Solved

How to tell what is locking an account out

Posted on 2011-02-14
7
542 Views
Last Modified: 2012-06-21
I have a service account that runs scheduled tasks and services.  It is being locked out every Saturday at 11 PM, but I don't know what is locking it out.  I'm needing to know what machine/IP the invalid attempts are coming from.  I know Microsoft has the Account Lockout & Management tools, but I'm running Active Directory on Server 2008.  Will these tools still work?  If so how do I put them in place?  Is there a better option out there?
0
Comment
Question by:jdouthit
  • 3
  • 2
  • 2
7 Comments
 
LVL 7

Accepted Solution

by:
Cuteadder earned 500 total points
Comment Utility
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

event comb will scan all your Domain controllers and tell you what computer and what type of event...
0
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
Those tools should still work...haven't put them on a 2008 box myself.   A network trace can also help in these situations (netmon or wireshark).

Not sure if you have seen this blog but it is a good overview   http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx?wa=wsignin1.0

Thanks

Mike
0
 

Author Comment

by:jdouthit
Comment Utility
What criteria should I be entering in eventcomb to search for the failed attempts?  I don't know what Event ID this would produce.
0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 7

Expert Comment

by:Cuteadder
Comment Utility
there's a preset for looking for locked out accounts and the events around it...

do that and post the results
0
 
LVL 57

Expert Comment

by:Mike Kline
Comment Utility
0
 

Author Comment

by:jdouthit
Comment Utility
I used the preset search for locked accounts on event comb, but it didn't find anything.  The account was locked out on 2-12-11.  Our event logs fill up so fast we usually only have items for the last 4-6 hours on a business day.
0
 
LVL 7

Expert Comment

by:Cuteadder
Comment Utility
unlock the account and next time it locks out jump on the issue..
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will show how to push an installation of Backup Exec to an additional server in both 2012 and 2014 versions of the software. Click on the Backup Exec button in the upper left corner. From here, select Installation and Licensing, then I…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now