• Status: Solved
  • Priority: Medium
  • Security: Public

Active Directory Auto-locks Accounts

Points of my Scenario:
1. I am admin of a Windows Server 2003 domain
2. Over the past three days, user accounts in Active Directory have been randomly locking (& repeatedly)
3. I don't think users are lying about exceeding the "Account lockout threshold" - since this is happening to multiple, unrelated users at the same time.
QUESTION: How can I determine the cause and resolution for this strange phenomenon?
Asked by: waforbes100
4 Solutions
 
Frank_Alphaserveit Commented:
This is most likely due to those accounts being used in services or sessions with expired/cached passwords.
 
nsx106052 Commented:
I would check through the security logs on the domain controllers for failed login attempts. From there you can pinpoint the location. Then investigate the machine to see if it was invalid logins, stale passwords or a scheduled task.
 
Mike Kline Commented:
You can look at this good blog entry that has links to some Microsoft tools and other suggestions

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

However, if it is a bunch of random accounts in AD I'd look for a malware/virus... specifically Conficker, which has been a big culprit the last few years when it is random.

If it was a service it would just be a few accounts not a bunch of them like this.

Thanks

Mike
 
Donald Stewart, Network Administrator, Commented:
 
Amit, IT Architect, Commented:
Download the Account Lockout tool from MS
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Use EventComb and run it against your DC. Select the Security and Failure options. Enter the user name in the text box and hit search. It will create a text file, and from it you can find which machine the account is getting locked out from. Later, run aloinfo.exe on the machine where it is getting locked out. This will tell you if any process or task is configured with that account.

Finally, if you are unable to find the root cause, just go to ADUC > find that user > click on the Account tab > append 1 in front of the account name.

This will stop any further lockout issue for this user.
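
The triage the answers above describe (group lockouts by source machine, then separate one account locked repeatedly from many unrelated accounts locked at once from a single host), as an added example that is not part of the original thread. It assumes lockout events (event ID 644 on Windows Server 2003) were exported from the domain controllers' Security logs into the constructed CSV layout shown; the column names, host names, accounts and thresholds are illustrative assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. The column layout is an assumption for this
# example and is not EventComb's own output format.
SAMPLE = """\
time,event_id,target_account,caller_machine
2011-03-01 09:00:05,644,jsmith,WS-014
2011-03-01 09:01:40,644,mlee,WS-014
2011-03-01 09:02:10,644,akhan,ws-014
2011-03-01 09:04:55,644,bwong,WS-014
2011-03-01 02:00:00,644,svc_backup,SRV-APP2
2011-03-01 03:00:00,644,svc_backup,SRV-APP2
2011-03-01 04:00:00,644,svc_backup,SRV-APP2
2011-03-01 11:30:00,644,tparker,WS-101
2011-03-01 11:31:00,529,tparker,WS-200
"""

def triage(csv_text, window=timedelta(minutes=10), many=3):
    """Classify each lockout source by how many accounts it locks and how fast."""
    by_source = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["event_id"] != "644":  # keep only "account locked out" events
            continue
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        by_source[row["caller_machine"].upper()].append(
            (ts, row["target_account"].lower()))
    report = {}
    for source, events in by_source.items():
        events.sort()
        accounts = {acct for _, acct in events}
        # Most distinct accounts locked from this source inside any one window.
        burst = max(len({a for t, a in events[i:] if t - start <= window})
                    for i, (start, _) in enumerate(events))
        if burst >= many:
            verdict = "MULTI_ACCOUNT_SOURCE"      # inspect the host for malware
        elif len(events) > len(accounts):
            verdict = "REPEATED_SINGLE_ACCOUNT"   # service, task or cached password
        else:
            verdict = "ISOLATED"
        report[source] = {"accounts": sorted(accounts),
                          "lockouts": len(events), "verdict": verdict}
    return report

if __name__ == "__main__":
    for host, info in sorted(triage(SAMPLE).items()):
        print(host, info["verdict"], info["lockouts"], ",".join(info["accounts"]))
```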