Solved

Active Directory Auto-locks Accounts

Posted on 2011-03-25
6
968 Views
Last Modified: 2012-05-11
Points of my Scenario:
1. I am admin of a Windows Server 2003 domain
2. Over the past three days, user accounts in Active Directory have been randomly locking (& repeatedly)
3. I don't think users are lying about exceeding the "Account lockout threshold" - since this is happening to multiple, unrelated users at the same time.
QUESTION: How can I determine the cause and resolution for this strange phenomenon?
0
Comment
Question by:waforbes100
6 Comments
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 80 total points
ID: 35215135
0
 
LVL 3

Assisted Solution

by:Frank_Alphaserveit
Frank_Alphaserveit earned 55 total points
ID: 35215249
this is most likely due to those accounts being used in services or sessions with expired/cached passwords.
0
 
LVL 12

Expert Comment

by:nsx106052
ID: 35215296
I would check through the security logs on the domain controllers for failed log in attempts. From there you can pin point the location.  Then investigate the machine to see if it was invalid logins, stale passwords or a scheduled task.  
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 57

Assisted Solution

by:Mike Kline
Mike Kline earned 65 total points
ID: 35215370
You can look at this good blog entry that has links to some Microsoft tools and other suggestions

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

However, if it is a bunch of random accounts in AD I'd look for a malware/virus...specifically conficker which has been a big culprit the last few years when it is random.

If it was a service it would just be a few accounts not a bunch of them like this.

Thanks

Mike
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 35215372
0
 
LVL 42

Accepted Solution

by:
Amit earned 300 total points
ID: 35215715
Download Account lock out tool from MS
http://www.microsoft.com/downloads/en/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Use EventComb and run it agains your DC. Select Security and Failure options. Enter the user name in the text box and hit search. It will create a text file and you can find from which machine it is getting locked out. Later run aloinfo.exe to on the machine from where it is getting locked out. This will tell you if any process or task is configure with that account.

Finally, if you are unable to find the root cause. Just goto ADUC>Find that user>Click on Account Tab>In front of account name append 1

This will stop any further lockout issue for this user.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Questions about DHCP migration 5 60
Special copy setup request 8 50
no GUI domain controller 2 39
Enterprise Mode 4 29
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question