MilesLogan asked:
Active Directory - Account keeps getting locked.

Hello, I need some help if you guys can.

Does anyone have a script or tool to find out what resource is locking a domain user account?

The user changed their password, but the old password was hard coded to run scripts or services on some servers. How would you find out what is locking the account?
Dav Gray

Have you got a group policy for password control?
Generally, if this is set to, say, 3 attempts, the user account becomes locked.

It may be that one of your scripts has tried the old password and invoked the above policy (if enabled).
You can run a query on your security logs on AD to show you what computer is trying to use it. This would most likely give you a very good hint if it was a server holding a single role.

You could do something simple in PowerShell to get some raw data parsed out easily:

$Logs = get-eventlog "Security" | ?{$_.[column you choose].contains("Administrator")}


Something like that.  I'm not able to get into my domain controller because I'm not at work, but you can work with the code a little bit to create something for your own environment pretty easily.  Remember to run this on your domain controller.

HTH,

Dale Harris
Mike Kline
Take a look at this blog about account lockouts; it goes over some good Microsoft tools.

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from. Is this a normal user, or could this account be used on a service somewhere?

Thanks

Mike
Try Account Lockout and Management Tool.

Microsoft provides a free set of tools called Account Lockout and Management Tools which you can download as the self-extracting file ALTools.exe from the Microsoft Download Center.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

More info about AL tool:
http://www.windowsecurity.com/articles/implementing-troubleshooting-account-lockout.html

Thanks,
AbhijitW.
If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm.
On the DC, check the security log: event ID 644 will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

If it has spread to multiple PCs, create a GPO. Refer to the MS link below; the symptoms of the Conficker virus are given, and also how to deploy the policy to block the same.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as the servers are patched and the latest virus definitions are present on all PCs.

Note: If event ID 644 has not occurred, this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

There may be many other causes for an account being locked out:
• user's account in Stored User Names and Passwords
• user's account tied to a persistent mapped drive
• user's account used as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's password was changed
• A SMARTPHONE!!!

For more, refer to the KB article: http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

You can also install the Account Lockout and Management Tools: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
http://4sysops.com/archives/free-account-lockout-tools-view-lockout-status-and-unlock-account/
MilesLogan (ASKER)
Hi Dale

I like this option since I don't have to install any additional software, but I can't get it to work. Can you check it on your DC if you are able to?

$Logs = get-eventlog "Security" | ?{$_.[column you choose].contains("Administrator")}

[column you choose]: what do I enter here?
("Administrator"): do I enter the account ID that I want to check here?
ASKER CERTIFIED SOLUTION
Dale Harris
Miles,

Try this blog to get you going.  I'm not sure exactly how far you want to take this, so this will definitely help you out.  It's the Microsoft Scripting Guy and he's a wealth of information.

http://goo.gl/D8wzh

Excerpt from website:

get-eventlog System | where-object {$_.EventID -eq "6005"}

This is pretty much the same way I'm telling you to do it.  They expand my ? with "where-object".  Also they are filtering by EventID which you can do as well.  That just refers to the actual property value.

One of the ways you can get all the types of properties/methods for the event log is to try this:

$Log = get-eventlog Security
$Log | gm


Then look under properties and you'll be able to see the different ways you can ask for information.

HTH,

Dale Harris
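Dale's approach (Get-EventLog on the DC piped to Where-Object, filtering on a property such as EventID) and the earlier 644 post (open the lockout event and read the caller machine) combined into one script, as an added example that was not posted by anyone in this thread. It assumes it is run against a domain controller with account-management auditing enabled, and the values of $Account and $Server are placeholders.

```powershell
# Added example (not posted in this thread): list the machines that locked out one account by
# reading the lockout events from a domain controller's Security log.
# Assumes account-management auditing is enabled on the DC (no 644/4740 events are written otherwise).
param(
    [string]$Account = 'jdoe',             # placeholder: sAMAccountName of the locked-out user
    [string]$Server  = $env:COMPUTERNAME,  # placeholder: DC whose Security log is read
    [int]$Days       = 1                   # how far back to look
)

# 644 = "User Account Locked Out" on Windows 2000/2003 DCs; 4740 is the same event on 2008 and later.
$LockoutIds = 644, 4740
$Since      = (Get-Date).AddDays(-$Days)
$AccountRx  = '\b' + [regex]::Escape($Account) + '\b'

# Same shape as Dale's one-liner: Get-EventLog piped to Where-Object, filtering on EventID and Message.
$Events = Get-EventLog -LogName Security -ComputerName $Server -After $Since |
    Where-Object { $LockoutIds -contains $_.EventID -and $_.Message -match $AccountRx }

if (-not $Events) {
    Write-Warning "No lockout events (644/4740) for '$Account' since $Since on $Server."
    Write-Warning "If the account really is locking, check that 'Audit account management' is enabled on the DC."
    return
}

# The originating host is in the message body: 644 labels it "Caller Machine Name",
# 4740 labels it "Caller Computer Name". Both are followed by the computer name on the same line.
$Results = foreach ($e in $Events) {
    $caller = if ($e.Message -match 'Caller (Machine|Computer) Name:\s*(\S+)') { $Matches[2] } else { '<not in message>' }
    [pscustomobject]@{
        Time    = $e.TimeGenerated
        EventID = $e.EventID
        Caller  = $caller.TrimStart('\')   # 4740 sometimes prefixes the name with \\
        DC      = $e.MachineName
    }
}

# Repeated lockouts normally trace back to one host that still holds the old password
# (a service, scheduled task, mapped drive, IIS app pool or phone). Count per caller, then list them.
$Results | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'Caller'; Expression = { $_.Name } } | Format-Table -AutoSize
$Results | Sort-Object Time | Format-Table -AutoSize
```

Run it on each DC (or point $Server at each in turn), since a lockout is recorded on the DC that processed the bad password and on the PDC emulator.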
Thank you!