AD Account - Repeatedly Locked Out

I have a specific user's AD account which is continuously getting locked out, approx. 15-20 times a day.

Is there any way I can audit which station or IP address the account is getting locked out from?

Thanks in advance for any help or suggestions.

:)
Suncore Asked:
Sekar Chinnakannu (Staff Engineer) Commented:
Search for Event ID 4740; it helps you find where the account got locked. Filter for it on your domain controller. From there you can see the account name and the server name where it gets locked.
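
One way to run the Event ID 4740 search suggested above, as an added example that is not part of the original thread. It assumes the ActiveDirectory RSAT module is installed, "Audit User Account Management" is enabled on the domain controllers, and you have rights to read the DC Security log; `jdoe` is a placeholder account name.

```powershell
# Added example: find which machine is locking out one account by reading
# Event ID 4740 from a domain controller's Security log.
# 'jdoe' is a placeholder; pass the affected user's sAMAccountName instead.
param(
    [string]$UserName = 'jdoe',
    [int]$Days = 1
)

Import-Module ActiveDirectory

# Lockouts are processed by the PDC emulator, so its log has them all.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields rather than relying on property order.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $data['TargetUserName']
            # In 4740 the "Caller Computer Name" is stored in TargetDomainName.
            Caller  = $data['TargetDomainName']
        }
    } |
    Where-Object { $_.Account -eq $UserName }

# Timeline of lockouts, then a count per source machine.
$lockouts | Sort-Object Time | Format-Table -AutoSize
$lockouts | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A Caller that names a server such as a mail front end rather than a workstation means the bad password is arriving through that service, so the client has to be identified from that server's own logs.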
Reubenwelsh Commented:
Hi, this article goes through what you need to know pretty well :).

http://www.windowsecurity.com/articles/windows-active-directory-auditing.html

Cheers
Reuben
systechadmin (Consultant) Commented:
abhijitwaikar Commented:
A malicious user may be attempting to log on to the machine by "brute forcing" the password.

The SAM event indicates that enough attempts were made on the administrator account to cross the account lockout threshold. As the administrator cannot be locked out, this event is logged instead. If a machine is infected by a virus, it can no longer be trusted. Microsoft suggests reinstalling the system.

For more information about troubleshooting account lockout issues, you can use Account Lockout and Management Tools to help rule out the root cause of this issue.

Use Account Lockout and Management Tools; the link is already provided by systechadmin.

Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0
http://support.microsoft.com/default.aspx?scid=kb;EN-US;315585 

Event ID 12294 — Account Lockout
http://technet.microsoft.com/en-us/library/cc733228(WS.10).aspx

Regards,
Abhijit Waikar.
Daelt Commented:
I bet the user involved has a smartphone or some kind of mobile device using AD credentials for connecting (like Exchange); if it fails to connect 3 times (depending on your GPOs), it locks his account.

Have a look at all his stuff that uses his user account automatically, especially his mobile (90% of the time guilty).

pravin_abhale11 Commented:
Hi, go through the link below and download the EventCombMT tool.

http://support.microsoft.com/kb/824209

Then go to Searches ---> Built in searches ---> Account lockouts.

Then add the user ID which is frequently getting locked out in the text .. then search.

You will get the details of which systems get the lockout.

There may be a virus on the one system which is locking out the account.

Sandeshdubey (Senior Server Engineer) Commented:
Here are two toolsets that can help

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
and
http://www.netwrix.com/account_lockout_examiner.html 

Take a look at this blog from about account lockouts, goes over some good Microsoft tools

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from. Is this a normal user or could this account be used on a service somewhere?
Suncore (Author) Commented:
Daelt, thank you. The user changed their password but had not updated the Exchange settings on their iPhone, which was locking out the account just as you suggested.

Thank you all for your help.
Daelt Commented:
You're welcome, this kind of issue has been more and more frequent these last years with smartphones invading the market.