  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1066
  • Last Modified:

AD Account - Repeatedly Locked Out

I have a specific users AD account which is continuously getting locked out approx. 15-20 times a day.

Is there any way I can audit from which station or IP address the account is getting locked out from?

Thanks in advance for any help or suggestions.

:)
0
Asked by: Suncore
1 Solution
 
Sekar Chinnakannu, Staff Engineer, Commented:
Search for Event ID 4740; it helps you find where the account got locked. Filter for it on your domain controller. From there you can see the account name and the server name where it gets locked.
0
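The Event ID 4740 search suggested above, as an added example that is not part of the original thread: it reads 4740 events from every domain controller and counts them per caller computer. It assumes the ActiveDirectory (RSAT) module and rights to read each DC's Security log; the account name `jdoe` is a hypothetical placeholder.

```powershell
# Added example: summarize where lockouts (Event ID 4740) for one account come from.
# Assumes the ActiveDirectory (RSAT) module and rights to read each DC's Security log.
Import-Module ActiveDirectory

$Account = 'jdoe'                   # hypothetical sAMAccountName; replace with the locked-out user
$Since   = (Get-Date).AddDays(-1)   # look back 24 hours

$lockouts = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $Since
        } | ForEach-Object {
            # Read the event fields by name from the XML rather than by position.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data['TargetUserName'] -eq $Account) {
                [pscustomobject]@{
                    TimeCreated    = $_.TimeCreated
                    LoggedOnDC     = $dc.HostName
                    Account        = $data['TargetUserName']
                    # In 4740 the "Caller Computer Name" is stored in TargetDomainName.
                    CallerComputer = $data['TargetDomainName']
                }
            }
        }
    } catch {
        # Get-WinEvent raises an error when a DC has no matching events or is unreachable.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}

# Every lockout event found, oldest first.
$lockouts | Sort-Object TimeCreated | Format-Table -AutoSize

# Which source machines account for the lockouts, most frequent first.
$lockouts | Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```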
 
Reubenwelsh Commented:
Hi, this article goes through what you need to know pretty well :).

http://www.windowsecurity.com/articles/windows-active-directory-auditing.html

Cheers
Reuben
0
 
Gaurav Singh, Solution Architect, Commented:
0

 
abhijitwaikar Commented:
A malicious user may be attempting to log on to the machine by "brute forcing" the password.

The SAM event indicates that enough attempts were made on the administrator account to cross the account lockout threshold. As the administrator cannot be locked out, this event is logged instead. If a machine is infected by a virus, it can no longer be trusted. Microsoft suggests reinstalling the system.

For more information about troubleshooting account lockout issues, you can use the Account Lockout and Management Tools to help rule out the root cause of this issue.

The link to the Account Lockout and Management Tools is already provided by systechadmin.

Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0
http://support.microsoft.com/default.aspx?scid=kb;EN-US;315585 

Event ID 12294 — Account Lockout
http://technet.microsoft.com/en-us/library/cc733228(WS.10).aspx

Regards,
Abhijit Waikar.
0
 
Daelt Commented:
I bet the user involved has a smartphone or some kind of mobile device using AD credentials for connecting (like Exchange). If it fails to connect 3 times (depending on your GPOs), it locks his account.

Have a look at all his stuff that uses his user account automatically, especially his mobile (90% of the time guilty).
0
 
pravin_abhale11 Commented:
Hi, go through the link below and download the EventCombMT tool:

http://support.microsoft.com/kb/824209 


Then go to Searches -> Built In Searches -> Account Lockouts.

Then add the user ID which is frequently getting locked out in the text box, then search.

You will get the details of which systems are causing the lockout.

There may be a virus on the one system which is locking out the account.


0
 
Sandeshdubey Commented:
Here are two toolsets that can help:

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
and
http://www.netwrix.com/account_lockout_examiner.html 

Take a look at this blog about account lockouts; it goes over some good Microsoft tools:

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from. Is this a normal user, or could this account be used on a service somewhere?
0
 
Suncore (Author) Commented:
Daelt, thank you. The user changed their password but had not updated the Exchange settings on their iPhone, which was locking out the account just as you suggested.

Thank you all for your help.
0
 
Daelt Commented:
You're welcome. This kind of issue has been more and more frequent these last years with smartphones invading the market.
0
