hlmarine

asked on

Random AD Account Lockout

Hi Expert,

I am facing a random AD account lockout problem. Is there any way I can trace, from the client or from the server, which application is authenticating to AD and causing the account lockout due to a wrong password?

I am using two DCs. One is Windows 2008 R2 Std and the other is Windows 2003 R2 Std. I think the DC that always locks out the AD accounts is the 2008 one.

It started happening 2 or 3 months back. The affected clients are Windows 7. The same users are locked out a few times per day. I think about 10 of them are affected.
Krzysztof Pytko

You can try downloading AL Tools
http://www.microsoft.com/en-us/download/details.aspx?id=18465

and try to track that information using section "Troubleshooting Account Lockout" at
http://www.windowsecurity.com/articles/implementing-troubleshooting-account-lockout.html

Regards,
Krzysztof
1. Run LockoutStatus.exe against the account that is frequently locking.
2. Check for the most recent bad password hit.
3. Go to the security event logs where bad passwords are reported.
4. Search for the Audit Failure entry at the exact time shown in LockoutStatus.exe.
5. That entry should have a Client IP, which is your target system or the root cause of the bad password.
6. If you want to dig further, sometimes you may see a PID, which you can trace in Task Manager as well.
hlmarine

ASKER

Thanks for all the quick responses. I have tried ALTools. Will try it thoroughly again this time.

But I need to double-confirm the points below, because I have read many forums with different guides, which is confusing me.

1. Run LockoutStatus.exe from the client computer or from any computer? I notice I can run it on my computer and select the user I want to check (for example, the user who is facing the lockout problem).

3. Check the security event logs from the client computer or domain controller?
AD1) It does not matter on which computer you run it. Just specify the user and the tool will discover the DCs on which it was locked.

AD3) DC. But for that use another AL Tool, EventCombMT; it will allow you to check the security log of each DC.

Krzysztof
For one part..

I need to install/register ALockout.dll on the user computer that always faces the bad password problem. Can it be run on Windows 7 32-bit and 64-bit?
32-bit for sure, as it is a 32-bit tool, but I'm not sure whether it would work with a 64-bit OS (never tried that).

Just check and let us know :)

Krzysztof
Thanks for the fast feedback. Will try ...
I did this on the Windows 7 users' computers and also on my own computer, which is running Windows XP.

Using AlockoutXP (for Windows XP) instead of Alockout (for Windows 2000), which is the one mentioned in the article, I installed AlockoutXP on both Windows 7 (32b/64b) and Windows XP.

1. First I copy alockout.dll to C:\Windows\System32 (same for all OS)
2. Run appinit.reg then double check my regedit is indeed added with value "AppInit_DLLs"="alockout.dll".
3. Restart the computer.

I checked my XP computer and found that there is an alockout.txt.

Then I checked the Windows 7 computer and found that there isn't any alockout.txt for me to check after one particular account was locked out.

Just want to confirm: can alockout run on Windows 7?



QUOTED FROM http://www.windowsecurity.com/articles/implementing-troubleshooting-account-lockout.html

ALockout.dll
 
This tool creates a log file that can help you diagnose the cause of account lockout problems. Extract the files from ALockout.zip (for Windows 2000) or AlockoutXP.zip (for Windows XP) and copy them to the computer experiencing the lockout problems (usually a user's workstation). Copy ALockout.dll to the System32 directory and double-click on Appinit.reg to register the DLL. Then restart the machine and, when the lockout problem happens again, you can view the log file %WinDir%\debug\ALockout.txt to troubleshoot. Note that interpreting this log requires that you understand Netlogon logging, which is discussed in detail in the previously mentioned whitepaper.
Looks like this is not supported anymore in Windows 7.
The DLLs were valid only on 2000/XP/2003.

So, there is no tool in this tool set for Windows 7.
What a shame :/

Krzysztof
Oh no!!

Then the only hard way I have is to check all the audit logs???

Any other way?

I am wondering whether my AD account has some conflict with my Exchange Online account.
My Exchange Online (Office 365) account doesn't sync with my AD account, but both are using an identical username. For example, my AD account is admin@test.com and my email will be the same.

So will the stored credentials for the Exchange Online email account somehow conflict with my AD account?
Hm, I don't know that, as I have no experience with Office 365 :/ sorry.
But yes, you need to review all security logs. However, EventCombMT.exe from the Account Lockout tools allows you to review all security logs on all Domain Controllers.

Krzysztof
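The two pieces of advice above (LockoutStatus.exe, then the Audit Failure entry at that time to get the Client IP; and EventCombMT to search the Security log on every DC) can be combined into one script. The following is an added example, not code from the thread or from the ALTools package. It assumes PowerShell 3 or later with the RSAT ActiveDirectory module, an account allowed to read the Security log remotely on the DCs (Event Log Readers or Domain Admins), and DCs that log the 2008-era event IDs 4740 / 4771 / 4776; the 2003 DC in the thread logs the older 644 / 675 / 680 IDs, which this script does not parse. The account name is a parameter you supply.

```powershell
# Added example (not from the thread). Collects lockout (4740) and bad-password
# (4771 = Kerberos pre-auth failure, 4776 = NTLM validation failure) events for
# one account from the Security log of every DC and lists the source machine,
# which is what LockoutStatus.exe + EventCombMT find by hand.
# Assumptions: PowerShell 3+, RSAT ActiveDirectory module, remote Security log
# read access on the DCs, DCs running 2008 or later (2003 uses 644/675/680).
param(
    [Parameter(Mandatory = $true)] [string] $SamAccountName,  # e.g. 'jsmith' (hypothetical)
    [int] $Hours = 24
)

Import-Module ActiveDirectory
$dcs    = (Get-ADDomainController -Filter *).HostName
$filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }

$hits = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent also throws when there are simply no matching events.
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read the EventData fields by name from the event XML instead of
        # scraping the localized message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $SamAccountName) { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc
            Id     = $e.Id
            # 4740 puts the caller computer name in TargetDomainName;
            # 4771 has the client IP in IpAddress; 4776 has the workstation name.
            Source = (@($data['TargetDomainName'], $data['IpAddress'], $data['Workstation']) |
                      Where-Object { $_ } | Select-Object -First 1)
            Status = $data['Status']   # 0x18 (4771) or 0xC000006A (4776) = wrong password
        }
    }
}

$hits | Sort-Object Time | Format-Table Time, DC, Id, Source, Status -AutoSize

# The source with the most bad-password events is usually the machine (or the
# cached credential on it) replaying an old password.
$hits | Where-Object { $_.Id -ne 4740 } | Group-Object Source |
    Sort-Object Count -Descending | Select-Object Count, Name
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName jsmith -Hours 48` from an admin workstation; the 4740 rows tell you which DC enforced the lockout and which computer the bad passwords were relayed from, and the 4771/4776 rows give the actual client IP or workstation, which is the "Client IP" step of the procedure above. Note that bad-password attempts are forwarded to the PDC emulator, so that DC will usually show the most entries.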
Thanks Krzysztof.. Will try EventCombMT.exe later, after I confirm whether Office 365 is having a conflict with my AD account.
Just confirmed that after the users changed their Office 365 Exchange Online password to match their AD account, the random lockout issue stopped.

Now looking into Windows Credentials to see how I can solve the issue.

Any hint or advice on this would be appreciated. Thank you in advance!
Are you using Windows Credentials on the machines as a password store?
I would not use that, because when you forget to update the password there, it might cause this issue with account lockout.

Krzysztof
My users are quite lazy, so they will always tick "Remember my password" when Outlook (Exchange Online) prompts them to key in the password. After that it is saved into Windows Credentials.
You need to inform them that in this situation they need to take care to update Windows Credentials, or their account will be locked because of an improper password; or just disallow using Windows Credentials :) and use other SSO software, which is much more flexible in configuration.

Krzysztof
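For the clean-up side of this (a saved Outlook credential that is replayed with the old Office 365 password until the AD account locks), the following is an added example, not code from the thread. It lists the Windows Credentials entries on a workstation that match a pattern you choose and, with -Remove, deletes them so Outlook prompts for the current password. It assumes it is run in the affected user's own session (cmdkey only sees the current user's vault) and that you first look in Control Panel > Credential Manager to see how your Outlook / Office 365 entries are actually named, then pass the address or host from that name as the pattern.

```powershell
# Added example (not from the thread). Finds saved Windows Credentials whose
# target name matches a pattern and optionally deletes them, so the client
# stops replaying a stale password against the account.
# Assumptions: run as the affected user on their Windows 7 machine; the
# pattern is your choice after inspecting Credential Manager.
param(
    [Parameter(Mandatory = $true)] [string] $Pattern,  # e.g. 'admin@test.com' (name from the thread) or 'office365'
    [switch] $Remove
)

# cmdkey /list prints one "Target: <type>:target=<name>" line per saved credential.
$targets = cmdkey /list | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(.+?)\s*$') { $Matches[1] }
} | Where-Object { $_ -match [regex]::Escape($Pattern) }

if (-not $targets) {
    "No saved credentials match '$Pattern'."
    return
}

foreach ($t in $targets) {
    if (-not $Remove) {
        "Found:   $t   (rerun with -Remove to delete)"
        continue
    }
    # cmdkey /delete takes the bare target name, without the
    # "LegacyGeneric:target=" or "Domain:target=" prefix shown by /list.
    $name = $t -replace '^\w+:target=', ''
    cmdkey /delete:"$name" | ForEach-Object { "$t : $_" }
}
```

Run it once without -Remove to see what would go, then with -Remove; restart Outlook afterwards so it prompts again. If you would rather block the store altogether, as suggested above, the Group Policy setting is Security Options > "Network access: Do not allow storage of passwords and credentials for network authentication". Either way, re-run the DC log search after the change, since a mapped drive, scheduled task or phone with the old password will lock the account in exactly the same way.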
ASKER CERTIFIED SOLUTION
hlmarine
