• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2982
  • Last Modified:

Random AD Account Lockout

Hi Expert,

I am facing a random AD account lockout problem. Is there any way I can trace, from the client or from the server, which applications are authenticating against AD and causing the account lockout due to a wrong password?

I am using two DCs. One is Windows 2008 Std R2 and the other is Windows 2003 Std R2. I think the DC which always locks out the AD accounts is the 2008 one.

It started happening 2 or 3 months back. The affected clients are Windows 7. The same users were locked out a few times per day. I think about 10 of them are affected.
1 Solution
 
Krzysztof Pytko (Active Directory Engineer) commented:
You can try downloading AL Tools
http://www.microsoft.com/en-us/download/details.aspx?id=18465

and try to track that information using section "Troubleshooting Account Lockout" at
http://www.windowsecurity.com/articles/implementing-troubleshooting-account-lockout.html

Regards,
Krzysztof
 
cwstad2 commented:
Have you tried the account lockout tool?

http://www.microsoft.com/en-us/download/details.aspx?id=18465
 
Pramod Ubhe commented:
1. Run LockoutStatus.exe against the account that is frequently locking.
2. Check for the most recent bad password hit.
3. Go to the security event logs where bad passwords are reported.
4. Search for the Audit Failure log at the exact time shown in LockoutStatus.exe.
5. That log should have a Client IP, which is your target system or the root cause of the bad password.
6. If you want to dig further, sometimes you may see a PID section which you can trace in Task Manager as well.
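Steps 3 to 5 above can be scripted instead of searched by hand. The following is an added example, not code from this thread or from the Account Lockout tools: it pulls lockout events (ID 4740) from every DC's Security log and lists the computer that submitted the bad password. It assumes a domain-joined machine with the RSAT ActiveDirectory module and rights to read the DCs' Security logs; the parameter names and the 24-hour default are my choices.

```powershell
# Added example: automate steps 3-5 by querying each DC for event 4740
# ("A user account was locked out") and printing the Caller Computer Name.
# Assumptions: RSAT ActiveDirectory module is installed and the caller can read
# remote Security logs. Only Server 2008 and later DCs log 4740; a Windows 2003
# DC logs event 644 instead and is better searched with EventCombMT.
param(
    [Parameter(Mandatory = $true)] [string] $User,   # sAMAccountName being locked out
    [int] $Hours = 24                                # how far back to look
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$hits = foreach ($dc in $dcs) {
    try {
        # Lockouts are recorded on the DC that enforced them, so query every DC.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when no matching events exist and an RPC
        # error when the DC is unreachable; report it and move on to the next DC.
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Event 4740 field order: [0] TargetUserName (the locked account),
        # [1] TargetDomainName, which carries the "Caller Computer Name".
        if ($e.Properties[0].Value -ne $User) { continue }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc
            Caller = $e.Properties[1].Value
        }
    }
}

if (-not $hits) {
    Write-Host "No 4740 events for $User in the last $Hours hours."
} else {
    # Match these timestamps against the bad-password time shown by LockoutStatus.exe;
    # the Caller is the machine to inspect next (Task Manager, stored credentials).
    $hits | Sort-Object Time | Format-Table -AutoSize
}
```

If the Caller column is empty, the bad password usually arrived through an intermediary such as a web or mail server; in that case look at events 4771 (Kerberos pre-authentication failed, with a Client Address) or 4776 (NTLM validation, with a Source Workstation) on the same DC around the same time.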

 
hlmarine (Author) commented:
Thanks for all the quick responses. I have tried ALTools. Will try it thoroughly again this time.

But I need to double confirm the points below, because I have read many forums with different guides that confuse me.

1. Run LockoutStatus.exe from the client computer or any computer? I notice I can run it on my computer and select the user I want to check (for example the user who is facing the lockout problem).

3. Check the security event logs from the client computer or the domain controller?
 
Krzysztof Pytko (Active Directory Engineer) commented:
AD1) It does not matter on which computer you run it. Just specify the user and the tool will discover the DCs on which it was locked.

AD3) DC. But for that use another AL Tool, EventCombMT; it will allow you to check the security log of each DC.

Krzysztof
 
hlmarine (Author) commented:
For one part..

I need to install/register ALockout.dll on the user computer which always faces the bad password problem. Can it be run on Windows 7 32-bit and 64-bit?
 
Krzysztof Pytko (Active Directory Engineer) commented:
32-bit for sure, as it is a 32-bit tool, but I'm not sure if it would work with a 64-bit OS (never tried that).

Just check and let us know :)

Krzysztof
 
hlmarine (Author) commented:
Thanks for the fast feedback. Will try...
 
hlmarine (Author) commented:
I did this on the Windows 7 users' computers and also on my computer, which is running Windows XP.

I used AlockoutXP (for Windows XP) instead of Alockout (for Windows 2000), as mentioned in the article, and installed AlockoutXP on both Windows 7 (32-bit/64-bit) and Windows XP.

1. First I copied alockout.dll to C:\Windows\System32 (same for all OSes).
2. Ran appinit.reg, then double-checked that my registry indeed has the value "AppInit_DLLs"="alockout.dll" added.
3. Restarted the computer.

I checked my XP computer and found that there is an alockout.txt.

Then I checked the Windows 7 computer and found there isn't any alockout.txt for me to check after one particular account was locked out.

Just want to confirm: can alockout run on Windows 7?

QUOTED FROM http://www.windowsecurity.com/articles/implementing-troubleshooting-account-lockout.html

ALockout.dll
 
This tool creates a log file that can help you diagnose the cause of account lockout problems. Extract the files from ALockout.zip (for Windows 2000) or AlockoutXP.zip (for Windows XP) and copy them to the computer experiencing the lockout problems (usually a user's workstation). Copy ALockout.dll to the System32 directory and double-click on Appinit.reg to register the DLL. Then restart the machine, and when the lockout problem happens again you can view the log file %WinDir%\debug\ALockout.txt to troubleshoot. Note that interpreting this log requires you to understand Netlogon logging, which is discussed in detail in the previously mentioned whitepaper.
 
Krzysztof Pytko (Active Directory Engineer) commented:
Looks like this is not supported anymore in Windows 7.
The DLLs were valid only on 2000/XP/2003.

So, there is no tool in this tool set for Windows 7.
What a shame :/

Krzysztof
 
hlmarine (Author) commented:
Oh no!!

Then the only hard way I have is to check all the audit logs???

Any other way?

I am wondering whether my AD account has some conflict with my Exchange Online account.
My Exchange Online (Office 365) doesn't sync with my AD account, but both use an identical username. For example, my AD account is admin@test.com and my email will be the same.

So will the stored credentials somehow cause a conflict between the Exchange Online email account and my AD account?
 
Krzysztof Pytko (Active Directory Engineer) commented:
Hm, I don't know that, as I have no experience with Office 365 :/ sorry.
But yes, you need to review all security logs. However, EventCombMT.exe from the Account Lockout tools allows you to review all security logs on all Domain Controllers.

Krzysztof
 
hlmarine (Author) commented:
Thanks Krzysztof. Will try EventCombMT.exe later, after I confirm whether Office 365 is conflicting with my AD account.
 
hlmarine (Author) commented:
Just confirmed that after the users changed their Office 365 Exchange Online password to match their AD account, the random lockout issue stopped.

Now looking into the Windows Credentials to see how I can solve the issue.

I need any hint or advice on this, if any. Thank you in advance!
 
Krzysztof Pytko (Active Directory Engineer) commented:
Are you using Windows Credentials on machines for password storage?
I would not use that, because when you forget to update the password there, it might cause this issue with account lockout.

Krzysztof
 
hlmarine (Author) commented:
My users are quite lazy, so they will always tick "Remember my password" when Outlook (Exchange Online) prompts them to key in the password. After that it is saved into the Windows Credentials.
 
Krzysztof Pytko (Active Directory Engineer) commented:
You need to inform them that they have to take care in this situation to update the Windows credentials, or their account will be locked because of an improper password; or just disallow using Windows Credentials :) and use other SSO software which is much more flexible in configuration.

Krzysztof
 
hlmarine (Author) commented:
Found a fix.

EXTRACTED FROM http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/e17c4c4c-eb10-459e-912f-9f3d9b8e0a29

If anyone else is experiencing this issue, Microsoft released the hotfix:

Outlook 2007:

http://support.microsoft.com/kb/2598366

Outlook 2010:

http://support.microsoft.com/kb/2598374

After applying the hotfix, you need to add the following registry entry:

Outlook 2007:

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\Security]

"DisableWebAuthenticationType"=dword:00000010

Outlook 2010

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security]

"DisableWebAuthenticationType"=dword:00000010
 
hlmarine (Author) commented:
NA
 
hlmarine (Author) commented:
NA
