Solved

Reason for event 4740 (user account was locked out)

Posted on 2013-06-26
Last Modified: 2013-07-05
In an SBS 2008 domain I have a user with a laptop (user in AD, laptop not in domain) who about every 6 weeks gets locked out.

How can I find out which behaviour / script causes this lockout? The user assures me that he did not log in with a wrong password.

Many thanks - Michael
Question by:sg08234
8 Comments
 
LVL 11

Assisted Solution

by:mcnute
mcnute earned 84 total points
ID: 39277318
You can increase the level of diagnostic logging described here to find out why:

http://technet.microsoft.com/en-us/library/cc961809.aspx
0
 
LVL 9

Assisted Solution

by:VirastaR
VirastaR earned 83 total points
ID: 39277324
Hi,

Here is a bunch of things you can try.

Account lockout
http://social.technet.microsoft.com/Forums/windowsserver/en-US/94a7399f-7e7b-4404-9509-1e9ac08690a8/account-lockout

Hope that helps :)
0
 
LVL 79

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 83 total points
ID: 39277420
You can use the lockout tools http://www.microsoft.com/en-us/download/details.aspx?id=18465 to diagnose the situation. Could be a tablet/smartphone that causes it.
0

 
LVL 2

Author Comment

by:sg08234
ID: 39277474
ve3ofa:
ALockout.dll? (On the client computer, helps determine a process or application that is sending wrong credentials.) --> Does it run on Vista?

virastar:
I'll give the tools from http://social.technet.microsoft.com/Forums/windowsserver/en-US/94a7399f-7e7b-4404-9509-1e9ac08690a8/account-lockout a chance (next Monday, when I am with the respective user and get hold of his laptop).

mcnute:
Which level do you recommend in my case? Edit registry?

Many thanks to all - Michael
0
 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 83 total points
ID: 39277558
Use the EventCombMT tool to extract the log for the account lockout.

In server name -> add single server (PDCe server)
Event ID -> 680 for 2003 OS & 4740 for 2008 OS
Text -> the user ID of the locked account

http://www.windowstricks.in/2009/07/account-lockout.html
0
 
LVL 5

Assisted Solution

by:vin_shooter
vin_shooter earned 83 total points
ID: 39277580
Hi,

A simple way to do this is to use the LockoutStatus tool, which can be downloaded from the Microsoft site.
Or

you can perform the steps below.

Step 1: dsquery user -name "logonID"

Replace logonID with the user ID and execute the above command. You'll get the object "DNPATH". Then,

Step 2: repadmin /showmeta "DNPATH" >>c:\temp\meta.txt, then navigate to c->temp->meta.txt and search for the keyword "lockout". Then,

you'll be able to find, in the same line, the name of the DC on which the lockout was initiated. Log in to the DC and search the security log for event ID 4740 if it's a Win2008 server, else 644 if it's Win2003.

Share the results.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 84 total points
ID: 39277657
Can you post the event details? In the event itself, check for the caller machine name. This could be the culprit.

There may be many other causes for an account being locked out.
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw has changed
• A SMARTPHONE!!!

For more, refer to the KB article: http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

See this tool too: http://www.netwrix.com/account_lockout_examiner.html
0
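
Reading the caller machine name out of event 4740, as the accepted answer suggests, can be scripted. The PowerShell below is an added example, not code from any poster in this thread; the function name `ConvertFrom-LockoutEventXml`, the host and account names and the sample events are constructed, and it assumes the 4740 `EventData` layout in which `TargetDomainName` carries the caller computer name.

```powershell
# Added example: tally 4740 lockout events per caller computer.
# Assumption: in 4740 EventData, TargetUserName is the locked account and
# TargetDomainName holds the "Caller Computer Name" shown in Event Viewer.
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory = $true)][string]$EventXml)
    $x = [xml]$EventXml
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    # The caller field can be empty; keep such events visible instead of dropping them.
    $caller = $data['TargetDomainName']
    if (-not $caller) { $caller = '(blank)' }
    New-Object PSObject -Property @{
        TimeCreated      = $x.Event.System.TimeCreated.SystemTime
        DomainController = $x.Event.System.Computer
        LockedAccount    = $data['TargetUserName']
        CallerComputer   = $caller
    }
}

# Constructed sample events (not from the thread), trimmed to the fields used.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4740</EventID><TimeCreated SystemTime="{0}"/>' +
    '<Computer>DC01.example.local</Computer></System><EventData>' +
    '<Data Name="TargetUserName">{1}</Data>' +
    '<Data Name="TargetDomainName">{2}</Data></EventData></Event>'
$sample = @(
    ($template -f '2013-05-13T08:15:02Z', 'jdoe',   'LAPTOP-07'),
    ($template -f '2013-06-24T08:14:47Z', 'jdoe',   'LAPTOP-07'),
    ($template -f '2013-06-24T19:30:11Z', 'jdoe',   ''),
    ($template -f '2013-06-25T10:02:55Z', 'asmith', 'WKS-112')
)

# Which machines locked out the account in question, most frequent first.
$sample | ForEach-Object { ConvertFrom-LockoutEventXml $_ } |
    Where-Object { $_.LockedAccount -eq 'jdoe' } |
    Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Live use against the PDC emulator (needs rights to read its Security log):
# $pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
# Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#     ForEach-Object { ConvertFrom-LockoutEventXml $_.ToXml() }
```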
 
LVL 2

Author Closing Comment

by:sg08234
ID: 39303479
I now implemented access to network shares into login script and hope this helps.

Thanks to all - Michael
0
