Solved

Reason for event 4740 (user account was locked out)

Posted on 2013-06-26
8
6,101 Views
Last Modified: 2013-07-05
In an SBS 2008 domain I have a user with a laptop (user in AD, laptop not in domain) who aboout every 6 weeks gets locked out.

How can I find out which behaviour / script causes this lockout? The user assures that he did not login with wrong password.

Many thanks - Michael
0
Comment
Question by:sg08234
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 11

Assisted Solution

by:mcnute
mcnute earned 84 total points
ID: 39277318
You can increase the level of diagnostic logging described here to find out why:

http://technet.microsoft.com/en-us/library/cc961809.aspx
0
 
LVL 9

Assisted Solution

by:VirastaR
VirastaR earned 83 total points
ID: 39277324
Hi,

Here is bunch of things you can try..

Account lockout
http://social.technet.microsoft.com/Forums/windowsserver/en-US/94a7399f-7e7b-4404-9509-1e9ac08690a8/account-lockout

Hope that helps :)
0
 
LVL 81

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 83 total points
ID: 39277420
You've use the lockout tools http://www.microsoft.com/en-us/download/details.aspx?id=18465  to diagnose the situation..  Could be a tablet/smart phone that causes it.
0
Guide to Performance: Optimization & Monitoring

Nowadays, monitoring is a mixture of tools, systems, and codes—making it a very complex process. And with this complexity, comes variables for failure. Get DZone’s new Guide to Performance to learn how to proactively find these variables and solve them before a disruption occurs.

 
LVL 2

Author Comment

by:sg08234
ID: 39277474
ve3ofa:
ALockout.dll? (On the client computer, helps determine a process or application that is sending wrong credentials.) --> Does it run on Vista?

virastar:
I'll give the tools from    http://social.technet.microsoft.com/Forums/windowsserver/en-US/94a7399f-7e7b-4404-9509-1e9ac08690a8/account-lockout    a chance (next monday when I am with the respective user and get hold on his laptop)

mcnute:
Which level do you recommend in my case? Edit registry?

Many thanks to all - Michael
0
 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 83 total points
ID: 39277558
use EventcombMT tool to extract the log for the account lockout.

In server name -> add single server (PDCe server)
Event ID -> 680 for 2003 OS & 4740 for 2008 OS
text -> mentioned user id of the account locked.

http://www.windowstricks.in/2009/07/account-lockout.html
0
 
LVL 5

Assisted Solution

by:vin_shooter
vin_shooter earned 83 total points
ID: 39277580
Hi,

Simple way to do is that can use lockoutstatus tool, can download from microsoft site.
Or

Can perform below steps,

Step1: dsquery user -name "logonID"

Replcate logonID with user ID & execute the above command. You'll get the object "DNPATH" then,

Step 2: repadmin /showmeta "DNPATH" >>c:\temp\meta.txt  then navigate to c->temp->meta.txt & search for keyword "lockout" then,

you'll be able to find the DC name in the same line in which the lockout is initiated. Login to the DC and search in security log for event id 4740 if its WIN2008 server else 644 if its win2003.

Share the results..,
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 84 total points
ID: 39277657
Can you post the event details.In the event itself check for callermachine name.This could be the culprint.

There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!

For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

See this tool too:http://www.netwrix.com/account_lockout_examiner.html
0
 
LVL 2

Author Closing Comment

by:sg08234
ID: 39303479
I now implemented access to network shares into login script and hope this helps.

Thanks to all - Michael
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question