Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Reason for event 4740 (user account was locked out)

Posted on 2013-06-26
8
Medium Priority
?
6,519 Views
Last Modified: 2013-07-05
In an SBS 2008 domain I have a user with a laptop (user in AD, laptop not in domain) who aboout every 6 weeks gets locked out.

How can I find out which behaviour / script causes this lockout? The user assures that he did not login with wrong password.

Many thanks - Michael
0
Comment
Question by:sg08234
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 11

Assisted Solution

by:mcnute
mcnute earned 252 total points
ID: 39277318
You can increase the level of diagnostic logging described here to find out why:

http://technet.microsoft.com/en-us/library/cc961809.aspx
0
 
LVL 9

Assisted Solution

by:VirastaR
VirastaR earned 249 total points
ID: 39277324
Hi,

Here is bunch of things you can try..

Account lockout
http://social.technet.microsoft.com/Forums/windowsserver/en-US/94a7399f-7e7b-4404-9509-1e9ac08690a8/account-lockout

Hope that helps :)
0
 
LVL 83

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 249 total points
ID: 39277420
You've use the lockout tools http://www.microsoft.com/en-us/download/details.aspx?id=18465  to diagnose the situation..  Could be a tablet/smart phone that causes it.
0
Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 2

Author Comment

by:sg08234
ID: 39277474
ve3ofa:
ALockout.dll? (On the client computer, helps determine a process or application that is sending wrong credentials.) --> Does it run on Vista?

virastar:
I'll give the tools from    http://social.technet.microsoft.com/Forums/windowsserver/en-US/94a7399f-7e7b-4404-9509-1e9ac08690a8/account-lockout    a chance (next monday when I am with the respective user and get hold on his laptop)

mcnute:
Which level do you recommend in my case? Edit registry?

Many thanks to all - Michael
0
 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 249 total points
ID: 39277558
use EventcombMT tool to extract the log for the account lockout.

In server name -> add single server (PDCe server)
Event ID -> 680 for 2003 OS & 4740 for 2008 OS
text -> mentioned user id of the account locked.

http://www.windowstricks.in/2009/07/account-lockout.html
0
 
LVL 5

Assisted Solution

by:vin_shooter
vin_shooter earned 249 total points
ID: 39277580
Hi,

Simple way to do is that can use lockoutstatus tool, can download from microsoft site.
Or

Can perform below steps,

Step1: dsquery user -name "logonID"

Replcate logonID with user ID & execute the above command. You'll get the object "DNPATH" then,

Step 2: repadmin /showmeta "DNPATH" >>c:\temp\meta.txt  then navigate to c->temp->meta.txt & search for keyword "lockout" then,

you'll be able to find the DC name in the same line in which the lockout is initiated. Login to the DC and search in security log for event id 4740 if its WIN2008 server else 644 if its win2003.

Share the results..,
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 252 total points
ID: 39277657
Can you post the event details.In the event itself check for callermachine name.This could be the culprint.

There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!

For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

See this tool too:http://www.netwrix.com/account_lockout_examiner.html
0
 
LVL 2

Author Closing Comment

by:sg08234
ID: 39303479
I now implemented access to network shares into login script and hope this helps.

Thanks to all - Michael
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

664 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question