Solved

Reason for event 4740 (user account was locked out)

Posted on 2013-06-26
8
5,435 Views
Last Modified: 2013-07-05
In an SBS 2008 domain I have a user with a laptop (user in AD, laptop not in domain) who aboout every 6 weeks gets locked out.

How can I find out which behaviour / script causes this lockout? The user assures that he did not login with wrong password.

Many thanks - Michael
0
Comment
Question by:sg08234
8 Comments
 
LVL 11

Assisted Solution

by:mcnute
mcnute earned 84 total points
Comment Utility
You can increase the level of diagnostic logging described here to find out why:

http://technet.microsoft.com/en-us/library/cc961809.aspx
0
 
LVL 9

Assisted Solution

by:VirastaR
VirastaR earned 83 total points
Comment Utility
Hi,

Here is bunch of things you can try..

Account lockout
http://social.technet.microsoft.com/Forums/windowsserver/en-US/94a7399f-7e7b-4404-9509-1e9ac08690a8/account-lockout

Hope that helps :)
0
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 83 total points
Comment Utility
You've use the lockout tools http://www.microsoft.com/en-us/download/details.aspx?id=18465  to diagnose the situation..  Could be a tablet/smart phone that causes it.
0
 
LVL 2

Author Comment

by:sg08234
Comment Utility
ve3ofa:
ALockout.dll? (On the client computer, helps determine a process or application that is sending wrong credentials.) --> Does it run on Vista?

virastar:
I'll give the tools from    http://social.technet.microsoft.com/Forums/windowsserver/en-US/94a7399f-7e7b-4404-9509-1e9ac08690a8/account-lockout    a chance (next monday when I am with the respective user and get hold on his laptop)

mcnute:
Which level do you recommend in my case? Edit registry?

Many thanks to all - Michael
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 13

Assisted Solution

by:Jaihunt
Jaihunt earned 83 total points
Comment Utility
use EventcombMT tool to extract the log for the account lockout.

In server name -> add single server (PDCe server)
Event ID -> 680 for 2003 OS & 4740 for 2008 OS
text -> mentioned user id of the account locked.

http://www.windowstricks.in/2009/07/account-lockout.html
0
 
LVL 5

Assisted Solution

by:vin_shooter
vin_shooter earned 83 total points
Comment Utility
Hi,

Simple way to do is that can use lockoutstatus tool, can download from microsoft site.
Or

Can perform below steps,

Step1: dsquery user -name "logonID"

Replcate logonID with user ID & execute the above command. You'll get the object "DNPATH" then,

Step 2: repadmin /showmeta "DNPATH" >>c:\temp\meta.txt  then navigate to c->temp->meta.txt & search for keyword "lockout" then,

you'll be able to find the DC name in the same line in which the lockout is initiated. Login to the DC and search in security log for event id 4740 if its WIN2008 server else 644 if its win2003.

Share the results..,
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 84 total points
Comment Utility
Can you post the event details.In the event itself check for callermachine name.This could be the culprint.

There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!

For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

See this tool too:http://www.netwrix.com/account_lockout_examiner.html
0
 
LVL 2

Author Closing Comment

by:sg08234
Comment Utility
I now implemented access to network shares into login script and hope this helps.

Thanks to all - Michael
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
A quick step-by-step overview of installing and configuring Carbonite Server Backup.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now