[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7069
  • Last Modified:

Reason for event 4740 (user account was locked out)

In an SBS 2008 domain I have a user with a laptop (user in AD, laptop not in domain) who aboout every 6 weeks gets locked out.

How can I find out which behaviour / script causes this lockout? The user assures that he did not login with wrong password.

Many thanks - Michael
0
sg08234
Asked:
sg08234
6 Solutions
 
mcnuteCommented:
You can increase the level of diagnostic logging described here to find out why:

http://technet.microsoft.com/en-us/library/cc961809.aspx
0
 
VirastaRUC Tech Consultant Commented:
Hi,

Here is bunch of things you can try..

Account lockout
http://social.technet.microsoft.com/Forums/windowsserver/en-US/94a7399f-7e7b-4404-9509-1e9ac08690a8/account-lockout

Hope that helps :)
0
 
David Johnson, CD, MVPOwnerCommented:
You've use the lockout tools http://www.microsoft.com/en-us/download/details.aspx?id=18465  to diagnose the situation..  Could be a tablet/smart phone that causes it.
0
Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

 
sg08234Author Commented:
ve3ofa:
ALockout.dll? (On the client computer, helps determine a process or application that is sending wrong credentials.) --> Does it run on Vista?

virastar:
I'll give the tools from    http://social.technet.microsoft.com/Forums/windowsserver/en-US/94a7399f-7e7b-4404-9509-1e9ac08690a8/account-lockout    a chance (next monday when I am with the respective user and get hold on his laptop)

mcnute:
Which level do you recommend in my case? Edit registry?

Many thanks to all - Michael
0
 
JaihuntCommented:
use EventcombMT tool to extract the log for the account lockout.

In server name -> add single server (PDCe server)
Event ID -> 680 for 2003 OS & 4740 for 2008 OS
text -> mentioned user id of the account locked.

http://www.windowstricks.in/2009/07/account-lockout.html
0
 
vin_shooterCommented:
Hi,

Simple way to do is that can use lockoutstatus tool, can download from microsoft site.
Or

Can perform below steps,

Step1: dsquery user -name "logonID"

Replcate logonID with user ID & execute the above command. You'll get the object "DNPATH" then,

Step 2: repadmin /showmeta "DNPATH" >>c:\temp\meta.txt  then navigate to c->temp->meta.txt & search for keyword "lockout" then,

you'll be able to find the DC name in the same line in which the lockout is initiated. Login to the DC and search in security log for event id 4740 if its WIN2008 server else 644 if its win2003.

Share the results..,
0
 
SandeshdubeySenior Server EngineerCommented:
Can you post the event details.In the event itself check for callermachine name.This could be the culprint.

There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!

For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

See this tool too:http://www.netwrix.com/account_lockout_examiner.html
0
 
sg08234Author Commented:
I now implemented access to network shares into login script and hope this helps.

Thanks to all - Michael
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now