Account Lockout Assistance?

Hi All,

I have a user that is continuously getting locked out. The DCs are showing it getting locked out on the Exchange Server.

Here's the problem: the security log shows the user being locked out like this:

Workstation Name:          A.B.C.D     <- Exchange Server IP
Source Network Address:     E.F.G.H     <- Our Load Balancer IP

So we are looking for a way to locate more info on the device that's causing the lockout. Everything that passes through the LB before it hits the Exchange server shows up in the Exchange server logs as coming from the LB's IP... Is there any NetMon or ExTra way to maybe find a MAC address or real IP of the device that's possibly causing these lockouts?
GCTTechs Asked:

Patrick Bogers, Datacenter platform engineer Lindows, Commented:
Hi,

There is a chance a hacker/script kiddie is trying to enter OWA/RWW or a similar service.
If you add an X-header-ip to the load balancer pool (the origin IP will be sent along) and adjust logging in IIS where OWA lives (maybe you need the extended logging tool for IIS), the real address will pop up.
0
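To illustrate the suggestion above, here is an added example (not part of the original thread) that reads an IIS W3C log containing a forwarded-IP column and counts failed logons for one user by original client address. The column name `X-Forwarded-For`, the user `jdoe`, and all log lines are constructed assumptions; substitute the header your load balancer actually inserts.

```python
from collections import Counter

# Constructed sample of an IIS W3C log. The custom column name
# X-Forwarded-For is an assumption; use the header your LB adds.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status X-Forwarded-For
2024-05-01 09:00:01 POST /Microsoft-Server-ActiveSync/default.eas CONTOSO\\jdoe 10.0.0.5 401 198.51.100.23
2024-05-01 09:00:31 POST /Microsoft-Server-ActiveSync/default.eas CONTOSO\\jdoe 10.0.0.5 401 198.51.100.23
2024-05-01 09:01:01 POST /Microsoft-Server-ActiveSync/default.eas jdoe@contoso.com 10.0.0.5 401 198.51.100.23
2024-05-01 09:01:10 GET /owa/ CONTOSO\\jdoe 10.0.0.5 200 203.0.113.9
2024-05-01 09:01:40 GET /owa/ CONTOSO\\jdoe 10.0.0.5 401 203.0.113.9
2024-05-01 09:02:00 GET /owa/ CONTOSO\\asmith 10.0.0.5 401 198.51.100.23
2024-05-01 09:02:30 GET /EWS/Exchange.asmx CONTOSO\\jdoe 10.0.0.5 401 -
"""

def failed_logons_by_client(log_text, user, ip_field="X-Forwarded-For"):
    """Return [(client_ip, count)] of HTTP 401 responses logged for `user`."""
    fields, hits = [], Counter()
    wanted = user.lower()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        name = row.get("cs-username", "-").lower()
        name = name.split("\\")[-1].split("@")[0]  # DOMAIN\user or user@domain
        if name != wanted or row.get("sc-status") != "401":
            continue
        # The header can hold a chain "client,+proxy"; the first entry is the
        # claimed origin. Trust it only if the LB overwrites client-sent values.
        forwarded = row.get(ip_field, "-")
        if forwarded == "-":
            client = row.get("c-ip", "-")  # header missing: only the LB IP is known
        else:
            client = forwarded.split(",")[0].strip("+")
        hits[client] += 1
    return hits.most_common()

if __name__ == "__main__":
    for ip, count in failed_logons_by_client(SAMPLE_LOG, "jdoe"):
        print(f"{ip}\t{count} failed logons")
```

Requests that still show only the load balancer address (the `10.0.0.5` row here) mean the header is not being inserted for that virtual service, so check each Exchange virtual directory's pool.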
Will Szymkowski, Senior Solution Architect, Commented:
If the user's account is getting locked out from Exchange then it is probably Outlook related. Does this user use multiple computers with the Outlook client? I am thinking that if Outlook is opened and the user has recently changed his/her password, there is a good possibility that the password has been cached in Outlook.

What I would recommend is using something like ADAudit Plus. This is not free software but they do have a trial version available (full version) for 30 days. Couldn't live without this software. It will provide all of the details on where the account is being locked out, what domain controller, etc.

If you have multiple DCs in your environment then it will be very hard to figure out/track the lockout logs on the server, as each of the server logs are independent from each other. ADAudit Plus will grab the logs and put them in a nice web interface GUI which will help tremendously.

ADAudit Plus - http://www.manageengine.com/products/active-directory-audit/

Hope this helps
0

Radhakrishnan R, Senior Technical Lead, Commented:
Hi,

I faced a similar issue some time back; in my case the affected user's machine was infected with a virus. You can identify this by checking the audit logs: note down the IP address, then perform an nslookup so that you can identify the machine.

Once you have found the machine, either format it or perform a full virus scan. Also, change the user's password.
0
Nick Rhode, IT Director, Commented:
Usually due to being signed in on multiple workstations or the user somehow cached the password on the machine.

On the user's machine (or machines) hit the Windows button and type in Credential Manager.

See if the user has any saved passwords and remove them.
0
reynoldsradisson Commented:
You may check events on both DCs to cross-verify the problem. If the account is getting locked out, then an event (644 for 2003 and 4740 for 2008) is generated in the security log.
Also, it seems that there is some kind of replication issue, meaning the account is getting locked out by one DC but the information is not replicating to the other.

Check the same using the following article:

Troubleshooting Active Directory Replication Problems
http://technet.microsoft.com/en-us/library/bb727057.aspx

Moreover, a similar thread has been discussed in the same community...

Please have a look at this link also ...

http://www.experts-exchange.com/OS/Miscellaneous/Q_21859689.html


Thanks.
0