account lockouts

number of users always getting locked out
always same users
have enabled netlogon reporting in c:\windows\debug
checking security event ids 4740 & 4625
the 4740 event id always has the computer name as blank
the 4625 event ids have the source computer name, not sure if it's a coincidence but
the source names are the 2 IAS Radius servers we have
the netlogon report looks like this
09/19 16:23:02 [LOGON] domain: SamLogon: Transitive Network logon of domain\username from  (via server) Returns 0xC0000234
and a large amount of  0xc000006A

any idea how i can figure out what is causing these lockouts
strange thing is some days it happens 10 times a day
and some days not at all
some days just in morning
dougdog Asked:

Radhakrishnan R, Senior Technical Lead, Commented:
Hi,

It could be multiple reasons.

I would suggest performing a full virus scan on the affected users' machines (any malicious removal tool) and see if there are any infections.

Also, check whether any mapped drives have been mapped on these machines, any applications are using these accounts, etc.
0
Will Szymkowski, Senior Solution Architect, Commented:
Depending on your environment this can get tricky to see exactly what is happening. If you have multiple DCs in your environment any users can be locked out on that respective DC. When a user is locked out it only shows up on the DC that the account was locked out on. This is hard because the logs continue to overwrite themselves due to constant security.

Common lockouts happen due to Outlook password caching and/or RDP sessions after a user has changed their password.

I would recommend using ADAudit Plus for this as it will audit basically everything that happens in your AD environment. It's not free but reasonably priced. They have a fully featured version available for 30 days.

Here is a PAQ for this software: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28241804.html

Thanks

Will.
0
arnold Commented:
These might be IAS originating lockout events.

Look at the login type.
Where do you have user auth via radius? VPN concentrators?
0

Sandeshdubey, Senior Server Engineer, Commented:
If multiple user IDs are getting locked in AD this could be a symptom of the Win32/Conficker worm.
On the DC check the security log; event id 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs you will find the same caller machine. If this is the case unplug the caller machine from the network, do Windows patching on the PC, update the virus definition and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

If it has spread to multiple PCs create a GPO. Refer to the MS link below; the symptoms of the Conficker virus are given and also how to deploy the policy to block it.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as servers are patched and the latest virus definition is present on all PCs.

Note: If event id 644/4740 has not occurred then this means that in the audit policy the user account management policy is not configured. Configure it and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

As you have narrowed down that the 2 IAS Radius servers are causing the issue, scan the servers, update the AV definition and install the latest SP and hotfix.


There may be many other causes for account locked out.
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw was changed
• A SMARTPHONE!!!

For more, refer to the KB article: http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

=====================
0
dougdog (Author) Commented:
we use radius for
vpn
wireless access
cisco access etc
0
SreRaj Commented:
Hi,

It could be that user has changed account password but VPN Client is not updated with the new password. So VPN Client will try to connect using the old password and will create the events thru RADIUS and eventually account will get locked out.
0
dougdog (Author) Commented:
there must be a way to pinpoint the exact offender
0
SreRaj Commented:
Are you looking to find out the name of the machine from which logon attempts are made?
0
Pankaj_401 Commented:
Log on to your DC -> Control Panel -> Administrative Tools -> Event Viewer

Create a custom view on your DC to filter out just the lockout events

Logged = Any time

By log = Security

Event ID's = 4740

This should show you all lockout events on your DC and show you which PC is doing the locking (Caller Computer Name)

You can use Microsoft Account Lockout Tools - What gets used in the big leagues or go for a 3rd party utility as well
http://www.microsoft.com/en-us/download/details.aspx?id=18465
http://www.auditactivedirectory.com/
0
arnold Commented:
The accounts that get locked out, check whether the users have recently changed their passwords.
If they have, advise them to make sure their VPN setup at home is not set to auto, i.e. they saved the VPN credentials.
Similarly with the wireless.  They may have it saved and when they get into the office, one of the devices they have/use with the office wireless connection is locking them out.
0
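The netlogon.log line quoted in the question already carries the account, the relaying server after "via", and the status code (0xC000006A is a wrong password, 0xC0000234 is a locked-out account), so the log can be tallied per account and relay. The parser below is an added example, not code from any poster in this thread. The sample lines and the names in them (CORP, alice, RADIUS01 and so on) are constructed, and the line layout is assumed to match the one line shown in the question.

```python
import re
from collections import Counter, defaultdict

# NTSTATUS codes that appear in the question's netlogon.log
STATUS = {0xC000006A: "STATUS_WRONG_PASSWORD",
          0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

# Matches completed logon lines; the workstation after "from" may be blank.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?"
    r"logon of (?P<account>\S+) from\s+(?P<workstation>\S*?)\s*"
    r"\(via (?P<via>[^)]+)\) Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# Constructed sample lines; every name in them is made up.
SAMPLE = r"""
09/19 16:22:40 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\alice from  (via RADIUS01) Entered
09/19 16:22:40 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\alice from  (via RADIUS01) Returns 0xC000006A
09/19 16:22:51 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\alice from  (via RADIUS01) Returns 0xC000006A
09/19 16:23:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\alice from  (via RADIUS01) Returns 0xC0000234
09/19 16:25:10 [LOGON] CORP: SamLogon: Network logon of CORP\bob from WS042 (via DC02) Returns 0x0
09/19 16:26:00 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\carol from LAPTOP7 (via RADIUS02) Returns 0xC000006A
""".splitlines()

def parse_line(line):
    """Return the fields of one completed logon line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "account": m["account"], "via": m["via"],
            "workstation": m["workstation"] or "<blank>",
            "code": int(m["status"], 16)}

def summarize(lines):
    """Count failed logons per (account, via server, workstation)."""
    tally = defaultdict(Counter)
    for rec in filter(None, map(parse_line, lines)):
        if rec["code"] != 0:  # 0x0 is a successful logon
            key = (rec["account"], rec["via"], rec["workstation"])
            tally[key][STATUS.get(rec["code"], hex(rec["code"]))] += 1
    return dict(tally)

def rank_sources(tally):
    """Order the keys by wrong-password count, noisiest first."""
    return sorted(tally, key=lambda k: tally[k]["STATUS_WRONG_PASSWORD"], reverse=True)

if __name__ == "__main__":
    for key in rank_sources(t := summarize(SAMPLE)):
        print(key, dict(t[key]))
```

A blank workstation with a RADIUS server in the "via" field means the DC log alone cannot name the client device; the RADIUS server's own accounting or authentication log for the same timestamp is the next place to look.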
