Solved

Locked account, help finding source

Posted on 2013-10-30
Last Modified: 2013-11-05
Hi

One of our users often finds that his account is locked; we have attempted to locate the source of this without luck.

We are currently running a simple PowerShell function that goes through the security log.

Function Get-LockedOutInfo ([String]$user) {
    # Failed logon audits (e.g. event 4625) whose message mentions the account, oldest first
    Get-EventLog -LogName Security |
        Where-Object { $_.EntryType -match "FailureAudit" -and $_.Message -match $user } |
        Sort-Object TimeGenerated |
        Format-List
}


Running the function tells us that the failed attempts originate from our TMG server.

Filtering the log on the TMG server with only these settings:
web proxy or firewall
Client username
Last day

No failed attempts are showing, not one.
In other similar cases we have been able to see the failure attempts in the TMG log.

Does anyone have any tips on how to follow up on this, to try to locate the source?


Example from the security log:

Index              : 82577185
EntryType          : FailureAudit
InstanceId         : 4625
Message            : An account failed to log on.

                     Subject:
                         Security ID:        S-1-0-0
                         Account Name:        -
                         Account Domain:        -
                         Logon ID:        0x0

                     Logon Type:            3

                     Account For Which Logon Failed:
                         Security ID:        S-1-0-0
                         Account Name:        user.name
                         Account Domain:        domain.com

                     Failure Information:
                         Failure Reason:        %%2313
                         Status:            0xc000006d
                         Sub Status:        0xc000006a

                     Process Information:
                         Caller Process ID:    0x0
                         Caller Process Name:    -

                     Network Information:
                         Workstation Name:    TMGSERVER
                         Source Network Address:    TMG.IP
                         Source Port:        xxxx

                     Detailed Authentication Information:
                         Logon Process:        NtLmSsp
                         Authentication Package:    NTLM
                         Transited Services:    -
                         Package Name (NTLM only):    -
                         Key Length:        0

                     This event is generated when a logon request fails. It is generated on the computer where access was attempted.

                     The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

                     The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

                     The Process Information fields indicate which account and process on the system requested the logon.

                     The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

                     The authentication information fields provide detailed information about this specific logon request.
                         - Transited services indicate which intermediate services have participated in this logon request.
                         - Package name indicates which sub-protocol was used among the NTLM protocols.
                         - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Category           : (12544)
CategoryNumber     : 12544
ReplacementStrings : {S-1-0-0, -, -, 0x0...}
Source             : Microsoft-Windows-Security-Auditing
TimeGenerated      : 30.10.2013 11:49:25
TimeWritten        : 30.10.2013 11:49:25
UserName           :
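A more precise version of the lookup above, added here as an example and not part of the original question: it reads the 4625 event's own fields (account, workstation, source address, logon process, sub-status) instead of matching the whole message text, decodes the documented NTSTATUS sub-status codes, and groups the failures by source so the machine presenting the bad password stands out. $User and $Hours are assumed parameters.

```powershell
# Summarise 4625 failures for one account on the server that logged them,
# using the event XML instead of a regex over the message. Sub-status text
# below is the documented NTSTATUS meaning. $User/$Hours are assumed parameters.
param([string]$User = 'user.name', [int]$Hours = 24)

$SubStatusText = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'user name does not exist'
    '0xc0000234' = 'account locked out'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'logon outside allowed hours'
    '0xc0000071' = 'password expired'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Account     = $d.TargetUserName
        Domain      = $d.TargetDomainName
        LogonType   = $d.LogonType
        Workstation = $d.WorkstationName
        SourceIp    = $d.IpAddress
        SourcePort  = $d.IpPort
        LogonProc   = $d.LogonProcessName
        SubStatus   = $d.SubStatus
        Reason      = $SubStatusText[[string]$d.SubStatus.ToLower()]
    }
} | Where-Object { $_.Account -eq $User }

# Where are the bad attempts coming from, and over what window?
$events | Group-Object SourceIp, Workstation, LogonProc | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize

# Individual attempts, oldest first, so a burst that trips the lockout threshold is visible
$events | Sort-Object Time |
    Format-Table Time, LogonType, SourceIp, SourcePort, SubStatus, Reason -AutoSize
```

A source that shows up only as a proxy or firewall address (as the TMG server does above) means the next hop is that server's own log, not the account itself.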
Question by:Lenblock
5 Comments
Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 39611415
Use AD Audit Plus to find out where the account is locking out. It's not free but they have a 30 day trial which is fully featured.

AD Audit Plus - http://www.manageengine.com/products/active-directory-audit/

You will find where the account is locking out and from what machine as soon as you install this in your environment.

Will.
Assisted Solution

by:Sandeshdubey
Sandeshdubey earned 250 total points
ID: 39612142
On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine. If event ID 644 has not occurred, this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. It seems from the event that TMGSERVER is causing the issue.

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from. Is this a normal user or could this account be used on a service somewhere?
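The 4740 check described in this answer, as an added example rather than the answer's own code: it locates the PDC emulator (every lockout is forwarded there), pulls the 4740 events for the account, and reports the caller computer name, which 4740 carries in its TargetDomainName field. $User and $Days are assumed parameters.

```powershell
# Query 4740 lockout events on the PDC emulator and show which computer
# reported each one. $User/$Days are assumed parameters; the PDC is discovered.
param([string]$User = 'user.name', [int]$Days = 7)

$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $d.TargetUserName
            # In 4740 the 'Caller Computer Name' field is carried as TargetDomainName
            CallerComputer = $d.TargetDomainName
            ReportingDC    = $_.MachineName
        }
    } | Where-Object { $_.Account -eq $User }

if (-not $lockouts) {
    Write-Warning "No 4740 events for $User on $pdc in the last $Days days; check that 'Audit User Account Management' (success) is enabled on the DCs."
    return
}

$lockouts | Sort-Object Time | Format-Table -AutoSize
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending | Select-Object Count, Name

# The caller computer (TMGSERVER in the question) is where the bad password was
# presented; its own Security log may hold 4625 events with the originating
# client address. Netlogon debug logging (nltest /dbflag:0x2080ffff, per the KB
# article linked above) adds a per-client trail in %windir%\debug\netlogon.log.
```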
Expert Comment

by:Pankaj_401
ID: 39612909
There may be many causes for an account being locked out:
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account used as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's password was changed
• mobile devices

Follow this Experts-Exchange thread in case: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28269386.html
Or if you want to go with a commercial product, you can also look at this utility to know when, where and what account has locked: http://www.auditactivedirectory.com/
Accepted Solution

by:Lenblock
Lenblock earned 0 total points
ID: 39614175
Hi

We found the solution.

It was the user's local account causing the problem. A part of their own software was most likely attempting to log on to a service with an older password for his account.

He changed his local security policy:
Do not allow storage of passwords and credentials

Problem solved for now.
Will continue to find the real source.

Thanks for the suggestions.

Regards.
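A client-side sweep of the places a stale password can hide, covering the list of causes in Pankaj_401's comment and the stored-credentials finding in this accepted answer. This is an added example, not code from either poster; $User is an assumed parameter, cmdkey must run in the user's own session, and the rest is best run elevated.

```powershell
# Find where a user's (possibly stale) password is cached on a workstation.
# $User is an assumed parameter. cmdkey lists the calling user's own vault,
# so run that part in the affected user's session.
param([string]$User = 'user.name')

Write-Host "== Stored user names and passwords (Credential Manager) =="
cmdkey /list | Select-String -Pattern $User -Context 1, 1

Write-Host "== Persistent mapped drives =="
Get-WmiObject Win32_NetworkConnection |
    Select-Object LocalName, RemoteName, UserName, Persistent

Write-Host "== Services running under the account =="
Get-WmiObject Win32_Service | Where-Object { $_.StartName -match $User } |
    Select-Object Name, StartName, State, StartMode

Write-Host "== Scheduled tasks running as the account =="
schtasks /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $User } |
    Select-Object TaskName, 'Run As User', 'Next Run Time', Status

Write-Host "== IIS application pools (only if IIS is installed) =="
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools | Where-Object { $_.processModel.userName -match $User } |
        Select-Object Name, @{ n = 'User'; e = { $_.processModel.userName } }
}

Write-Host "== Policy value behind the fix in the accepted answer =="
# DisableDomainCreds = 1 is 'Network access: Do not allow storage of passwords
# and credentials for network authentication'; absent or 0 means storage is allowed.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name DisableDomainCreds -ErrorAction SilentlyContinue |
    Select-Object DisableDomainCreds
```

The service, task and app-pool checks run on whichever server the 4740 caller computer field points at, not only on the user's workstation.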
Author Closing Comment

by:Lenblock
ID: 39623758
The reason for the locked-out account was the user's own software.