Lenblock
asked on
Locked account, help finding source
Hi
One of our users often finds that his account gets locked; we have attempted to locate the source of this, without luck.
Currently running a simple function in PowerShell which goes through the security log.
Function Get-LockedOutInfo ([String]$user) {
    # Keep only failure audits whose message mentions the user (note: -match treats $user as a regex)
    Get-EventLog -LogName Security |
        Where-Object { $_.EntryType -match "FailureAudit" -and $_.Message -match $user } |
        Sort-Object TimeGenerated |
        Format-List
}
Running the function it tells us that the failed attempts originate from our TMG server.
Filtering the log on the TMG server, with only these settings:
web proxy or firewall
Client username
Last day
No failed attempts are showing, not one.
In other similar cases we have been able to see the failed attempts in the TMG log.
Does anyone have any tips on how to follow up on this, to try to locate the source?
Example from the security log:
Index : 82577185
EntryType : FailureAudit
InstanceId : 4625
Message : An account failed to log on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: user.name
Account Domain: domain.com
Failure Information:
Failure Reason: %%2313
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: TMGSERVER
Source Network Address: TMG.IP
Source Port: xxxx
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Category : (12544)
CategoryNumber : 12544
ReplacementStrings : {S-1-0-0, -, -, 0x0...}
Source : Microsoft-Windows-Security-Auditing
TimeGenerated : 30.10.2013 11:49:25
TimeWritten : 30.10.2013 11:49:25
UserName :
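The approach below is an added example, not code from the thread: instead of regex-matching the message text, it reads the named EventData fields of 4625 (failed logon) and 4740 (account locked out) events with Get-WinEvent, so the sub-status and the reporting workstation/IP come out as columns. Function names, the DC name parameter and the sample usage are assumptions; it expects to be run against a domain controller (the PDC emulator records every 4740) with failure auditing enabled.

```powershell
# Added example, not code from the thread. Assumes rights to read the Security log on a
# domain controller (the PDC emulator records every 4740 lockout) and that logon-failure
# auditing (4625) is enabled there. Function and parameter names are assumptions.

# Map the NTSTATUS sub-status of a 4625 event to a readable reason.
function Resolve-SubStatus ([string]$Code) {
    switch ($Code.ToUpper()) {
        '0XC000006A' { 'Wrong password' }
        '0XC0000234' { 'Account locked out' }
        '0XC0000064' { 'User name does not exist' }
        '0XC0000072' { 'Account disabled' }
        '0XC0000071' { 'Password expired' }
        '0XC0000193' { 'Account expired' }
        '0XC000006F' { 'Logon outside permitted hours' }
        default      { "Other ($Code)" }
    }
}

# List lockouts (4740) and failed logons (4625) for one user, with the source of each.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$ComputerName = $env:COMPUTERNAME,   # assumption: name of the DC to query
        [int]$Days = 1
    )
    $filter = @{ LogName = 'Security'; Id = 4740, 4625; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of parsing the text.
            $data = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data.TargetUserName -ne $User) { return }
            if ($_.Id -eq 4740) {
                # In 4740, TargetDomainName carries the caller computer name that sent the bad credentials.
                [pscustomobject]@{ Time = $_.TimeCreated; Event = 4740; Source = $data.TargetDomainName
                                   Reason = 'Account locked out'; LogonType = '-'; AuthPackage = '-' }
            } else {
                [pscustomobject]@{ Time = $_.TimeCreated; Event = 4625
                                   Source = "$($data.WorkstationName) $($data.IpAddress):$($data.IpPort)"
                                   Reason = Resolve-SubStatus $data.SubStatus
                                   LogonType = $data.LogonType; AuthPackage = $data.AuthenticationPackageName }
            }
        } | Sort-Object Time
}

# Usage (assumed DC name): Get-LockoutSource -User 'user.name' -ComputerName 'DC01' | Format-Table -AutoSize
```

If the 4740 caller computer name is the TMG server itself, the bad credentials are being relayed through it and the real client still has to be found in the TMG's own logs.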
ASKER
The reason for the locked-out account was the user's own software.
• user's account in stored user name and passwords
• user's account tied to persistent mapped drive
• user's account as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's password was changed
• Mobile devices
Follow this Expert-Exchange thread in case: http://www.experts-exchang
Or if you want to go with any commercial product you can also look at this utility to know when, where and what account has locked : http://www.auditactivedire