Account lockout via Smartphones every morning

A handful of my users (of course they are executive level) are experiencing a rather strange issue. It appears that every morning their AD accounts are getting locked out. This seems to happen around the same time every morning and the reason the user knows is that their Smartphone which recieves company emails starts asking for the username/password at which point they attempt to enter it and it either works or the account is locked and someone has to manually unlock the account.

We are running a 2008 Active Directory Domain and Exchange 2010. Looking for suggestions on how I can track down the issue that is causing these account lockouts every morning.
dowhatyoudo22Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
The manual way to do this is to check the Security Logs on the Domain Controllers. This can be a daunting task if you have multiple DC's in your environment (which most businesses do). I would highly recommend downloading and installed ADAuditPlus by Manage Engine.

This is not a free product but they do have a fully featured trial for 30 days. It is very inexpensive for the value i beleive it brings to monitor AD.

ADAudit Plus - http://www.manageengine.com/products/active-directory-audit/

Will.
0
 
SandeshdubeySenior Server EngineerCommented:
On th DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked.Open the event and check the caller Machine.If the event id 644/4740 has not occured then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occuring


Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541


Sometimes the network trace(Wireshark tool) will the most helpful piece to figure out where the lockout is coming from. Is this a normal user or could this account be used on a service somewhere?
0
 
Pramod UbheCommented:
lockoutstatus.exe can help you or we usually ask our network guys to track MAC ID of the device sending bad password on Cisco ACS server.
0
 
dowhatyoudo22Author Commented:
This tool worked well. I was able to pin the problem to a third DC that was out of sync with the other two DCs. Once I corrected this issue the accounts stopped locking up.

Thanks!
0
All Courses

From novice to tech pro — start learning today.