Solved

Account lockout via Smartphones every morning

Posted on 2013-11-20
4
304 Views
Last Modified: 2014-01-03
A handful of my users (of course they are executive level) are experiencing a rather strange issue. It appears that every morning their AD accounts are getting locked out. This seems to happen around the same time every morning and the reason the user knows is that their Smartphone which recieves company emails starts asking for the username/password at which point they attempt to enter it and it either works or the account is locked and someone has to manually unlock the account.

We are running a 2008 Active Directory Domain and Exchange 2010. Looking for suggestions on how I can track down the issue that is causing these account lockouts every morning.
0
Comment
Question by:dowhatyoudo22
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 39662615
The manual way to do this is to check the Security Logs on the Domain Controllers. This can be a daunting task if you have multiple DC's in your environment (which most businesses do). I would highly recommend downloading and installed ADAuditPlus by Manage Engine.

This is not a free product but they do have a fully featured trial for 30 days. It is very inexpensive for the value i beleive it brings to monitor AD.

ADAudit Plus - http://www.manageengine.com/products/active-directory-audit/

Will.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39665090
On th DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked.Open the event and check the caller Machine.If the event id 644/4740 has not occured then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occuring


Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541


Sometimes the network trace(Wireshark tool) will the most helpful piece to figure out where the lockout is coming from. Is this a normal user or could this account be used on a service somewhere?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39665174
lockoutstatus.exe can help you or we usually ask our network guys to track MAC ID of the device sending bad password on Cisco ACS server.
0
 

Author Closing Comment

by:dowhatyoudo22
ID: 39754175
This tool worked well. I was able to pin the problem to a third DC that was out of sync with the other two DCs. Once I corrected this issue the accounts stopped locking up.

Thanks!
0

Featured Post

Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
There are times when we need to generate a report on the inbox rules, where users have set up forwarding externally in their mailbox. In this article, I will be sharing a script I wrote to generate the report in CSV format.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question