Solved

AD Account Lockout Source

Posted on 2014-01-03
5
3,583 Views
Last Modified: 2014-03-28
Hi-

Could somebody recommend a good tool for tracing the source of Active Directory account lockouts? We have a number of users whose accounts are randomly getting locked, I'm guessing as a result of a legacy login somewhere that we can't trace.

Thanks
0
Question by:paullord
5 Comments
 
LVL 4

Accepted Solution

by:
Pradeep VIshwakarma earned 500 total points
ID: 39753311
You can run LockoutStatus.exe on a domain controller to identify the account lockout issue, and use the link below:

http://www.microsoft.com/downloads/details.aspx?familyid=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en
0
 
LVL 6

Expert Comment

by:Alan Gunn
ID: 39753475
We get a lot of these problems for admin users who use RDP to connect to servers and then just close the window when they are done.

I use LockoutStatus to identify the exact time and DC on which the lockout occurred. In multiple-DC configurations the event will be recorded on the DC which processed the bad password event and also on the PDC emulator. Look for the latest bad password; if it occurred only on the PDC then it was created there. If it is also logged on another DC then it was processed on that DC.

On the DC which processed the event, look in the security event log and filter it for events that happened at the exact time of the bad password.

To do this, select a custom time range and put the exact time for the start and end times.

The machine name or IP will be recorded in the error.

Hope this helps.

TRM
0
 
LVL 3

Expert Comment

by:Detlef001
ID: 39753661
Yeah, you can have a look at these applications for the same.

First, please go for an ADAuditApplication.

And second, you can go for the Netwrix Lockout Examiner tool also for the result.

http://www.netwrix.com/top_7_freeware_tools.html?source=productsmenu

Thanks.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39755715
If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm.
On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

If it has spread to multiple PCs, create a GPO. Refer to the MS link below, where the symptoms of the Conficker virus are given and also how to deploy the policy to block the same.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as servers are patched and the latest virus definitions are present on all PCs.

Note: If event ID 644/4740 has not occurred, this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx


You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541
0
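The two manual procedures above (Alan Gunn's time-window filter on the security log, and Sandeshdubey's check of the caller machine in event 4740) can be done in one query. This is an added example, not code from the thread or from any of the linked Microsoft tools; it assumes RSAT's ActiveDirectory module, rights to read the Security log on the PDC emulator, and that audit policy already records 4740.

```powershell
# Added example: list 4740 (account locked out) events from the PDC emulator,
# within an optional time window, and summarise them per caller computer.
Import-Module ActiveDirectory

# 4740 is always recorded on the PDC emulator, so that is the DC to query first.
$pdc = (Get-ADDomain).PDCEmulator

# Time window. To reproduce the "exact time" filter from the thread, set $start
# and $end to the lockout time reported by LockoutStatus (plus/minus a minute).
$start = (Get-Date).AddDays(-1)   # assumption: last 24 hours
$end   = Get-Date

$filter = @{
    LogName   = 'Security'
    Id        = 4740              # 644 on Windows Server 2003
    StartTime = $start
    EndTime   = $end
}

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read EventData by field name instead of by position. In a 4740 event the locked
# account is TargetUserName and the caller computer name is carried in TargetDomainName.
$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
        RecordedOn     = $e.MachineName
    }
}

# Per-lockout view: which account, when, and from which machine.
$rows | Sort-Object Time -Descending | Format-Table -AutoSize

# Per-caller view: one caller locking many distinct accounts is the pattern
# the thread associates with a worm; one caller locking one account repeatedly
# points at a stale credential (e.g. a disconnected RDP session) on that host.
$rows | Group-Object CallerComputer |
    Select-Object @{n='CallerComputer';e={$_.Name}},
                  @{n='Lockouts';e={$_.Count}},
                  @{n='DistinctAccounts';e={($_.Group.Account | Sort-Object -Unique).Count}} |
    Sort-Object Lockouts -Descending | Format-Table -AutoSize
```

An empty result with lockouts still happening means the "Audit user account management" policy is not enabled on the DCs, as noted in the comment above.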
