Solved

AD Account Lockout Source

Posted on 2014-01-03
Last Modified: 2014-03-28
Hi-

Could somebody recommend a good tool for tracing the source of Active Directory account lockouts? We have a number of users whose accounts are randomly getting locked, I'm guessing as a result of a legacy login somewhere that we can't trace.

Thanks
Question by:paullord
5 Comments
 

Accepted Solution

by:
Pradeep VIshwakarma earned 500 total points
ID: 39753311
You can run LockoutStatus.exe on a domain controller to identify the account lockout issue, and use the link below:

http://www.microsoft.com/downloads/details.aspx?familyid=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en

Expert Comment

by:Alan Gunn
ID: 39753475
We get a lot of these problems for admin users who use RDP to connect to servers and then just close the window when they are done.

I use lockoutstatus to identify the exact time and DC on which the lockout occurred. In multiple DC configurations the event will be recorded on the DC which processed the bad password event and also on the PDC emulator. Look for the latest bad password and if it occurred only on the PDC then it was created there. If it is also logged on another DC then it was processed on that DC.

Look on the DC which processed the event, look in the security event log and filter it for events that happened at the exact time of the bad password.

To do this select custom time range and put the exact time for start and end times.

The machine name or IP will be recorded in the error.

Hope this helps.

TRM

Expert Comment

by:Detlef001
ID: 39753661
Yeah, you can have a look at these applications for the same.

First, please go for an ADAuditApplication.

And second, you can also go for the Netwrix lockout examiner tool for the result.

http://www.netwrix.com/top_7_freeware_tools.html?source=productsmenu

Thanks.

Expert Comment

by:Sandeshdubey
ID: 39755715
If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm.
On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

If it has spread to multiple PCs, create a GPO. Refer to the MS link below; the symptoms of the Conficker virus are given, and also how to deploy the policy to block it.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as servers are patched and the latest virus definitions are present on all PCs.

Note: If event ID 644/4740 has not occurred, this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx


You can also set the debug flag on NetLogon to track authentication. "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541
0
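An added example, not part of any answer above and not code from the posters: the check described in the answers (open the lockout events on the DC and read the caller machine) done in PowerShell for event 4740, grouped so that one machine locking several accounts stands out. The function names are hypothetical, the sample events, accounts and machine names are constructed, and event 644 on Windows Server 2003 is not covered.

```powershell
# Added example; function names are hypothetical and the sample data is constructed.
# In event 4740 the "Caller Computer Name" is stored in the TargetDomainName field.
function ConvertFrom-LockoutXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $evt  = ([xml]$Xml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeUtc = $evt.System.TimeCreated.SystemTime
            Account = $data['TargetUserName']
            Caller  = $data['TargetDomainName']
        }
    }
}

# One row per caller machine, busiest first. A single machine locking out
# several different accounts is the pattern to investigate first.
function Get-LockoutCallerSummary {
    param([Parameter(Mandatory)][object[]]$Lockouts)
    $Lockouts | Group-Object Caller | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Caller   = $_.Name
                Lockouts = $_.Count
                Accounts = ($_.Group.Account | Sort-Object -Unique) -join ', '
            }
        }
}

# Constructed sample events (trimmed to the fields used), so this runs offline.
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
     '<System><EventID>4740</EventID><TimeCreated SystemTime="{0}"/></System>' +
     '<EventData><Data Name="TargetUserName">{1}</Data>' +
     '<Data Name="TargetDomainName">{2}</Data></EventData></Event>'
$sample = @(
    ($t -f '2014-01-03T09:15:02Z', 'jsmith', 'WKSTN-017'),
    ($t -f '2014-01-03T09:15:40Z', 'mbrown', 'WKSTN-017'),
    ($t -f '2014-01-03T10:02:11Z', 'jsmith', 'TS-GATEWAY')
)
Get-LockoutCallerSummary -Lockouts ($sample | ConvertFrom-LockoutXml)

# Live use on a Windows Server 2008 or later DC (elevated prompt):
#   $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 }
#   Get-LockoutCallerSummary -Lockouts ($events | ForEach-Object { $_.ToXml() } | ConvertFrom-LockoutXml)
```

The TimeUtc value of a row is the timestamp to use as the start and end of the custom time range when filtering the Security log on the DC that processed the bad password.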
