Solved

AD Account Lockout Source

Posted on 2014-01-03
5
3,493 Views
Last Modified: 2014-03-28
Hi-

Could somebody recommend a good tool for tracing the source of Active Directory account lockouts? We have a number of users whose accounts are randomly getting locked, I'm guessing as a result of a legacy login somewhere that we can't trace.

Thanks
0
Question by:paullord
5 Comments
 
LVL 4

Accepted Solution

by:
Pradeep VIshwakarma earned 500 total points
ID: 39753311
You can run LockoutStatus.exe on a domain controller to identify the account lockout issue, and use the link below:

http://www.microsoft.com/downloads/details.aspx?familyid=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en
0
 
LVL 6

Expert Comment

by:Alan Gunn
ID: 39753475
We get a lot of these problems for admin users who use RDP to connect to servers and then just close the window when they are done.

I use LockoutStatus to identify the exact time and DC on which the lockout occurred. In multiple-DC configurations the event will be recorded on the DC which processed the bad password event and also on the PDC emulator. Look for the latest bad password: if it occurred only on the PDC then it was created there; if it is also logged on another DC then it was processed on that DC.

On the DC which processed the event, look in the security event log and filter it for events that happened at the exact time of the bad password.

To do this select custom time range and put the exact time for start and end times.

The machine name or IP will be recorded in the error.

Hope this helps.

TRM
0
 
LVL 3

Expert Comment

by:Detlef001
ID: 39753661
Yeah, you can have a look at these applications for the same.

First, please go for an AD audit application.

And second, you can also go for the Netwrix Lockout Examiner tool for the result.

http://www.netwrix.com/top_7_freeware_tools.html?source=productsmenu

Thanks.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39755715
If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm.
On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment affected by the Conficker virus.

If it has spread to multiple PCs, create a GPO. Refer to the MS link below: the symptoms of the Conficker virus are given, and also how to deploy the policy to block the same.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as servers are patched and the latest virus definitions are present on all PCs.

Note: If event ID 644/4740 has not occurred, this means that the User Account Management audit policy is not configured. Configure the same and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx


You can also set the debug flag on NetLogon to track authentication. "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541
0
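The steps in the two answers above (pull the 4740 lockout events from the PDC emulator for a given time window, read the caller computer name, and look for the same caller machine repeating) can be done from one PowerShell session instead of filtering the Event Viewer by hand. This is an added example, not code from the thread or from the LockoutStatus tool; the account name `jdoe`, the 24-hour window and the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module is
# installed, the caller can read the Security log on the PDC emulator remotely,
# and "Audit User Account Management" is enabled so 4740 events exist at all.
param(
    [string]$User  = 'jdoe',   # assumed sample account; empty string = all accounts
    [int]   $Hours = 24        # assumed time window, like the custom range in Event Viewer
)
Import-Module ActiveDirectory

# Every lockout is replicated to the PDC emulator, so query it first.
$pdc = (Get-ADDomain).PDCEmulator

# Event ID 4740 = "A user account was locked out" (2008+; 644 on Server 2003).
$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

# Read the EventData fields by name rather than by position so the mapping is explicit.
$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']   # in 4740 this field is the caller computer name
        Subject        = $data['SubjectUserName']    # principal that performed the lockout (normally a DC account)
        LoggedOn       = $e.MachineName
    }
}
if ($User) { $lockouts = $lockouts | Where-Object { $_.Account -eq $User } }

# Newest first: the latest bad password is the one to chase.
$lockouts | Sort-Object Time -Descending | Format-Table -AutoSize

# A caller machine that keeps repeating is the legacy login (or infected host) to look at.
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object @{n='CallerComputer';e={$_.Name}}, Count | Format-Table -AutoSize
```

If the second table is empty, check that the audit policy noted in the answer above is actually producing 4740 events on the PDC before suspecting the query.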
