Solved

AD Account Lockout Source

Posted on 2014-01-03
Medium Priority
4,387 Views
Last Modified: 2014-03-28
Hi,

Could somebody recommend a good tool for tracing the source of Active Directory account lockouts? We have a number of users whose accounts are randomly getting locked, I'm guessing as a result of a legacy login somewhere that we can't trace.

Thanks
Question by:paullord
4 Comments
 
LVL 4

Accepted Solution

by:
Pradeep VIshwakarma earned 2000 total points
ID: 39753311
You can run LockoutStatus.exe on a domain controller to identify the account lockout issue, and use the link below:

http://www.microsoft.com/downloads/details.aspx?familyid=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en
LVL 6

Expert Comment

by:Alan Gunn
ID: 39753475
We get a lot of these problems for admin users who use RDP to connect to servers and then just close the window when they are done.

I use LockoutStatus to identify the exact time and DC on which the lockout occurred. In multiple-DC configurations the event will be recorded on the DC which processed the bad password event and also on the PDC emulator. Look for the latest bad password: if it occurred only on the PDC then it was created there. If it is also logged on another DC then it was processed on that DC.

On the DC which processed the event, look in the Security event log and filter it for events that happened at the exact time of the bad password.

To do this, select a custom time range and put the exact time for the start and end times.

The machine name or IP will be recorded in the error.

Hope this helps.

TRM
LVL 3

Expert Comment

by:Detlef001
ID: 39753661
Yes, you can have a look at these applications for the same.

First, go for an ADAuditApplication.

Second, you can also go for the Netwrix lockout examiner tool for the result.

http://www.netwrix.com/top_7_freeware_tools.html?source=productsmenu

Thanks.
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39755715
If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm.
On the DC, check the Security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

If it has spread to multiple PCs, create a GPO. Refer to the MS link below: the symptoms of the Conficker virus are given, and also how to deploy the policy to block the same.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as the servers are patched and the latest virus definitions are present on all PCs.

Note: If event ID 644/4740 has not occurred, then this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx


You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541
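Scripted version of the two manual procedures above (Alan Gunn's "find the DC that processed the bad password, then filter its Security log at that time" and Sandeshdubey's "group the 4740 events by caller machine"), as an added example that is not code from any poster in this thread. It assumes the RSAT ActiveDirectory module, rights to read the domain controllers' Security logs remotely, and that the audit subcategories "User Account Management" (4740), "Kerberos Authentication Service" (4771) and "Credential Validation" (4776) are enabled on the DCs. The account name jdoe and the two-minute window are placeholders.

```powershell
# Added example, not from the original thread: trace an AD account lockout
# to its source machine using the ActiveDirectory module and the Security log.
# Assumptions: RSAT ActiveDirectory module, remote event-log access to the DCs,
# and the relevant audit subcategories enabled. 'jdoe' and the window are placeholders.
Import-Module ActiveDirectory

$User   = 'jdoe'                          # assumed sample account
$Window = [TimeSpan]::FromMinutes(2)      # how far either side of the bad password to look

# Turn an event's EventData into a name -> value table; the same fact lives in
# differently numbered Properties[] for each event ID, so look up by name instead.
function Get-EventData {
    param($Event)
    $table = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $table[$d.Name] = $d.'#text'
    }
    return $table
}

# Step 1 (Alan Gunn's method): badPwdCount / lastBadPasswordAttempt are not
# replicated, so query every DC and keep the one holding the newest attempt.
$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator
$perDc  = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $u = Get-ADUser -Identity $User -Server $dc.HostName `
            -Properties LastBadPasswordAttempt, BadPwdCount, LockedOut
    [pscustomobject]@{
        DC                     = $dc.HostName
        LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        BadPwdCount            = $u.BadPwdCount
        LockedOut              = $u.LockedOut
    }
}
$perDc | Sort-Object LastBadPasswordAttempt -Descending | Format-Table -AutoSize

$latest = $perDc | Where-Object LastBadPasswordAttempt |
          Sort-Object LastBadPasswordAttempt -Descending | Select-Object -First 1
if (-not $latest) { Write-Warning "No bad password attempt recorded for $User"; return }

# The PDC emulator is told about every bad password (chaining), so if a non-PDC DC
# shows the same newest timestamp, that DC is the one that actually saw the client.
$nonPdc = $perDc | Where-Object {
    $_.DC -ne $pdc -and $_.LastBadPasswordAttempt -and
    [math]::Abs(($_.LastBadPasswordAttempt - $latest.LastBadPasswordAttempt).TotalSeconds) -le 5
} | Select-Object -First 1
$sourceDc = if ($nonPdc) { $nonPdc.DC } else { $pdc }
$when     = $latest.LastBadPasswordAttempt
"Latest bad password for $User at $when, processed on $sourceDc (PDC emulator: $pdc)"

# Step 2: Security log on that DC, limited to the exact time window.
# 4771 = Kerberos pre-auth failed, 4776 = NTLM credential validation,
# 4625 = failed logon; each carries the client address or workstation name.
$auth = Get-WinEvent -ComputerName $sourceDc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4771, 4776, 4625
    StartTime = $when - $Window
    EndTime   = $when + $Window
} -ErrorAction SilentlyContinue

foreach ($e in $auth) {
    $d = Get-EventData $e
    if ($d['TargetUserName'] -ne $User) { continue }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Source = (@($d['IpAddress'], $d['Workstation'], $d['WorkstationName']) |
                  Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1)
        Status = $d['Status']
    }
}

# Step 3 (Sandeshdubey's check): 4740 is always written on the PDC emulator.
# Group the last day's lockouts by caller computer; one machine locking many
# accounts is the pattern to chase (malware, or a shared service credential).
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

if (-not $lockouts) {
    Write-Warning 'No 4740 events on the PDC: verify the audit policy with  auditpol /get /subcategory:"User Account Management"'
}

$lockouts | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Account = $d['TargetUserName']
        Caller  = $d['TargetDomainName']   # in 4740 this field holds the Caller Computer Name
    }
} | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } }
```

Run it from a workstation with the RSAT tools as a user who can read the DCs' Security logs. The first table is what LockoutStatus.exe shows; the per-event listing gives the IP or workstation name Alan describes, and the final grouping surfaces a single caller machine behind many lockouts, which is the Conficker-style pattern. Kerberos 4771 events report the address as IPv4-mapped IPv6 (for example ::ffff:10.0.0.5), so match on the tail of the string when comparing against DHCP or DNS records.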
