AD Account Lockout Source

Posted on 2014-01-03
3,417 Views
Last Modified: 2014-03-28
Hi-

Could somebody recommend a good tool for tracing the source of Active Directory account lockouts? We have a number of users whose accounts are randomly getting locked, I'm guessing as a result of a legacy login somewhere that we can't trace.

Thanks
Question by:paullord
5 Comments
 

Accepted Solution

by: Pradeep VIshwakarma (earned 500 total points)
ID: 39753311
You can run LockoutStatus.exe on a domain controller to identify the account lockout issue, and use the link below:

http://www.microsoft.com/downloads/details.aspx?familyid=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en
 

Expert Comment

by: Alan Gunn
ID: 39753475
We get a lot of these problems for admin users who use RDP to connect to servers and then just close the window when they are done.

I use LockoutStatus to identify the exact time and DC on which the lockout occurred. In multiple-DC configurations the event will be recorded on the DC which processed the bad password event and also on the PDC emulator. Look for the latest bad password: if it occurred only on the PDC then it was created there; if it is also logged on another DC then it was processed on that DC.

Look on the DC which processed the event, open the Security event log and filter it for events that happened at the exact time of the bad password.

To do this select custom time range and put the exact time for start and end times.

The machine name or IP will be recorded in the error.

Hope this helps.

TRM
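
The procedure Alan describes (find the lockout on the PDC emulator or on the DC that processed it, then filter that DC's Security log at the exact time) can be scripted. The PowerShell below is an added example, not code from the thread or from Microsoft's lockout tools. It assumes Windows Server 2008 or later DCs (event IDs 4740/4771/4776/4625 rather than the Windows 2003 IDs 644/675/681/529), the RSAT ActiveDirectory module on the machine you run it from, and an account allowed to read each DC's Security log remotely. The user name and time window are parameters; DC names come from the domain.

```powershell
# Added example (not from the thread): find 4740 lockout events for one user on
# every DC, then pull the failed-authentication events the logging DC recorded
# in the two minutes before each lockout to expose the source machine / IP.
# Assumes: Windows Server 2008+ DCs, RSAT ActiveDirectory module, remote read
# access to the Security log. Field names are the standard 4740/4771/4776/4625
# EventData names; user and DC names are whatever your domain returns.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [datetime] $Start = (Get-Date).AddHours(-24),
    [datetime] $End   = (Get-Date)
)

Import-Module ActiveDirectory

function Get-EventDataMap {
    # Flatten the <EventData><Data Name="..."> pairs of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $map = @{}
    $xml = [xml] $Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        $map[[string] $d.Name] = [string] $d.'#text'
    }
    return $map
}

function Get-UserLockouts {
    # 4740 = "A user account was locked out". The PDC emulator records every
    # lockout; the DC that actually processed the bad passwords records it too.
    param([string] $User, [datetime] $From, [datetime] $To)
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $From; EndTime = $To
        } | ForEach-Object {
            $d = Get-EventDataMap $_
            if ($d['TargetUserName'] -eq $User) {
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    LoggingDC      = $dc
                    # In 4740 the "Caller Computer Name" is carried in TargetDomainName.
                    CallerComputer = $d['TargetDomainName']
                }
            }
        }
    }
}

function Get-FailedAuthBefore {
    # 4771 Kerberos pre-auth failed (IpAddress), 4776 NTLM validation failed
    # (Workstation), 4625 logon failed (WorkstationName / IpAddress).
    param([string] $DC, [string] $User, [datetime] $LockoutTime)
    Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'; Id = 4771, 4776, 4625
        StartTime = $LockoutTime.AddMinutes(-2); EndTime = $LockoutTime.AddSeconds(5)
    } | ForEach-Object {
        $d = Get-EventDataMap $_
        if ($d['TargetUserName'] -ne $User) { return }   # skip other users' failures
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Source = (@($d['IpAddress'], $d['WorkstationName'], $d['Workstation']) |
                      Where-Object { $_ }) -join ' / '
            Status = $d['Status']   # 0xC000006A = wrong password, 0xC0000234 = locked out
        }
    }
}

$lockouts = @(Get-UserLockouts -User $SamAccountName -From $Start -To $End | Sort-Object Time)
if ($lockouts.Count -eq 0) {
    Write-Host "No 4740 events for $SamAccountName between $Start and $End."
    Write-Host "If lockouts are definitely happening, check that 'Audit User Account Management' is enabled on the DCs."
    return
}

"Lockouts for $SamAccountName (caller computer as reported by the DC):"
$lockouts | Format-Table Time, LoggingDC, CallerComputer -AutoSize

foreach ($l in $lockouts) {
    "`nFailed authentications on $($l.LoggingDC) in the 2 minutes before $($l.Time):"
    Get-FailedAuthBefore -DC $l.LoggingDC -User $SamAccountName -LockoutTime $l.Time |
        Format-Table Time, Id, Source, Status -AutoSize
}
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName jdoe` from an elevated prompt. The caller computer in 4740 is usually enough on its own; the second query is for the case Alan mentions where the name points at a terminal server or a proxying member server and you need the IP the failed Kerberos or NTLM request actually came from.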
 

Expert Comment

by: Detlef001
ID: 39753661
Yeah, you can have a look at these applications for the same.

First, please go for an ADAuditApplication.

Second, you can also go for the Netwrix Lockout Examiner tool for the result.

http://www.netwrix.com/top_7_freeware_tools.html?source=productsmenu

Thanks.
 

Expert Comment

by: Sandeshdubey
ID: 39755715
If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm.
On the DC, check the Security log: event ID 644 (Windows 2003) or 4740 (Windows Server 2008) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment affected by the Conficker virus.

If it has spread to multiple PCs, create a GPO. Refer to the MS link below; it gives the symptoms of the Conficker virus and also how to deploy the policy to block it.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as servers are patched and the latest virus definitions are present on all PCs.

Note: If event ID 644/4740 has not occurred, this means that the user account management policy is not configured in the audit policy. Configure it and check whether the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx


You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541
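
The Netlogon debug log that the two KB articles above describe can be parsed rather than read by eye. The script below is an added example, not code from the thread or from the linked articles. It turns the logging on with the documented `nltest /dbflag` switch, assumes the default log location `%SystemRoot%\debug\netlogon.log`, and assumes the usual `SamLogon: ... logon of DOMAIN\user from HOST ... Returns 0x...` line format; the sample lines embedded at the bottom are constructed for illustration, and the host and user names in them are placeholders. Run it on the PDC emulator, since the other DCs forward bad-password attempts there and its log therefore sees all of them.

```powershell
# Added example (not from the thread). Enables Netlogon debug logging with the
# documented nltest switch and parses netlogon.log for SamLogon results that
# indicate a bad password or a locked-out account, grouped by user and source
# workstation. Assumptions: default log path; the "SamLogon: ... logon of
# DOM\user from HOST ... Returns 0x..." line format. The sample lines at the
# bottom are constructed and are only used when no real log file exists.
param(
    [string] $LogPath = (Join-Path $env:SystemRoot 'debug\netlogon.log')
)

function Enable-NetlogonDebug {
    # 0x2080FFFF is the verbose flag value used in Microsoft's lockout guidance.
    # Turn it back off with 'nltest /dbflag:0x0' when done; the log grows fast and
    # wraps at MaximumLogFileSize under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
    nltest /dbflag:0x2080ffff | Out-Null
    # Older Windows versions need a service restart for the flag to take effect:
    # Restart-Service Netlogon
}

# NTSTATUS codes worth flagging in the log (keys are upper-cased to match below).
$BadStatus = @{
    '0XC000006A' = 'wrong password'
    '0XC0000234' = 'account locked out'
}

function ConvertFrom-NetlogonLog {
    # Yields one object per SamLogon "Returns" line; "Entered" lines are ignored.
    param([string[]] $Lines)
    $rx = '^(?<stamp>\d\d/\d\d \d\d:\d\d:\d\d) .*SamLogon: .*? logon of (?<dom>[^\\\s]+)\\(?<user>\S+) from (?<src>\S+)(?: \(via (?<via>[^)]+)\))? Returns (?<code>0x[0-9A-Fa-f]+)'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            [pscustomobject]@{
                Time   = $Matches['stamp']
                User   = "$($Matches['dom'])\$($Matches['user'])"
                Source = $Matches['src']     # workstation the request came from
                Via    = $Matches['via']     # member server that forwarded it, if any
                Status = $Matches['code'].ToUpper()
            }
        }
    }
}

function Get-LockoutSources {
    # Count bad-password / locked-out results per (user, source workstation).
    param([string[]] $Lines)
    ConvertFrom-NetlogonLog $Lines |
        Where-Object { $BadStatus.ContainsKey($_.Status) } |
        Group-Object User, Source |
        Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Attempts = $_.Count
                User     = $_.Group[0].User
                Source   = $_.Group[0].Source
                Via      = ($_.Group.Via | Where-Object { $_ } | Select-Object -Unique) -join ','
                Last     = ($_.Group | Sort-Object Time)[-1].Time
                Reasons  = ($_.Group.Status | Select-Object -Unique |
                            ForEach-Object { $BadStatus[$_] }) -join ', '
            }
        }
}

# Constructed sample lines in the netlogon.log format (placeholder names).
$Sample = @(
    '01/03 10:15:22 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via FS01) Entered',
    '01/03 10:15:22 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via FS01) Returns 0xC000006A',
    '01/03 10:15:40 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from OLDAPP01 Returns 0xC000006A',
    '01/03 10:15:58 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from OLDAPP01 Returns 0xC000006A',
    '01/03 10:16:05 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from OLDAPP01 Returns 0xC0000234',
    '01/03 10:16:10 [LOGON] [1234] CONTOSO: SamLogon: Interactive logon of CONTOSO\asmith from WKS02 Returns 0x0'
)

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $Sample }
Get-LockoutSources $lines | Format-Table -AutoSize
```

With the constructed sample the output ranks OLDAPP01 first with three bad attempts ending in a lockout, which is the "legacy login somewhere" pattern the question describes. On a real DC, call `Enable-NetlogonDebug` once, wait for the next lockout, then run the script; the `Via` column is what distinguishes a workstation behind a file or terminal server from the server itself.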