Solved

ad account locking

Posted on 2014-07-18
5
358 Views
Last Modified: 2014-07-28
we have a couple of users accounts locking automatically, we think caused by one of our 3rd party software applications.
The issue is that the account is showing locked on our PDC, but the other 3x DCs are not showing this,.

Ideas?
0
Comment
Question by:CHI-LTD
5 Comments
 
LVL 29

Assisted Solution

by:becraig
becraig earned 167 total points
ID: 40205774
This seems like an issue with replication not occurring as expected, so the account state is not yet replicated out across the AD.  

Here is some valuable reading:
http://blogs.technet.com/b/askds/archive/2013/10/01/locked-or-not-demystifying-the-ui-behavior-for-account-lockouts.aspx

Do you know what application it is that is causing the failed logins ?
0
 
LVL 38

Assisted Solution

by:Jim P.
Jim P. earned 166 total points
ID: 40205780
Pick one of the DCs to make the "PDC". (Yes, know they longer exist.) Set that DC up  to be the authoritative time server from the internet. Then get the other DCs to set their time from the PDC. And it helps if you can push that to all the clients. Or at least use the local DC t set their time.

At one point we had a DC at our DR site. It was running 15 minutes ahead of our PDC at the main site. So it kept bringing back the server that we were trying to replace. Once we fixed the time on the remote DC the issue went away.
0
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40208445
all the clocks/time is okay.

we think its our mimecast app (which uses LDAP) to authenticate with them.  i cant see how this can be locking our local AD account), but sure this is the problem..
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 167 total points
ID: 40210929
Download the Account Lockout and Management tools from Microsoft
http://www.microsoft.com/en-us/download/details.aspx?id=18465

See some of the features below:
ALTools.exe includes:

AcctInfo.dll. Helps isolate and troubleshoot account lockouts and to change a user's password on a domain controller in that user's site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).

ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.

Caution: Do not use this tool on servers that host network applications or services. Also, you should not use ALockout.dll on Exchange servers, because it may prevent the Exchange store from starting.
ALoInfo.exe. Displays all user account names and the age of their passwords.

EnableKerbLog.vbs. Used as a startup script, allows Kerberos to log on to all your clients that run Windows 2000 and later.

EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.

LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed.

NLParse.exe. Used to extract and display desired entries from the Netlogon log files.

Accounts that are locked on one DC and not the other could indicate replication issues or high replication times,
Either way, you can run an AD health check by running "dcdiag /e /v /f:dcdiag.txt".

http://technet.microsoft.com/en-us/library/cc776854(v=ws.10).aspx
Post the logfile if you need help understanding anything there
0
 
LVL 1

Author Closing Comment

by:CHI-LTD
ID: 40223645
combination of the ip address being blocked and an issue with certificates at the 3rd party end.  Still find it strange that our internal account is/was being locked when the 3rd party software was accessing the 3rd party cloud/website...
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question