AD Account Keeps Getting Locked

My own AD account keeps getting locked out.  I recently changed my password, and I'm guessing that I have my credentials saved on some device or application that I'm forgetting about and thus haven't updated.  The result being that said device or application is trying to authenticate with old credentials and locking the account when it fails.  

Please chastise me later about my own poor device management practices.

With that, how can I see what and where these authentication attempts are coming from so that I can fix the problem?  This is a Windows domain, and I can get access to pretty much whatever server resources I may need.

Thanks!
Asked by: Geisrud, Systems Administrator
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
If you haven't already, you'll want to turn on Security Auditing on the domain controllers, then look in the security log on each of the domain controllers for your lockout event... then find the failed logins for your account just before the lockout.

That said, there is also some disagreement about whether setting Account Lockout is a good policy.  Consider disabling lockout while you fix your account, if you're the only admin... and re-establish the lockout policy when you finish, if you determine it is a policy you want to retain. (And if that is your admin account, consider a non-admin account for 'normal' tasks on things like your desktop and mobile devices.)
 
Mike Kline commented:
Also run

repadmin /showobjmeta <DCname> <"DN of your account">

Look for the originating DSA and lockout time.  Check that DC and the PDCe for event 4740.

In 4740 you will notice "Caller computer name".

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740

Go investigate that box.

Thanks

Mike
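
One way to pull the 4740 events described in this answer from the PDC emulator and list the caller computer for a single account. This is an added example, not part of anyone's post in the thread; the account name `jdoe` and the 24-hour window are placeholder assumptions, and it assumes the ActiveDirectory RSAT module is installed and that you can read the DC's Security log.

```powershell
# Added example: list lockout events (ID 4740) for one account on the PDC emulator.
param(
    [string]$SamAccountName = 'jdoe',   # placeholder account name, not from the thread
    [int]$HoursBack = 24                # assumed search window
)

Import-Module ActiveDirectory

# The answer says to check the PDCe; look up which DC holds that role.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

# SilentlyContinue hides the "no events found" error; an empty result is handled below.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData fields by name rather than by position.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            LoggedOn       = $_.MachineName
            LockedAccount  = $data['TargetUserName']
            # Event 4740 stores "Caller Computer Name" in the TargetDomainName field.
            CallerComputer = $data['TargetDomainName']
        }
    } |
    Where-Object { $_.LockedAccount -eq $SamAccountName }

if (-not $lockouts) {
    Write-Warning "No 4740 events for '$SamAccountName' on $pdc in the last $HoursBack hours. Check that account management auditing is enabled and that the log has not rolled over."
} else {
    $lockouts | Sort-Object TimeCreated | Format-Table -AutoSize
    # Summary: which machines the lockouts were attributed to, most frequent first.
    $lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
        Select-Object Count, Name
}
```

An empty `CallerComputer` value usually means the failed attempts did not carry a workstation name, in which case the failed-logon events just before the lockout on the same DC are the next place to look.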
 
Geisrud (Systems Administrator, Author) commented:
I'll be splitting points on this.  I was able to find the event I needed in the security logs on the DC.  Running the command that Mike recommended didn't get me anywhere, but event ID 4740 was the key.

Thanks to both.
Question has a verified solution.