Solved

Account Lockout  - How to Find Application or Service Causing Lockout

Posted on 2015-02-10
158 Views
Last Modified: 2016-11-23
Hello Experts,

I am having an issue with one user who is continuously locked out several times a day. I have used LockoutStatus to determine the DC that is locking the user out and found the event log entry confirming that it is getting locked from his laptop. The user has the right credentials, but something on his PC is using stale credentials. How do I determine what it is?

In researching I came across ALockout.dll, but that does not work with Windows 7/8. How do I figure this out?

Environment:
2008 R2 domain and functional level.
Three DCs. Only two get bad password counts, even when the user is at the other site (tells me that it may be something that authenticates over the internet to our main site).
User is on a Windows 8.1 Dell laptop.
Question by:evengeekier
18 Comments
 
LVL 20

Expert Comment

by:Radhakrishnan Rajayyan
ID: 40600704
Hi,

I would suggest using this MS tool to find out the problematic user and fix the issue: http://www.microsoft.com/en-in/download/details.aspx?id=18465
 

Author Comment

by:evengeekier
ID: 40600716
Hello Radhakrishnan Rajayyan,

I know who the user is and that the lockout is originating from his laptop. What I can't figure out is what application or service is causing the lockout. I have cleared the Credential Manager, redone his Outlook profile, etc. Finding the specific app/service is what I am trying to trace. I have used the tools you linked to, but as far as I see none of them find the offending app/service, which is what aLockout.dll used to do.
 
LVL 14

Expert Comment

by:Geisrud
ID: 40600803
I used the below linked article to resolve my own issue very recently.

https://social.technet.microsoft.com/Forums/windows/en-US/e1ef04fa-6aea-47fe-9392-45929239bd68/securitykerberos-event-id-14-credential-manager-causes-system-to-login-to-network-with-invalid?forum=w7itprosecurity

In my case, there was a cached credential (that didn't show up in Credential Manager) that was locking my account. Since you already know where the problem is originating, check the system logs for clues as to the source. Filter for event ID 14 to start.
 
LVL 20

Expert Comment

by:Radhakrishnan Rajayyan
ID: 40600833
Hi,

Is there any mapped drive on that laptop? If so, disconnect it and see if it still locks out. Also, temporarily disable the antivirus software and monitor the situation.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40600936
Typical lockouts happen in the following areas:
- service account cached passwords
- Outlook Cached Password
- ActiveSync on smart phones
- scheduled tasks running with cached password
- network drives

I personally would download and install AD Audit Plus from ManageEngine. You can use a fully featured trial for 30 days. It will pick up exactly where the account is locked out. It is probably getting locked out from another source if the above have been confirmed.

http://www.manageengine.com/products/active-directory-audit/download.html

Will.
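An added example, not from any of the posters, that walks through the laptop-side checks suggested in Geisrud's comment (Security-Kerberos event ID 14) and Will's list above (scheduled tasks, services, mapped drives, stored credentials). Run it in an elevated PowerShell session on the affected Windows 8.1 laptop; `$User` is an assumed placeholder for the account that keeps locking out.

```powershell
# Added example, not from the thread. Run elevated on the affected laptop.
$User = 'jdoe'   # assumed placeholder: sAMAccountName of the locked-out account

# 1. Local Kerberos errors (Security-Kerberos event ID 14 in the System log):
#    typically a stored credential that no longer matches the current password.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 14
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 2. Scheduled tasks whose principal is the user (they re-authenticate on every run)
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$User*" } |
    Select-Object TaskPath, TaskName, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }

# 3. Services configured to log on as the user
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like "*$User*" } |
    Select-Object Name, StartName, State

# 4. Mapped network drives (each one re-authenticates when it reconnects)
Get-CimInstance Win32_MappedLogicalDisk |
    Select-Object DeviceID, ProviderName

# 5. Credentials stored in Credential Manager for the user running this command
cmdkey /list | Select-String -Pattern 'Target:|User:'
```

Step 5 only lists the vault of the account running the command, so run that line in a session started as the affected user, while the other checks need the elevated session.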
 

Author Comment

by:evengeekier
ID: 40600983
Geisrud- Trying your suggestion, just waiting on the user to access laptop. Will report back.

Will Szymkowski - I checked all those minus the service accounts. Where is AD Audit installed, on the DC or the offending computer?

Thank you.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40601028
You install AD Audit on a member server (not a DC) or even on a Windows 7 machine. This is a web-interface GUI that grabs the logs from all of the domain controllers and provides multiple different views to show where an account is being locked out. It also has many more features, but account lockout is one of them.

Make sure that you have your Auditing enabled on your default domain controllers policy.

Will.
 

Author Comment

by:evengeekier
ID: 40603494
Geisrud- Tried your suggestions. Still getting lockouts.

Will Szymkowski - I will try AD Audit. Can that pinpoint the application or service that is using the bad credentials?

Any other suggestions are welcome.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40603527
Will Szymkowski - I will try AD Audit. Can that pinpoint the application or service that is using the bad credentials?

This will provide everything you need to track down where the account is locking out, why the account is locking out (bad password/account disabled/etc.) and also tell you the machine name and IP.

As long as you have your Auditing enabled on the Default Domain Controllers Policy it will collect/gather all of the logs and present them in a web based fashion.

Will.
 

Author Comment

by:evengeekier
ID: 40603757
I installed the software ADAudit Plus. I have the audit policies already in place. I go to Reports | Log On Failures based on users.

Amazingly I do not see the user I am looking for in that list. If I view LockoutStatus I see that 8 bad password attempts have occurred.

I requested a support call from ADAudit Plus. If this works they have a new Pro Edition customer.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40603781
Amazingly i do not see the user i am looking for in that list. If i view lockoutstatus i see that 8 bad password attempts have occurred.

AD accounts (when the policy is enabled) only lock out after a consecutive number of attempts. However, if you have auditing enabled (as you stated you have), the logs have probably been overwritten, which is why you are not seeing the data in AD Audit Plus. If the entry is no longer in the logs then it will not be presented in AD Audit Plus.

Another thing I would suggest is making sure that ALL of your domain controllers are added to AD Audit. I say this because a user could authenticate to multiple DCs depending on how your Sites and Services are configured. Adding all of them is recommended to get all of the info.

Will.
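An added example, not from the thread, for the DC-side check Will describes: pull the lockout and bad-password events for the account from every DC at once, since the bad-password count can rise on any of them. It assumes the ActiveDirectory RSAT module, rights to read each DC's Security log remotely, and `$User` as a placeholder account name.

```powershell
# Added example, not from the thread. Needs the ActiveDirectory RSAT module and
# rights to read each DC's Security log remotely.
Import-Module ActiveDirectory
$User  = 'jdoe'                   # assumed placeholder account name
$Since = (Get-Date).AddDays(-1)   # how far back to search

# Query every DC: the bad-password count can rise on any of them, and the
# 4740 lockout event is also written on the PDC emulator.
$DCs = (Get-ADDomainController -Filter *).HostName

$Events = foreach ($dc in $DCs) {
    # 4740 = account locked out        (field: Caller Computer Name; needs User Account Management auditing)
    # 4771 = Kerberos pre-auth failed  (field: Client Address;       needs Kerberos Authentication Service auditing)
    # 4776 = NTLM validation failed    (field: Source Workstation;   needs Credential Validation auditing)
    $filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $Since }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($User) } |
        ForEach-Object {
            # Keep only the line that names the machine the bad credential came from
            $src = ($_.Message -split "`r?`n") |
                Where-Object { $_ -match 'Caller Computer Name:|Client Address:|Source Workstation:' }
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                EventId = $_.Id
                Source  = ($src -join '; ').Trim()
            }
        }
}

$Events | Sort-Object Time | Format-Table -AutoSize
```

If the table is empty for a window in which LockoutStatus shows the count rising, the relevant audit subcategory is off or the Security log has already wrapped, which is the condition Will describes above.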
 

Author Comment

by:evengeekier
ID: 40604376
I used the software today. Found a task that was set, deleted it and thought that was my issue, but it was not. The user got locked out again, so I went to ADAudit and pulled the reports, but the lockout was not listed.

I called ADAudit Plus; they reviewed the event logs manually and still the new lockout was not listed in the event logs! ADAudit Plus reviewed the audit policies and confirmed they were correct.

Why would that lockout, or the 15 failed attempts, not be logged? Another interesting fact: the bad password count goes up on 2 DCs at the same time (same site) and never on my remote-site DC, even if he is in the remote site.

Any other suggestion out there?

Thank you,
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40604390
Have you increased the log file size on the domain controller? Also, what is your polling interval for AD Audit to poll the DCs' logs? Have you added all the DCs in the polling section of the web interface?

I have mine set to query the DCs every 5 minutes.

Will.
 

Author Comment

by:evengeekier
ID: 40604405
The log size is set at 131 MB. We are a small environment, 55 users. AD+ is set to 'Real Time' and all three of my DCs are listed in AD+.
 

Author Comment

by:evengeekier
ID: 40618563
The lockouts continue and are not logged on the DC. Is it time to bite the bullet and call Microsoft?
 

Accepted Solution

by:evengeekier (earned 0 total points)
ID: 40776200
I recreated the profile on the PC and that solved the issue. Never figured out what was trying to log in.
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40859168
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
