
Account Lockout - How to Find Application or Service Causing Lockout

Posted on 2015-02-10
Last Modified: 2016-11-23
Hello Experts,

I am having an issue with one user that is continuously locked out several times a day. I have used LockOutStatus to determine the DC that is locking the user and found the Event Log that confirmed that it is getting locked from his laptop. The user has the right credentials but something on his PC is using stale credentials. How do I determine what it is?

In researching I came across ALockout.dll, but that does not work with Windows 7/8. How do I figure this out?

Environment:
2008R2 Domain and functional level.
Three DCs. Only two get bad password counts even when the user is at the other site (tells me that it may be something that authenticates over the internet to our main site)
User is on a Windows 8.1 Dell laptop
0
Comment
Question by:Oscar Reyes
17 Comments
 
LVL 23

Expert Comment

by:Radhakrishnan R
ID: 40600704
Hi,

I would suggest using this MS tool to find the problematic user and fix the issue: http://www.microsoft.com/en-in/download/details.aspx?id=18465
0
 

Author Comment

by:Oscar Reyes
ID: 40600716
Hello Radhakrishnan Rajayyan,

I know who the user is and that the lockout is originating from his laptop. What I can't figure out is what application or service is causing the lockout. I have cleared the Credential Manager, redid his Outlook profile, etc. Finding the specific app/service is what I am trying to trace. I have used the tools you linked to, but as far as I see none find the offending app/service; that was what aLockout.dll used to do.
0
 
LVL 14

Expert Comment

by:Geisrud
ID: 40600803
I used the below linked article to resolve my own issue very recently.

https://social.technet.microsoft.com/Forums/windows/en-US/e1ef04fa-6aea-47fe-9392-45929239bd68/securitykerberos-event-id-14-credential-manager-causes-system-to-login-to-network-with-invalid?forum=w7itprosecurity

In my case, there was a cached credential (that didn't show up in cached credential manager) that was locking my account.  Since you already know where the problem is originating, check the system logs for clues as to the source.  Filter for event id #14 to start.
0
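The log check suggested in the comment above, written out as a script (an added example, not part of the original thread): run on the affected laptop, it lists Security-Kerberos event 14 from the System log and groups Security events 4625 and 4648 for the user by calling process. The user name `jdoe`, the 24-hour window and the choice of events 4625/4648 are assumptions not taken from the thread, and those two events are only recorded if logon auditing is enabled on the laptop.

```powershell
# Added example. Run in an elevated PowerShell session on the affected laptop.
$User  = 'jdoe'   # placeholder: sAMAccountName of the locked-out user
$since = (Get-Date).AddHours(-24)   # assumed look-back window

# Return an event's named <Data> fields as a hashtable.
function Get-EventField($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    $fields
}

# System log: Security-Kerberos event 14, the event named in the comment above.
$kerberos = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id = 14; StartTime = $since
} -ErrorAction SilentlyContinue
$kerberos | Select-Object TimeCreated, Message | Format-List

# Security log: 4625 = failed logon, 4648 = logon attempted with explicit
# credentials. Both record the calling process in the ProcessName field.
$security = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4648; StartTime = $since
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $security) {
    $f = Get-EventField $e
    if ($f['TargetUserName'] -ne $User) { continue }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Process   = $f['ProcessName']
        LogonType = $f['LogonType']          # 4625 only
        Target    = $f['TargetServerName']   # 4648 only
    }
}

# Processes that most often presented this user's credentials come first.
$hits | Group-Object EventId, Process | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
# Most recent individual attempts, for correlating with LockoutStatus times.
$hits | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Compare the timestamps in the second table with the bad-password times LockoutStatus reports for the DCs; a process that lines up with them is the one to inspect.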
 
LVL 23

Expert Comment

by:Radhakrishnan R
ID: 40600833
Hi,

Is there any mapped drive on that laptop? If so, disconnect it and see if it still locks out. Also, temporarily disable the antivirus software and monitor the situation.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40600936
Typical lockouts happen in the following areas
- service account cached passwords
- Outlook Cached Password
- ActiveSync on smart phones
- scheduled tasks running with cached password
- network drives

I personally would download and install AD Audit Plus from ManageEngine. You can use a fully featured trial for 30 days. It will pick up exactly where the account is locked out. Probably getting locked out from another source if the above have been confirmed.

http://www.manageengine.com/products/active-directory-audit/download.html

Will.
1
 

Author Comment

by:Oscar Reyes
ID: 40600983
Geisrud- Trying your suggestion, just waiting on the user to access laptop. Will report back.

Will Szymkowski - I checked all those minus the service accounts. Where is AD Audit installed: on the DC or the offending computer?

Thank you.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40601028
You install AD Audit on a member server (not a DC) or even on a Windows 7 machine. This is a web interface GUI which grabs the logs from all of the domain controllers and provides multiple different views to show where an account is being locked out. It also has many more features as well but the account lockout is one of them.

Make sure that you have your Auditing enabled on your default domain controllers policy.

Will.
0
 

Author Comment

by:Oscar Reyes
ID: 40603494
Geisrud- Tried your suggestions. Still getting lockouts.

Will Szymkowski - I will try AD Audit. Can that pinpoint the application or service that is using the bad credentials?

Any other suggestions are welcome.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40603527
"Will Szymkowski - I will try AD Audit. Can that pinpoint the application or service that is using the bad credentials?"

This will provide everything you need to track down where the account is locking out, why the account is locking out (bad password/account disabled/etc) and also tell you the machine name and IP.

As long as you have your Auditing enabled on the Default Domain Controllers Policy it will collect/gather all of the logs and present them in a web based fashion.

Will.
0
 

Author Comment

by:Oscar Reyes
ID: 40603757
I installed the software ADAudit Plus. I have the audit policies already in place. I go to Reports | Log On Failures based on users.

Amazingly I do not see the user I am looking for in that list. If I view lockoutstatus I see that 8 bad password attempts have occurred.

I requested a support call from ADAudit Plus. If this works they have a new Pro Edition customer.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40603781
"Amazingly I do not see the user I am looking for in that list. If I view lockoutstatus I see that 8 bad password attempts have occurred."

AD Accounts (when the policy is enabled) only lock out after a consecutive number of attempts. However, if you have auditing enabled (as you stated you have) the logs have probably got overwritten, which is why you are not seeing the data in AD Audit Plus. If the entry is no longer in the logs then it will not be presented on AD Audit Plus.

Another thing I would suggest is making sure that ALL of your domain controllers are added to AD Audit. I say this because a user could authenticate to multiple DC's depending on how your Sites and Services are configured. Adding all of them is recommended to get all of the info.

Will.
0
 

Author Comment

by:Oscar Reyes
ID: 40604376
I used the software today. Found a task that was set and deleted it and thought that was my issue, but it was not. The user got locked out again, so I went to ADAudit and pulled the reports, but the lockout was not listed.

I called AdPlus; they reviewed the event logs manually and still the new lockout was not listed in the event logs! ADPlus reviewed the audit policies and confirmed they were correct.

Why would that lockout not log, or the 15 failed attempts? Another interesting fact: the bad password count goes up on 2 DCs at the same time (same site) and never on my remote site DC, even if he is in the remote site.

Any other suggestion out there?

Thank you,
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40604390
Have you increased the log file size on the domain controller? Also what is your polling interval for AD Audit to Poll the DC's logs? Have you added all the DC's in the polling section of the Web Interface?

I have mine set to query the DC's every 5 minutes.

Will.
0
 

Author Comment

by:Oscar Reyes
ID: 40604405
The log size is set at 131MB. We are a small environment, 55 users. AD+ is set to 'Real Time' and all three of my DCs are listed in AD+.
0
 

Author Comment

by:Oscar Reyes
ID: 40618563
The lockouts continue and are not logged on the DC? Is it time to bite the bullet and call Microsoft?
0
 

Accepted Solution

by:
Oscar Reyes earned 0 total points
ID: 40776200
I recreated the profile on the PC and that solved the issue. Never figured out what was trying to login.
0
 
LVL 36

Expert Comment

by:Seth Simmons
ID: 40859168
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
