Solved

Account Lockout - How to Find Application or Service Causing Lockout

Posted on 2015-02-10
Last Modified: 2016-11-23
Hello Experts,

I am having an issue with one user that is continuously locked out several times a day. I have used LockOutStatus to determine the DC that is locking the user and found the Event Log that confirmed that it is getting locked from his laptop. The user has the right credentials but something on his PC is using stale credentials. How do I determine what it is?

In researching I came across ALockout.dll but that does not work with Windows 7/8. How do I figure this out?

Environment:
2008R2 Domain and functional level.
Three DCs. Only two get bad password counts even when the user is at the other site (tells me that it may be something that authenticates over the internet to our main site)
User is on a Windows 8.1 Dell laptop

Question by:evengeekier

Expert Comment

by:RK
ID: 40600704
Hi,

I would suggest to use this MS tool to find out the problematic user and fix the issue http://www.microsoft.com/en-in/download/details.aspx?id=18465

Author Comment

by:evengeekier
ID: 40600716
Hello Radhakrishnan Rajayyan,

I know who the user is and that the lockout is originating from his laptop. What I can't figure out is what application or service is causing the lockout. I have cleared the Credential Manager, redid his Outlook profile, etc. Finding the specific app/service is what I am trying to trace. I have used the tools you linked to but as far as I see none find the offending app/service; that was what aLockout.dll used to do.

Expert Comment

by:Geisrud
ID: 40600803
I used the below linked article to resolve my own issue very recently.

https://social.technet.microsoft.com/Forums/windows/en-US/e1ef04fa-6aea-47fe-9392-45929239bd68/securitykerberos-event-id-14-credential-manager-causes-system-to-login-to-network-with-invalid?forum=w7itprosecurity

In my case, there was a cached credential (that didn't show up in cached credential manager) that was locking my account.  Since you already know where the problem is originating, check the system logs for clues as to the source.  Filter for event id #14 to start.

Expert Comment

by:RK
ID: 40600833
Hi,

Is there any mapped drive on that laptop? If so, disconnect that and see if it still locks out. Also, temporarily disable the antivirus software and monitor the situation.

Expert Comment

by:Will Szymkowski
ID: 40600936
Typical lockouts happen in the following areas
- service account cached passwords
- Outlook Cached Password
- ActiveSync on smart phones
- scheduled tasks running with cached password
- network drives

I personally would download and install AD Audit Plus from ManageEngine. You can use a fully featured trial for 30 days. It will pick up exactly where the account is locked out. Probably getting locked out from another source if the above have been confirmed.

http://www.manageengine.com/products/active-directory-audit/download.html

Will.
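
An added example, not part of the original thread: a PowerShell sweep of the affected laptop that combines Geisrud's suggestion (filter the System log for Security-Kerberos event ID 14) with the usual lockout sources Will lists (services, scheduled tasks, network drives, stored credentials). `CONTOSO\jdoe` is a constructed placeholder for the locked-out account, and the script assumes Windows 8.1 or later, where `Get-ScheduledTask` is available.

```powershell
# Added example. Run on the affected laptop; steps 1-3 need an elevated session.
# CONTOSO\jdoe is a constructed placeholder, replace with the locked-out account.
$Account  = 'CONTOSO\jdoe'
$UserName = $Account.Split('\')[-1]

# 1. Security-Kerberos event ID 14 in the System log: a stored password
#    was used for a Kerberos logon and rejected.
$kerberos = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 14
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 2. Services configured to log on as the user (password stored by the SCM).
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -like "*$UserName*" } |
    Select-Object Name, StartName, State

# 3. Scheduled tasks registered to run as the user.
$tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$UserName*" } |
    Select-Object TaskPath, TaskName, @{ n = 'RunAs'; e = { $_.Principal.UserId } }

# 4. Network drives and other SMB connections, with the account each one uses.
#    Per logon session: run this part while logged on as the affected user.
$drives = Get-CimInstance -ClassName Win32_NetworkConnection |
    Select-Object LocalName, RemoteName, UserName, ConnectionState

# 5. Credentials stored in the current user's vault (also per user).
$vault = cmdkey.exe /list

'--- Kerberos event 14 ---';      $kerberos | Format-List
'--- Services as user ---';       $services | Format-Table -AutoSize
'--- Scheduled tasks as user ---'; $tasks   | Format-Table -AutoSize
'--- Network connections ---';    $drives   | Format-Table -AutoSize
'--- Stored credentials ---';     $vault
```

Anything returned by steps 2 to 5 that references the account is a candidate holder of the stale password; compare the timestamps from step 1 with the bad-password times shown by LockOutStatus.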

Author Comment

by:evengeekier
ID: 40600983
Geisrud- Trying your suggestion, just waiting on the user to access laptop. Will report back.

Will Szymkowski - I checked all those minus the service accounts. Where is AD Audit installed, on the DC or the offending computer?

Thank you.

Expert Comment

by:Will Szymkowski
ID: 40601028
You install AD Audit on a member server (not a DC) or even on a Windows 7 machine. This is a web interface GUI which grabs the logs from all of the domain controllers and provides multiple different views to show where an account is being locked out. It also has many more features as well but the account lockout is one of them.

Make sure that you have your Auditing enabled on your default domain controllers policy.

Will.

Author Comment

by:evengeekier
ID: 40603494
Geisrud- Tried your suggestions. Still getting lockouts.

Will Szymkowski - I will try AD Audit. Can that pinpoint the application or service that is using the bad credentials?

Any other suggestions are welcome.

Expert Comment

by:Will Szymkowski
ID: 40603527
Will Szymkowski - I will try AD Audit. Can that pinpoint the application or service that is using the bad credentials?

This will provide everything you need to track down where the account is locking out, why the account is locking out (bad password/account disabled/etc) and also tell you the machine name and IP.

As long as you have your Auditing enabled on the Default Domain Controllers Policy it will collect/gather all of the logs and present them in a web based fashion.

Will.

Author Comment

by:evengeekier
ID: 40603757
I installed the software ADAudit Plus. I have the audit policies already in place. I go to Reports| Log On Failures based on users

Amazingly I do not see the user I am looking for in that list. If I view LockoutStatus I see that 8 bad password attempts have occurred.

I requested a support call from ADAudit Plus. If this works they have a new Pro Edition customer.

Expert Comment

by:Will Szymkowski
ID: 40603781
Amazingly I do not see the user I am looking for in that list. If I view LockoutStatus I see that 8 bad password attempts have occurred.

AD accounts (when the policy is enabled) only lock out after a consecutive number of attempts. However, if you have auditing enabled (as you stated you have) the logs have probably got overwritten, which is why you are not seeing the data in AD Audit Plus. If the entry is no longer in the logs then it will not be presented on AD Audit Plus.

Another thing I would suggest is making sure that ALL of your domain controllers are added to AD Audit. I say this because a user could authenticate to multiple DC's depending on how your Sites and Services are configured. Adding all of them is recommended to get all of the info.

Will.

Author Comment

by:evengeekier
ID: 40604376
I used the software today. Found a task that was set and deleted it and thought that was my issue but it was not. The user got locked out again so I went to ADAudit and pulled the reports, but the lockout was not listed.

I called AdPlus; they reviewed the event logs manually and still the new lockout was not listed in the event logs! ADPlus reviewed the audit policies and confirmed they were correct.

Why would that lockout not log, or the 15 failed attempts? Another interesting fact: the bad password count goes up on 2 DCs at the same time (same site) and never on my remote site DC, even if he is in the remote site.

Any other suggestion out there?

Thank you,
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40604390
Have you increased the log file size on the domain controller? Also what is your polling interval for AD Audit to Poll the DC's logs? Have you added all the DC's in the polling section of the Web Interface?

I have mine set to query the DC's every 5 minutes.

Will.

Author Comment

by:evengeekier
ID: 40604405
The log size is set at 131MB. We are a small environment, 55 users. AD+ is set to 'Real Time' and all three of my DCs are listed in AD+.

Author Comment

by:evengeekier
ID: 40618563
The lockouts continue and are not logged on the DC? Is it time to bite the bullet and call Microsoft?

Accepted Solution

by:evengeekier
ID: 40776200
I recreated the profile on the PC and that solved the issue. Never figured out what was trying to log in.

Expert Comment

by:Seth Simmons
ID: 40859168
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.