  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1500
Account Lockout - How to Find Application or Service Causing Lockout

Hello Experts,

I am having an issue with one user who is continuously locked out several times a day. I have used LockoutStatus to determine the DC that is locking the user out and found the event log entry that confirmed it is getting locked from his laptop. The user has the right credentials, but something on his PC is using stale credentials. How do I determine what it is?

In researching I came across ALockout.dll, but that does not work with Windows 7/8. How do I figure this out?

Environment:
2008 R2 domain and functional level.
Three DCs. Only two get bad password counts, even when the user is at the other site (this tells me that it may be something that authenticates over the internet to our main site).
User is on a Windows 8.1 Dell laptop.
0
Asked by: Oscar Reyes
1 Solution
 
Radhakrishnan R (Senior Technical Lead) commented:
Hi,

I would suggest using this MS tool to find out the problematic user and fix the issue: http://www.microsoft.com/en-in/download/details.aspx?id=18465
0
 
Oscar Reyes (Senior Systems Administrator, Author) commented:
Hello Radhakrishnan Rajayyan,

I know who the user is and that the lockout is originating from his laptop. What I can't figure out is what application or service is causing the lockout. I have cleared the Credential Manager, redid his Outlook profile, etc. Finding the specific app/service is what I am trying to trace. I have used the tools you linked to, but as far as I see none of them finds the offending app/service, which is what aLockout.dll used to do.
0
 
Geisrud (Systems Administrator) commented:
I used the below linked article to resolve my own issue very recently.

https://social.technet.microsoft.com/Forums/windows/en-US/e1ef04fa-6aea-47fe-9392-45929239bd68/securitykerberos-event-id-14-credential-manager-causes-system-to-login-to-network-with-invalid?forum=w7itprosecurity

In my case, there was a cached credential (that didn't show up in Credential Manager) that was locking my account. Since you already know where the problem is originating, check the System log on that machine for clues as to the source. Filter for event ID 14 (source Security-Kerberos) to start.
0
 
Radhakrishnan R (Senior Technical Lead) commented:
Hi,

Is there any mapped drive on that laptop? If so, disconnect it and see if the account still locks out. Also, temporarily disable the antivirus software and monitor the situation.
0
 
Will Szymkowski (Senior Solution Architect) commented:
Typical lockouts happen in the following areas:
- service account cached passwords
- Outlook cached password
- ActiveSync on smartphones
- scheduled tasks running with a cached password
- network drives

I personally would download and install AD Audit Plus from ManageEngine. You can use a fully featured trial for 30 days. It will pick up exactly where the account is locked out. Probably getting locked out from another source if the above have been confirmed.

http://www.manageengine.com/products/active-directory-audit/download.html

Will.
1
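The following script folds Geisrud's event ID 14 check and Will's list of usual suspects into one pass over the workstation. It is an added example, not code posted in the thread: it assumes the locked-out account is `jdoe` (substitute the real sAMAccountName), runs in an elevated PowerShell prompt on the laptop itself, and uses only cmdlets that ship with Windows 8.1 / PowerShell 4.0.

```powershell
# Added example (not from the thread). Run elevated on the locked-out user's
# workstation. $User is an assumption; replace it with the account being locked.
$User = 'jdoe'

# 1. Security-Kerberos event 14 in the System log. The KDC rejected a password
#    that Windows pulled from the credential vault (these entries do not always
#    appear in the Credential Manager UI). The event text names the target the
#    stored credential was for, which is the lead you want.
$kerb = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Security-Kerberos'
    Id           = 14
} -ErrorAction SilentlyContinue
foreach ($e in $kerb) {
    '{0}  {1}' -f $e.TimeCreated, ($e.Message -replace '\s+', ' ')
}

# 2. Scheduled tasks whose principal is the user (the classic stale password
#    after a password change).
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$User*" } |
    Select-Object TaskPath, TaskName, @{ n = 'RunAs'; e = { $_.Principal.UserId } }, State

# 3. Services configured to log on with the user's account.
Get-WmiObject Win32_Service | Where-Object { $_.StartName -like "*$User*" } |
    Select-Object Name, StartName, State

# 4. Persistent network connections (mapped drives/printers) and the account
#    each one reconnects with at logon.
Get-WmiObject Win32_NetworkConnection | Select-Object LocalName, RemoteName, UserName

# 5. Credentials stored for the current logon session. Entries created under a
#    different context (e.g. a service running as SYSTEM) are only listed when
#    cmdkey is run from that context.
cmdkey /list

# 6. Anything currently running under the user's token on this machine, which
#    catches a forgotten second session (RDP, runas) holding an old password.
Get-Process -IncludeUserName -ErrorAction SilentlyContinue |
    Where-Object { $_.UserName -like "*\$User" } |
    Select-Object -Unique UserName, ProcessName
```

Run it shortly after a lockout so the event 14 timestamps can be lined up against the bad-password times LockoutStatus reports; a task, service or drive mapping that matches the user but was not on the admin's radar is the usual answer.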
 
Oscar Reyes (Senior Systems Administrator, Author) commented:
Geisrud - Trying your suggestion, just waiting on the user to access the laptop. Will report back.

Will Szymkowski - I checked all those minus the service accounts. Where is AD Audit installed, on the DC or the offending computer?

Thank you.
0
 
Will Szymkowski (Senior Solution Architect) commented:
You install AD Audit on a member server (not a DC) or even on a Windows 7 machine. It is a web interface GUI which grabs the logs from all of the domain controllers and provides multiple different views to show where an account is being locked out. It also has many more features, but account lockout is one of them.

Make sure that you have your Auditing enabled on your default domain controllers policy.

Will.
0
 
Oscar Reyes (Senior Systems Administrator, Author) commented:
Geisrud - Tried your suggestions. Still getting lockouts.

Will Szymkowski - I will try AD Audit. Can it pinpoint the application or service that is using the bad credentials?

Any other suggestions are welcome.
0
 
Will Szymkowski (Senior Solution Architect) commented:
"Will Szymkowski - I will try AD Audit. Can it pinpoint the application or service that is using the bad credentials?"

This will provide everything you need to track down where the account is locking out, why the account is locking out (bad password/account disabled/etc.) and also tell you the machine name and IP.

As long as you have auditing enabled in the Default Domain Controllers Policy it will collect/gather all of the logs and present them in a web-based fashion.

Will.
0
 
Oscar Reyes (Senior Systems Administrator, Author) commented:
I installed the software ADAudit Plus. I have the audit policies already in place. I go to Reports | Logon Failures based on users.

Amazingly, I do not see the user I am looking for in that list. If I view LockoutStatus I see that 8 bad password attempts have occurred.

I requested a support call from ADAudit Plus. If this works they have a new Pro Edition customer.
0
 
Will Szymkowski (Senior Solution Architect) commented:
"Amazingly, I do not see the user I am looking for in that list. If I view LockoutStatus I see that 8 bad password attempts have occurred."

AD accounts (when the policy is enabled) only lock out after a consecutive number of attempts. However, if you have auditing enabled (as you stated you have), the logs have probably been overwritten, which is why you are not seeing the data in AD Audit Plus. If the entry is no longer in the logs then it will not be presented in AD Audit Plus.

Another thing I would suggest is making sure that ALL of your domain controllers are added to AD Audit. I say this because a user could authenticate to multiple DCs depending on how your Sites and Services are configured. Adding all of them is recommended to get all of the info.

Will.
0
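Will's point about querying every DC can be done without a third-party product. The script below is an added example, not something from the thread or from ADAudit Plus: it pulls the three events that matter for a lockout investigation directly from each DC's Security log and normalises them into one table. It assumes the RSAT ActiveDirectory module on the admin workstation, rights to read the Security log remotely (Event Log Readers membership is enough), and `jdoe` as the account under investigation.

```powershell
# Added example (not from the thread). Run from a domain-joined admin machine
# with RSAT. $User and the 24-hour window are assumptions.
Import-Module ActiveDirectory
$User  = 'jdoe'
$Since = (Get-Date).AddHours(-24)

# Why all DCs: a bad password is logged on whichever DC the client talked to
# (4771 = Kerberos pre-auth failure, 4776 = NTLM credential validation), and
# that DC then forwards the attempt to the PDC emulator, which is where the
# bad-password count is tallied and where the lockout itself (4740) is written.
$dcs = (Get-ADDomainController -Filter *).HostName
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "Querying $($dcs.Count) DCs; lockout events (4740) are expected on $pdc"

$filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $Since }

$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull EventData fields by name rather than by position so the
            # three event layouts can be handled uniformly.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Id     = $_.Id
                User   = $d['TargetUserName']
                # Where the bad credential came from, per event type:
                #   4740 carries the caller computer name in TargetDomainName,
                #   4771 carries the client IP, 4776 the workstation name.
                Source = switch ($_.Id) {
                    4740 { $d['TargetDomainName'] }
                    4771 { $d['IpAddress'] -replace '^::ffff:', '' }
                    4776 { $d['Workstation'] }
                }
                # 4771 status 0x18 and 4776 status 0xC000006A both mean
                # "bad password"; 4740 has no status field.
                Status = $d['Status']
            }
        }
}

$hits = $events | Where-Object { $_.User -like $User } | Sort-Object Time
$hits | Format-Table Time, DC, Id, Source, Status -AutoSize

# Bad-password sources by count: the top entry is the machine (or the NAT/proxy
# address in front of it) that still holds the stale password.
$hits | Where-Object { $_.Id -ne 4740 } | Group-Object Source |
    Sort-Object Count -Descending | Select-Object Count, Name
```

If LockoutStatus shows the bad-password count rising on a DC that returns nothing here, the log on that DC has either wrapped or the failure subcategories are not being audited there; that is the DC to look at next.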
 
Oscar Reyes (Senior Systems Administrator, Author) commented:
I used the software today. Found a task that was set and deleted it and thought that was my issue, but it was not. The user got locked out again, so I went to ADAudit and pulled the reports, but the lockout was not listed.

I called ADAudit Plus; they reviewed the event logs manually and still the new lockout was not listed in the event logs! ADAudit Plus reviewed the audit policies and confirmed they were correct.

Why would that lockout not be logged, or the 15 failed attempts? Another interesting fact: the bad password count goes up on 2 DCs at the same time (same site) and never on my remote-site DC, even if he is in the remote site.

Any other suggestion out there?

Thank you,
0
 
Will Szymkowski (Senior Solution Architect) commented:
Have you increased the log file size on the domain controllers? Also, what is your polling interval for AD Audit to poll the DCs' logs? Have you added all the DCs in the polling section of the web interface?

I have mine set to query the DC's every 5 minutes.

Will.
0
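Will's two questions (is the right auditing on, and is the log big enough to still hold the event by the time someone looks) can be answered for every DC in one go. The script below is an added example, not from the thread or the vendor: it reads the effective audit policy with `auditpol.exe` on each DC and reports the Security log size, retention mode and oldest surviving record. It assumes WinRM is enabled on the DCs and the ActiveDirectory module is available locally.

```powershell
# Added example (not from the thread). Run from an admin workstation with RSAT;
# Invoke-Command needs WinRM on each DC.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

# Effective subcategory -> lockout-related event it produces, and the setting
# that is required (Success/Failure are separate switches in auditpol).
$subcats = @{
    'User Account Management'         = '4740 lockout (needs Success, written on the PDC emulator)'
    'Kerberos Authentication Service' = '4771 Kerberos bad password (needs Failure)'
    'Credential Validation'           = '4776 NTLM bad password (needs Failure)'
}

$report = foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $subcats -ScriptBlock {
        param($subcats)
        foreach ($name in $subcats.Keys) {
            # /r emits CSV with an "Inclusion Setting" column, e.g.
            # "Success and Failure", "Failure", or "No Auditing".
            $row = auditpol /get /subcategory:"$name" /r |
                Where-Object { $_ } | ConvertFrom-Csv
            [pscustomobject]@{
                DC          = $env:COMPUTERNAME
                Check       = $name
                Value       = $row.'Inclusion Setting'
                Note        = $subcats[$name]
            }
        }
        # Log capacity: if the oldest record is newer than the lockout being
        # investigated, the evidence has already been overwritten.
        $log    = Get-WinEvent -ListLog Security
        $oldest = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated
        [pscustomobject]@{
            DC    = $env:COMPUTERNAME
            Check = 'Security log'
            Value = '{0} MB, {1}' -f [int]($log.MaximumSizeInBytes / 1MB), $log.LogMode
            Note  = "oldest record $oldest"
        }
    }
}

$report | Sort-Object DC, Check | Format-Table DC, Check, Value, Note -AutoSize
```

Two things to confirm from the output: every DC shows Failure (or Success and Failure) on the two credential subcategories and Success on User Account Management, and the oldest record on each DC predates the last lockout. If a DC shows "No Auditing" despite the GPO, the usual cause is a legacy category setting overriding the subcategory one; the "Force audit policy subcategory settings ... to override audit policy category settings" security option is what resolves that.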
 
Oscar Reyes (Senior Systems Administrator, Author) commented:
The log size is set at 131 MB. We are a small environment, 55 users. AD+ is set to 'Real Time' and all three of my DCs are listed in AD+.
0
 
Oscar Reyes (Senior Systems Administrator, Author) commented:
The lockouts continue and are not logged on the DCs. Is it time to bite the bullet and call Microsoft?
0
 
Oscar Reyes (Senior Systems Administrator, Author) commented:
I recreated the profile on the PC and that solved the issue. Never figured out what was trying to log in.
0
 
Seth Simmons (Sr. Systems Administrator) commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0