Solved

Active Directory user / service account keeps getting locked out, does anybody have any suggestions as to why?

Posted on 2015-02-19
13
267 Views
Last Modified: 2015-03-03
Active Directory user / service account keeps getting locked out, does anybody have any suggestions as to why?

I have to unlock the account like 3 times per day...
0
Comment
Question by:Harper McDonald
  • 6
  • 3
  • 2
  • +1
13 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619761
I would recommend using a product like Lepide Auditor for Active Directory.
http://www.lepide.com/lepideauditor/active-directory.html

You need to make sure that you have you logging enabled.

Free download trial available.


Will.
0
 
LVL 17

Expert Comment

by:pjam
ID: 40619762
Check their keyboard for starters.
Is this a shared computer where someone may be trying to login to their username?
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619771
They are using different keyboards - I am downloading that software, I guess I need to use the 'set' command to see what DC it's hitting for authentication and run the app on that DC...?
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40619772
Harper,
You need to look at your DC logs. Something is clearly trying to access the logs and is using the wrong password.

1st. If you have not changed this password recently, you need to get on this in the event something or someone is trying to brute force the account.

2nd. If you have changed the account pass recently, your threat is probably minimal and you just need to find the offending device that is attempting to login with the wrong data. Your logs should show this.

Worst case scenario, someone modified the audit policies for the DC's and they are not set right, then you will need to configure your auditing policy's. There is a ton of best practice info out there for the Domain Controller audit policy's. Regardless what recommendation google gives you, you want success failure on account login events, account management, and logon events at minimum. I audit much more than that in my production environment, and dump it to an external repository, but you need to set the settings that meet your organizations needs.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40619773
All of the logs are in the Security Event Logon the domain controllers. This is why it gets tricky to figure out where it is locking out. Typical lock outs happen because of the following..
- services assigned to a service account with a bad password
- scheduled tasks with bad password
- mapped network drives
- Outlook Anywhere cached creds
- Local cached creds
- Mibile phones
etc

This account could be locking out on multiple different domain controllers which is why a third party software is key for collecting logs and presenting them in a gui fashion.

Will.
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619778
Why would mapped drives be causing this issue?
0
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40619800
I do agree that if you have quite a few DC's, you are going to want something to correlate.

I am attaching a reference for eventCombMt utility.
It directly correlates to your problem.

Not the prettiest product, but its free from MS, so you cant beat the price.
It works. and it certainly gives you a place to start!
Microsoft-reference-for-account-lockout-
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619816
Awesome - i'll check it out
0
 
LVL 4

Accepted Solution

by:
Harper McDonald earned 0 total points
ID: 40621119
Wrote a logon script  (net use z:.....etc) instead of mapped drives and used gpedit.msc to make a logon script at startup for all users.  Works like a charm, account doesn't get logged out.
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40621156
I've requested that this question be closed as follows:

Accepted answer: 0 points for Harper McDonald's comment #a40621119

for the following reason:

Use gpedit.msc to provide local logon scipts and not use GPO's
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40621157
That is great that you found a work-a-round to the issue you had. However, I did mention to check the mapped network drives for places where service accounts can get locked out. Ultimately it was not what you did but helped you to your own solution. Points should be awarded accordingly.

Reference ID: 40619773

Will.
0
 
LVL 4

Author Closing Comment

by:Harper McDonald
ID: 40641447
Will had mentioned mapped drives as a cause for locked out accounts with was an issue for a few accounts so I had to use a local logon script in gpedit for all users local to that VM.

Thank you Will for your comment.

-Harper
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Installing 3rd Party SSL for enabling LDAP over SSL 13 34
Open Encryption Software Advice needed 4 53
How do You Stop a DDoS Attack 7 28
sql server service accounts 4 26
On Beyond Tools A conversation I recently had with the DevOps manager of a major online retailer really made me think about DevOps monitoring tools (https://www.onpage.com/devops-incident-management-tool/). The manager and I discussed how sever…
With healthcare moving into the digital age with things like Healthcare.gov, the digitization of patient records and video conferencing with patients, data has a much greater chance of being exposed than ever before.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question