Solved

Active Directory user / service account keeps getting locked out, does anybody have any suggestions as to why?

Posted on 2015-02-19
13
260 Views
Last Modified: 2015-03-03

I have to unlock the account like 3 times per day...
Question by:Harper McDonald
13 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619761
I would recommend using a product like Lepide Auditor for Active Directory.
http://www.lepide.com/lepideauditor/active-directory.html

You need to make sure that you have your logging enabled.

Free download trial available.


Will.
0
 
LVL 17

Expert Comment

by:pjam
ID: 40619762
Check their keyboard for starters.
Is this a shared computer where someone may be trying to login to their username?
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619771
They are using different keyboards - I am downloading that software, I guess I need to use the 'set' command to see what DC it's hitting for authentication and run the app on that DC...?
0
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40619772
Harper,
You need to look at your DC logs. Something is clearly trying to access the logs and is using the wrong password.

1st. If you have not changed this password recently, you need to get on this in the event something or someone is trying to brute force the account.

2nd. If you have changed the account pass recently, your threat is probably minimal and you just need to find the offending device that is attempting to login with the wrong data. Your logs should show this.

Worst case scenario, someone modified the audit policies for the DCs and they are not set right, then you will need to configure your auditing policies. There is a ton of best practice info out there for the Domain Controller audit policies. Regardless of what recommendation Google gives you, you want success/failure on account login events, account management, and logon events at minimum. I audit much more than that in my production environment, and dump it to an external repository, but you need to set the settings that meet your organization's needs.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40619773
All of the logs are in the Security Event Log on the domain controllers. This is why it gets tricky to figure out where it is locking out. Typical lockouts happen because of the following:
- services assigned to a service account with a bad password
- scheduled tasks with bad password
- mapped network drives
- Outlook Anywhere cached creds
- Local cached creds
- Mobile phones
etc.

This account could be locking out on multiple different domain controllers, which is why third-party software is key for collecting logs and presenting them in a GUI fashion.

Will.
0
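Will's point that the lockout records are spread across the Security logs of every domain controller can be worked manually before reaching for a GUI product. The script below is an added example, not from the thread or from any of the products mentioned: it reads the 4740 lockout events from the PDC emulator (which records every lockout in the domain and names the caller computer) and then walks every DC for the failed Kerberos pre-authentication (4771) and failed logon (4625) events for the same account. It assumes the ActiveDirectory RSAT module and remote event-log access to the DCs; `$SamAccountName` is a placeholder you supply.

```powershell
# Added example: locate where an account's bad passwords originate, using only the
# built-in Security event log on the DCs. Assumes RSAT ActiveDirectory module and
# remote Event Log access. Replace the placeholder account name and window as needed.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'svc_example' (placeholder)
    [int]$Hours = 24
)
Import-Module ActiveDirectory
$start = (Get-Date).AddHours(-$Hours)
$pdc   = (Get-ADDomain).PDCEmulator

# 4740 "A user account was locked out" is always replicated to the PDC emulator.
# Properties[0] = TargetUserName, Properties[1] = caller computer name: the host
# that sent the bad passwords, which is the machine to check for services, tasks,
# mapped drives and cached credentials still holding the old password.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $start
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value
        }
    }
"Lockouts recorded on PDC emulator $pdc"
$lockouts | Format-Table -AutoSize

# The individual failed attempts land on whichever DC the client authenticated
# against, so every DC must be queried. 4771 = Kerberos pre-auth failed
# (client IP in Properties[6]); 4625 = logon failure (workstation name in
# Properties[13], source IP in Properties[19]).
$attempts = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4625; StartTime = $start
    } -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.Id -eq 4771 -and $_.Properties[0].Value -eq $SamAccountName) -or
            ($_.Id -eq 4625 -and $_.Properties[5].Value -eq $SamAccountName)
        } |
        ForEach-Object {
            $src = if ($_.Id -eq 4771) { $_.Properties[6].Value }
                   else { "$($_.Properties[13].Value) ($($_.Properties[19].Value))" }
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; EventId = $_.Id; Source = $src }
        }
}
"Failed attempts for $SamAccountName in the last $Hours h, across all DCs"
$attempts | Sort-Object Time | Format-Table -AutoSize
```

Reading events remotely requires the DCs' Remote Event Log Management firewall rule and membership in Event Log Readers (or equivalent) on each DC.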
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619778
Why would mapped drives be causing this issue?
0
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40619800
I do agree that if you have quite a few DCs, you are going to want something to correlate.

I am attaching a reference for the EventCombMT utility.
It directly correlates to your problem.

Not the prettiest product, but it's free from MS, so you can't beat the price.
It works, and it certainly gives you a place to start!
Microsoft-reference-for-account-lockout-
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619816
Awesome - I'll check it out
0
 
LVL 4

Accepted Solution

by:
Harper McDonald earned 0 total points
ID: 40621119
Wrote a logon script (net use z:.....etc) instead of mapped drives and used gpedit.msc to make a logon script at startup for all users. Works like a charm, account doesn't get logged out.
0
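Harper's fix removed the persistent drive mappings that were replaying an old password, but the same host can also hold the other credential stores from Will's list (services, scheduled tasks, Credential Manager entries). This added triage script, not from the thread, connects to the computer that the 4740 event named as the caller and lists every place on it that is configured to use the account. It assumes WinRM is enabled on the target and that you are a local administrator there; both parameters are placeholders.

```powershell
# Added example: on the caller computer, enumerate everything that can replay a
# stale password for one account. Assumes WinRM/PowerShell remoting and local admin
# rights on the target; $ComputerName and $SamAccountName are placeholders.
param(
    [Parameter(Mandatory)][string]$ComputerName,     # host named in the 4740 event
    [Parameter(Mandatory)][string]$SamAccountName    # e.g. 'svc_example' (placeholder)
)
Invoke-Command -ComputerName $ComputerName -ArgumentList $SamAccountName -ScriptBlock {
    param($acct)
    # Match DOMAIN\acct, .\acct, acct@domain or bare acct, without regex surprises
    $pat = '(^|\\)' + [regex]::Escape($acct) + '(@|$)'

    # 1. Services whose logon account is the user (Will's first lockout cause)
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -match $pat } |
        ForEach-Object { [pscustomobject]@{ Type = 'Service'; Name = $_.Name; RunAs = $_.StartName; State = $_.State } }

    # 2. Scheduled tasks registered to run as the user
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -match $pat } |
        ForEach-Object { [pscustomobject]@{ Type = 'Task'; Name = ($_.TaskPath + $_.TaskName); RunAs = $_.Principal.UserId; State = $_.State } }

    # 3. Credential Manager entries (cached creds) that reference the user;
    #    cmdkey prints a "User:" line under each "Target:" line
    cmdkey /list | Select-String -Pattern $pat -Context 1, 0 |
        ForEach-Object {
            [pscustomobject]@{ Type = 'StoredCred'; Name = $_.Context.PreContext[0].Trim(); RunAs = $_.Line.Trim(); State = '' }
        }

    # 4. Persistent drive mappings, saved per user hive under HKU\<SID>\Network\<letter>
    #    (the mechanism Harper replaced with a non-persistent logon script)
    Get-ChildItem 'Registry::HKEY_USERS\*\Network\*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Type  = 'MappedDrive'
                Name  = "$($_.PSChildName): $($p.RemotePath)"
                RunAs = if ($p.UserName) { $p.UserName } else { '(hive ' + $_.PSPath.Split('\')[2] + ')' }
                State = 'persistent'
            }
        }
} | Sort-Object Type | Format-Table Type, Name, RunAs, State -AutoSize
```

Mappings for users who are not currently logged on are not shown, because their hives are not loaded; a non-persistent `net use` in a logon script, as in the accepted answer, avoids leaving those entries behind at all.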
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40621156
I've requested that this question be closed as follows:

Accepted answer: 0 points for Harper McDonald's comment #a40621119

for the following reason:

Use gpedit.msc to provide local logon scripts and not use GPOs
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40621157
That is great that you found a workaround to the issue you had. However, I did mention to check the mapped network drives for places where service accounts can get locked out. Ultimately it was not what you did but helped you to your own solution. Points should be awarded accordingly.

Reference ID: 40619773

Will.
0
 
LVL 4

Author Closing Comment

by:Harper McDonald
ID: 40641447
Will had mentioned mapped drives as a cause for locked out accounts, which was an issue for a few accounts, so I had to use a local logon script in gpedit for all users local to that VM.

Thank you Will for your comment.

-Harper
0
