The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.
Users getting locked out did a trace not sure what all this means
We've been having lockout issues on a number of users recently.
I have netlogon debug on my DC and my Cas server.
DC is 2008 R2, CAS is 2010 on 2008 R2
debug log on the DC I see this
after a few more of these I get this
From my cas debug log
So based on the debug logs, and If i understand it correctly, it looks like the user tried to check email (via outlook/mobile device) but password was incorrect/wrong and after multiple tries the account got locked.
I checked the account and the computer password was not changed recently. His password did not expire. His phone password was not changed. He was signed in & working on his computer when his account got locked. What he did say was that outlook was open and then suddenly it prompted him to enter a username + password. he ignored it and then his account got locked.
Map drives do not require a password to be entered. IT dept mapped his drive for the user in question.
I have netlogon debug on my DC and my Cas server.
DC is 2008 R2, CAS is 2010 on 2008 R2
debug log on the DC I see this
03/03 16:04:57 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC000006A
03/03 16:04:58 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
[LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC000006A
after a few more of these I get this
03/03 16:05:01 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
[LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC0000234
03/03 16:05:02 [LOGON] 92NDSTY: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
03/03 16:05:02 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC0000234
From my cas debug log
03/03 16:04:54 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Entered
03/03 16:04:54 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
03/03 16:04:54 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Returns 0xC000006A
03/03 16:04:55 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Entered
03/03 16:04:55 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
03/03 16:04:55 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Returns 0xC000006A
03/03 16:05:01 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
03/03 16:05:01 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Returns 0xC0000234
So based on the debug logs, and If i understand it correctly, it looks like the user tried to check email (via outlook/mobile device) but password was incorrect/wrong and after multiple tries the account got locked.
I checked the account and the computer password was not changed recently. His password did not expire. His phone password was not changed. He was signed in & working on his computer when his account got locked. What he did say was that outlook was open and then suddenly it prompted him to enter a username + password. he ignored it and then his account got locked.
Map drives do not require a password to be entered. IT dept mapped his drive for the user in question.
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
The software requires a extra SQL server which i do not available at this time. Based on the logs it looks like it's coming from our Cas server
will the software be able to tell if it's coming from a mobile device or outlook from the desktop? The netlogon logs don't say anything
Yes, this software will tell you what device, ip address, users account etc. It also does a lot more in regards to auditing Active Directory but this is one of the basic things it does very well.
Will.
Will.
I have it installed, Connected to AD, Audit is on, logs set to 1 Gig but so far I get nothing in the reports
You have to have an account that is setup that has access to the security logs on the domain controllers.
Will.
Will.
Have you setup your domain controllers in the web gui to grab the logs from your DC's? If you have done all of this you need to ensure that you have auditing enabled as well. This might be why you are not getting any data.
Will.
Will.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trialIt's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Excel 2007 Inter… 218 lessons
-
Microsoft ApplicationsCertification: MOS Microsoft Office Specialist - Access 2007 Int… 207 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
- Ensure that Auditing is enabled on the Default Domain Controllers Policy
- Increase the Security Log on all of the domain controllers to 1GB size
- download and install Lepide Audit for Active Directory
http://www.lepide.com/lepideauditor/active-directory.html
Make sure that you install this software on a member server or workstation and not the domain controller itself.
Once you have this installed you will find exactly where the account is being locked out on. Machine/IP/User etc.
That would be the quickest way to accomplish this.
Will.