iamuser
 asked on

Users getting locked out; did a trace, not sure what all this means

We've been having lockout issues on a number of users recently.

I have Netlogon debug on my DC and my CAS server.

DC is 2008 R2, CAS is 2010 on 2008 R2

In the debug log on the DC I see this:

03/03 16:04:57 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC000006A
03/03 16:04:58 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
[LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC000006A

After a few more of these I get this:

03/03 16:05:01 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
[LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC)  Returns 0xC0000234
03/03 16:05:02 [LOGON] 92NDSTY: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
03/03 16:05:02 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC0000234

From my CAS debug log:

03/03 16:04:54 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Entered
03/03 16:04:54 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
03/03 16:04:54 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Returns 0xC000006A
03/03 16:04:55 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Entered
03/03 16:04:55 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
03/03 16:04:55 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Returns 0xC000006A
03/03 16:05:01 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
03/03 16:05:01 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Returns 0xC0000234

So based on the debug logs, and if I understand it correctly, it looks like the user tried to check email (via Outlook/mobile device) but the password was incorrect, and after multiple tries the account got locked.

I checked the account and the computer password was not changed recently. His password did not expire. His phone password was not changed. He was signed in and working on his computer when his account got locked. What he did say was that Outlook was open and then suddenly it prompted him to enter a username + password. He ignored it and then his account got locked.

Mapped drives do not require a password to be entered. IT dept mapped his drive for the user in question.
Active Directory, Exchange, Windows Server 2008
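
Added example (not part of the original thread): a small Python parser for the Netlogon debug lines quoted in the question. It counts 0xC000006A (STATUS_WRONG_PASSWORD) results per account and source machine and reports when 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT) first appears. The names `summarize`, `RESULT` and `SAMPLE` are this example's own, and the sample input is the DC log excerpt from the question.

```python
import re
from collections import defaultdict

WRONG_PASSWORD = 0xC000006A  # STATUS_WRONG_PASSWORD
LOCKED_OUT = 0xC0000234      # STATUS_ACCOUNT_LOCKED_OUT

TS = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d)\s+")
# "from X" is the machine the logon came from; "(via Y)" is the server that
# passed the request through. The CAS log has no "(via ...)" part.
RESULT = re.compile(
    r"\[LOGON\].*?SamLogon: (?P<kind>.+?) logon of (?P<user>\S+) "
    r"from (?P<src>\S+)(?: \(via (?P<via>[^)]+)\))?\s+"
    r"Returns (?P<code>0x[0-9A-Fa-f]+)\s*$"
)

# DC log lines copied from the question (names were already anonymised there).
SAMPLE = r"""
03/03 16:04:57 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC000006A
03/03 16:04:58 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
[LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC000006A
03/03 16:05:01 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
[LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC)  Returns 0xC0000234
03/03 16:05:02 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC0000234
"""

def summarize(lines):
    """Group SamLogon results by (account, source machine)."""
    stats = defaultdict(lambda: {"wrong_password": 0, "locked_at": None, "via": set()})
    last_ts = None
    for line in lines:
        line = line.strip()
        ts = TS.match(line)
        if ts:
            last_ts = ts.group(1)  # lines without a timestamp inherit the last one seen
        m = RESULT.search(line)
        if not m:
            continue  # "Entered" and [CRITICAL] lines carry no result code
        entry = stats[(m["user"].split("\\")[-1].lower(), m["src"])]
        if m["via"]:
            entry["via"].add(m["via"])
        code = int(m["code"], 16)
        if code == WRONG_PASSWORD:
            entry["wrong_password"] += 1
        elif code == LOCKED_OUT and entry["locked_at"] is None:
            entry["locked_at"] = last_ts
    return dict(stats)

if __name__ == "__main__":
    for (account, src), e in summarize(SAMPLE.splitlines()).items():
        print(account, src, e["wrong_password"], e["locked_at"], sorted(e["via"]))
```

Run against a full netlogon.log, the `src` column shows which machine submitted the bad passwords; when that machine is a front-end server such as the CAS here, the client behind it has to be identified from that server's own logs.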

Last Comment: Will Szymkowski, 8/22/2022 - Mon
Will Szymkowski

For locked-out accounts, your best bet to find exactly where it is being locked out is doing the following:
- Ensure that Auditing is enabled on the Default Domain Controllers Policy
- Increase the Security Log on all of the domain controllers to 1GB size
- Download and install Lepide Audit for Active Directory
http://www.lepide.com/lepideauditor/active-directory.html

Make sure that you install this software on a member server or workstation and not the domain controller itself.

Once you have this installed you will find exactly where the account is being locked out on. Machine/IP/User etc.

That would be the quickest way to accomplish this.

Will.
iamuser

ASKER
The software requires an extra SQL server, which I do not have available at this time. Based on the logs it looks like it's coming from our CAS server.
Will Szymkowski

You can use SQL Express with this software; you do not have to have a full-blown SQL install.

Will.
iamuser

ASKER
Will the software be able to tell if it's coming from a mobile device or Outlook from the desktop? The Netlogon logs don't say anything.
Will Szymkowski

Yes, this software will tell you what device, IP address, user account, etc. It also does a lot more in regards to auditing Active Directory, but this is one of the basic things it does very well.

Will.
iamuser

ASKER
I have it installed, connected to AD, audit is on, logs set to 1 gig, but so far I get nothing in the reports.
Will Szymkowski

You have to have an account set up that has access to the security logs on the domain controllers.

Will.
iamuser

ASKER
I used my own account. It's a domain admin account.
ASKER CERTIFIED SOLUTION
Will Szymkowski
