account locked

Hi Experts,

We use ActiveSync with our Exchange Server 2007.
One account is always locked.
This account is used by several mobile devices.
Do you have a quick solution to find the guilty device?
Eprs_Admin (System Architect) asked:

cshepfam commented:
Use this:

http://www.netwrix.com/netwrix_account_lockout_examiner.html

As soon as the account is locked out, you'll get an email, and it will also tell you what device/computer it was locked out from.
0
Jeff Perry (Windows Administrator) commented:
I believe you are experiencing something similar to what this article describes.

http://serverfault.com/questions/370651/activesync-devices-causing-accounts-to-lockout

Here is another article on troubleshooting AD account lockouts.

http://realit1.blogspot.in/2012/04/troubleshooting-active-directory.html
0
Will Szymkowski (Senior Solution Architect) commented:
In order to see where this account is getting locked out, you need to configure Active Directory Auditing. From there you would then need to check the security logs on the domain controllers. If you have several domain controllers you will need to check the security logs on all of them. This is because the user can authenticate to any one of your DCs. Personally I would recommend using something like Active Directory Auditor by Lepide Software.

Great product and it can also provide several other reporting tasks within your domain.
http://www.lepide.com/lepideauditor/active-directory.html

Will.
0

Amit (IT Architect) commented:
Just use Microsoft AD lock tool. It is free.
http://www.microsoft.com/en-in/download/details.aspx?id=18465

Step 1: you need to find which DC it is getting locked out from. Then on that DC you run eventcom exe and select the security logs, put in the user name and search for it. It will create one log file; open it and search for that username, and you will find which device or machine it is getting locked out from. Next you need to ask the user to remove the ID from the device or machine, or update the correct password.

If the user is unable to fix it, then the last option is to rename the account. Go to the Account tab and append a digit or letter. That will stop the account lockout.

Remember, if your DC logs are overwritten then you cannot find the data; you need to wait for the lockout to happen again.
0
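The search the answers above describe (check the Security log on every domain controller for the locked account), as an added PowerShell example that is not part of the original thread or any poster's code. It assumes the ActiveDirectory module is installed, auditing is enabled, and you may read the Security log on each DC; the parameter names and the four-hour window are illustrative.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT),
# rights to read the Security log on every DC, and that auditing is enabled.
param(
    [string]$Account   = 'notdienststo11',  # account name from the log posted in this thread
    [int]   $HoursBack = 4                  # assumed search window
)
Import-Module ActiveDirectory

# 4740 = account locked out, 4771 = Kerberos pre-authentication failed
$filter = @{ LogName = 'Security'; Id = 4740, 4771; StartTime = (Get-Date).AddHours(-$HoursBack) }

$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events found" is normal for a DC that logged nothing in the window
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        # Read the named XML fields so the result does not depend on the log's display language
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $Account) { continue }

        if ($e.Id -eq 4740) {
            $source = $d['TargetDomainName']                    # "Caller Computer Name" in the 4740 message
            $detail = 'locked out'
        } else {
            $source = $d['IpAddress'] -replace '^::ffff:', ''   # IPv4-mapped form, e.g. ::ffff:10.2.1.2
            $detail = "pre-auth failed, code $($d['Status'])"   # 0x18 = wrong password
        }
        [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc.HostName; EventId = $e.Id; Source = $source; Detail = $detail }
    }
}

# Timeline first, then a count per source so the noisiest client stands out
$hits | Sort-Object Time | Format-Table -AutoSize
$hits | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

The per-source count at the end separates a single misconfigured client from failures spread across several addresses.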
Eprs_Admin (System Architect, Author) commented:
Hi Experts,

I have this security log for you.

Fehler bei der Kerberos-Vorauthentifizierung.

Kontoinformationen:
	Sicherheits-ID:			HBGNB\notdienststo11
	Kontoname:				notdienststo11

Dienstinformationen:
	Dienstname:				krbtgt/hbgnb

Netzwerkinformationen:
	Clientadresse:				::ffff:10.2.1.2
	Clientport:				12335

Weitere Informationen:
	Ticketoptionen:			0x40810010
	Fehlercode:				0x18
	Typ vor der Authentifizierung:	2

Zertifikatsinformationen:
	Zertifikatausstellername:		
	Seriennummer des Zertifikats: 	
	Zertifikatfingerabdruck:		

Zertifikatinformationen werden nur bereitgestellt, wenn ein Zertifikat zur Vorauthentifizierung verwendet wurde.

Vorauthentifizierungtypen, Ticketoptionen und Fehlercodes sind in RFC 4120 definiert.

Wenn das Ticket eine ungültige Form hat oder beim Transport beschädigt wurde und nicht entschlüsselt werden kann, sind viele Fehler dieses Ereignisses möglicherweise nicht vorhanden.

0
Eprs_Admin (System Architect, Author) commented:
The IP is my second DC; that I don't understand.
0
Eprs_Admin (System Architect, Author) commented:
My account is locked out in nearly 20 seconds.

But why is my 2nd DC listed?
0
Jeff Perry (Windows Administrator) commented:
I am having trouble with the translation, but I think the general error is that the account is trying to authenticate against your 2nd DC but the Kerberos stored credentials don't match.

This can be caused by a number of issues. I have found this forum post that may help you.

http://stackoverflow.com/questions/4468677/domain-account-keeping-locking-out-with-correct-password-every-few-minutes
0

Eprs_Admin (System Architect, Author) commented:
Now we solved it with a new account name but same email address.
0
Question has a verified solution.