yo_bee

Password Lockout of a user

I have a user that keeps on locking out. I used the Account Lockout Tool to find the time period. Located the event log of the lockout.
Reviewing the event log, it shows that the one generating the lockout is one of my DCs.

I do not see any replication issues in the event log.

Not sure what could be causing this lockout. Secondly, the user is not even in the office today.
Tags: Windows OS, Active Directory, Security

Will Szymkowski

I would highly recommend using Active Directory Audit by Lepide software. This software will tell you exactly what name and IP your account is being locked out on.

http://www.lepide.com/lepideauditor/active-directory.html

Will.
McKnife

The eventlog on the DC already tells you where the lockout happened.
Visit that computer, see who was logged on while it happened. Now look for these 4:
scheduled tasks using that locked account
services using that account
scripts using that account
saved credentials using that account
You'll find it.
zalazar

At the bottom of Event ID 4740 where the user account locked out is reported, the "Caller Computer Name" field is there.
The value contains the name of the computer from where the lockout is generated.
Do you mean that this computer is the DC ?
If you follow the instructions from McKnife then you should be able to find out why this happened.

@Will, the question states that the Account Lockout Tool was used.
I don't know exactly which tool was used, and maybe you already know, but Microsoft provides some free tools for this.
https://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
https://www.microsoft.com/en-us/download/details.aspx?id=15201
yo_bee

ASKER
The IP recorded in the event log is the IP of one of my DCs.

I will examine the logs tomorrow.

Thanks
McKnife

It is locked out at some DC, always, because it is a domain account. But the event log also tells you where that bad password was being used.

To understand and find that: Stage a lockout with a test account and have it lockout on your own workstation. Then look into the logs at the DCs searching for your own IP.
zalazar

Thanks for your response. The important field is not the IP address but the name of the computer which is mentioned in the "Caller Computer Name". If you follow McKnife's instructions then you will be able to compare.
yo_bee

ASKER
Here is the error
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-06-30T13:36:43.873284800Z" />
    <EventRecordID>866403047</EventRecordID>
    <Correlation />
    <Execution ProcessID="508" ThreadID="2240" />
    <Channel>Security</Channel>
    <Computer>xxxDC01.xxxlaw.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">ahmeda</Data>
    <Data Name="TargetSid">S-1-5-21-663965598-47014434-1039276024-1338</Data>
    <Data Name="ServiceName">krbtgt/xxxLAW.LOCAL</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:192.168.94.207</Data>
    <Data Name="IpPort">55633</Data>
    <Data Name="CertIssuerName" />
    <Data Name="CertSerialNumber" />
    <Data Name="CertThumbprint" />
  </EventData>
</Event>
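An added PowerShell example, not code from this thread or from any of the posters, that puts McKnife's four checks and zalazar's point about the 4740 "Caller Computer Name" field together with the 4771 event posted above: it pulls both event IDs for the user from the DC, shows the caller computer or source IP, and then enumerates services and scheduled tasks on each caller machine. The user name, DC name and 24-hour window are assumptions taken from the thread; in 4740's XML the "Caller Computer Name" value is carried in the TargetDomainName data element.

```powershell
# Added example, not code from the thread. Assumes rights to read the Security log on the DC
# and CIM/WinRM access to the caller computer. User and DC names are placeholders from the thread.
param(
    [string]$User = 'ahmeda',    # TargetUserName seen in the 4771 event above
    [string]$Dc   = 'xxxDC01'    # DC that logged it; 4740 is also always raised on the PDC emulator
)

# Step 1: pull 4740 (account locked out) and 4771 (Kerberos pre-auth failed) for this user.
# In 4740 the "Caller Computer Name" field is stored in the TargetDomainName data element;
# in 4771 the source is IpAddress, and Status 0x18 means a wrong password was presented.
$filter = @{ LogName = 'Security'; Id = 4740, 4771; StartTime = (Get-Date).AddHours(-24) }
$hits = Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -ne $User) { return }          # skip other accounts
        # strip the IPv4-mapped prefix (::ffff:) that the 4771 IpAddress field carries
        $src = if ($_.Id -eq 4740) { $d.TargetDomainName } else { $d.IpAddress -replace '^::ffff:', '' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Source = $src
            Status = $d.Status     # 0x18 = bad password (4771 only; empty for 4740)
        }
    } | Sort-Object Time
$hits | Format-Table -AutoSize

# Step 2: on the caller computer, look for things that reuse the account (McKnife's list).
# Services and scheduled tasks can be enumerated remotely; saved credentials (cmdkey /list)
# only show up in the logged-on user's own session, so that check is just reminded here.
function Find-AccountUsage {
    param([string]$Computer, [string]$User)
    $pattern = "(^|\\)$([regex]::Escape($User))(@|$)"   # matches DOMAIN\user, user and user@domain
    Get-CimInstance Win32_Service -ComputerName $Computer |
        Where-Object { $_.StartName -match $pattern } |
        Select-Object @{n='Kind';e={'Service'}}, @{n='Name';e={$_.Name}}, @{n='RunsAs';e={$_.StartName}}
    Get-ScheduledTask -CimSession $Computer |
        Where-Object { $_.Principal.UserId -match $pattern } |
        Select-Object @{n='Kind';e={'Task'}}, @{n='Name';e={$_.TaskName}}, @{n='RunsAs';e={$_.Principal.UserId}}
    Write-Host "Also run 'cmdkey /list' interactively as $User on $Computer to see saved credentials."
}

# Every distinct caller computer reported by 4740 gets checked.
$callers = $hits | Where-Object Id -eq 4740 | Select-Object -ExpandProperty Source -Unique
foreach ($c in $callers) { Find-AccountUsage -Computer $c -User $User }
```

If the 4740 events point at a DC rather than a workstation, the 4771 rows show the real client IP, and that is the machine to run Find-AccountUsage against.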


ASKER CERTIFIED SOLUTION
zalazar

yo_bee

ASKER
Thank you for pointing that event ID out.
I saw in the initial call by the user that the computer in question was the possible root of the issue and I asked him to log off or reboot the machine. He said he did, but he never did.
I then rebooted the machine and all was good after that.

Thanks for your help all.
zalazar

Thanks for the information and very good to hear that it's solved.