Administration of Active Directory does not have to be hard. Too often what should be a simple task is made more difficult than it needs to be.The solution? Hyena from SystemTools Software. With ease-of-use as well as powerful importing and bulk updating capabilities.
Password Lockout of a user
I have a user that keeps on locking out. I used the Account Lockout Tool to find the time period. Located the event log of the lockout.
Review the event log and it showing that it is generating the lockout is one of my DC's.
I do not see any replication issues in the event log.
Not sure what could be causing this lockout. Second off the user is not even in the office today.
Review the event log and it showing that it is generating the lockout is one of my DC's.
I do not see any replication issues in the event log.
Not sure what could be causing this lockout. Second off the user is not even in the office today.
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
The eventlog on the DC already tells you where the lockout happened.
Visit that computer, see who was logged on while it happened. Now look for these 4:
scheduled tasks using that locked account
services using that account
scripts using that account
saved credentials using that account
You'll find it.
Visit that computer, see who was logged on while it happened. Now look for these 4:
scheduled tasks using that locked account
services using that account
scripts using that account
saved credentials using that account
You'll find it.
At the bottom of Event ID 4740 where the user account locked out is reported, the "Caller Computer Name" field is there.
The value contains the name of the computer from where the lockout is generated.
Do you mean that this computer is the DC ?
If you follow the instructions from McKnife then you should be able to find out why this happened.
@Will, the question states that the Account Lockout Tool was used.
I don't know exactly which tool was used and maybe you already know but Microsoft provide some free tools for this.
https://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
https://www.microsoft.com/en-us/download/details.aspx?id=15201
The value contains the name of the computer from where the lockout is generated.
Do you mean that this computer is the DC ?
If you follow the instructions from McKnife then you should be able to find out why this happened.
@Will, the question states that the Account Lockout Tool was used.
I don't know exactly which tool was used and maybe you already know but Microsoft provide some free tools for this.
https://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
https://www.microsoft.com/en-us/download/details.aspx?id=15201
The IP recorded in the event log is the IP of one of my DC's.
I will examine the logs tomorrow.
Thanks
I will examine the logs tomorrow.
Thanks
It is locked out at some DC, always, because it is a domain account. But the event log also tells you, where that bad password was being used.
To understand and find that: Stage a lockout with a test account and have it lockout on your own workstation. Then look into the logs at the DCs searching for your own IP.
To understand and find that: Stage a lockout with a test account and have it lockout on your own workstation. Then look into the logs at the DCs searching for your own IP.
Thanks for your response. The important field is not the IP-address but the name of the computer which is mentioned in the "Caller Computer Name". If you follow McKnife's instructions then you will be able to compare.
Here is the error
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-06-30T13:36:43.873284800Z" />
<EventRecordID>866403047</EventRecordID>
<Correlation />
<Execution ProcessID="508" ThreadID="2240" />
<Channel>Security</Channel>
<Computer>xxxDC01.xxxlaw.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">ahmeda</Data>
<Data Name="TargetSid">S-1-5-21-663965598-47014434-1039276024-1338</Data>
<Data Name="ServiceName">krbtgt/xxxLAW.LOCAL</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x18</Data>
<Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:192.168.94.207</Data>
<Data Name="IpPort">55633</Data>
<Data Name="CertIssuerName" />
<Data Name="CertSerialNumber" />
<Data Name="CertThumbprint" />
</EventData>
</Event>
Thanks for posting the event.
Can you try to find an Event with ID 4740 in the security eventlog of all domain controllers which contains the Account Name of the user.
This event also contains the "Caller Computer Name".
For these events to log Auditing on (User) Account Management should be enabled (Success).
Can you try to find an Event with ID 4740 in the security eventlog of all domain controllers which contains the Account Name of the user.
This event also contains the "Caller Computer Name".
For these events to log Auditing on (User) Account Management should be enabled (Success).
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
Thank you for pointing that event id out.
I saw in the initial call by the user that the computer in question was the possible root of the issue and I asked him to logoff or reboot the machine. He said he did, but he never did.
I then rebooted the machine and all was good after that.
Thanks for you help all.
I saw in the initial call by the user that the computer in question was the possible root of the issue and I asked him to logoff or reboot the machine. He said he did, but he never did.
I then rebooted the machine and all was good after that.
Thanks for you help all.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS
From novice to tech pro — start learning today.
Question has a verified solution.
Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.
Have a better answer? Share it in a comment.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with premium.
Start your 7-day free trial.
http://www.lepide.com/lepideauditor/active-directory.html
Will.