emcphail
asked on
Solitary account constantly locked. No 4740 event IDs to be found.
I'm hitting a wall with this one.
I have a single AD account, who we can refer to as RWATERS. RWATERS is constantly getting locked out on a regular basis. Using the AccountLockoutTool provided by Microsoft, I can see the originator DC for the lockout along with the bad attempts across our 5 DCs. My problem is that when I get the security logs for ANY of the DCs, I only get 4768 and 4769. I've remoted into each one individually and used EventCombMT and both yield the same results. Lots of successes, and NO failures.
I've updated our default domain policy and set Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy to log Failure for Audit Account Logon Events and Directory Service Access and then ran a gpupdate /force on all the DCs, but the results are the same.
At this point, I'm wondering if I'm experiencing replication issues on my DCs. However, dcdiag /test:replications on all the DCs comes back successful. Furthermore, it's not widespread. It's the same account consistently.
I have co-workers suggesting the nuclear options of creating a new AD account or deleting and recreating the existing one but I'm absolutely not a fan of that. I'll open a case with MS if it gets that dire, but you guys are the smartest dudes in the room so I came here first.
Any ideas?
Check for 4771 events.
I use a small PowerShell script to check for 4771 events (codes 0x18 and 0x12). My DCs do not have any 4740 events (and I never needed them).
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
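A script along the lines the answer describes, added here as an example (it is not the answerer's own script): it pulls 4771 events from every DC for the account in the question, keeps only status 0x18 (KDC_ERR_PREAUTH_FAILED, bad password) and 0x12 (KDC_ERR_CLIENT_REVOKED, account locked or disabled), and groups them by the client IP so the host still sending a stale credential stands out. The `$User` and `$Hours` parameters and the use of the RSAT AD module to enumerate DCs are assumptions.

```powershell
# Added example, not the answerer's script. Requires the RSAT ActiveDirectory module
# and read access to each DC's Security log.
param(
    [string]$User  = 'RWATERS',   # account from the question
    [int]   $Hours = 24           # how far back to look
)

# Kerberos pre-auth failure codes worth chasing for a lockout investigation:
# 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password), 0x12 = KDC_ERR_CLIENT_REVOKED (locked/disabled)
$codes  = @('0x18', '0x12')
$dcs    = (Get-ADDomainController -Filter *).HostName
$filter = @{ LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours) }

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
            # Parse the EventData fields from the event XML instead of relying on message text
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                DC       = $dc
                Time     = $_.TimeCreated
                User     = $d['TargetUserName']
                Status   = $d['Status']
                ClientIp = ($d['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
                PreAuth  = $d['PreAuthType']
            }
        }
    } catch {
        # Get-WinEvent throws when a DC has no matching events; that is not an error here
        if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $_" }
    }
}

$hits = $events | Where-Object { $_.User -ieq $User -and $codes -contains $_.Status }

# Per-event detail, oldest first, so the first failure before each lockout is visible
$hits | Sort-Object Time | Format-Table DC, Time, Status, ClientIp, PreAuth -AutoSize

# Summary: the client IP with the most 0x18 entries is the likely source of the cached bad password
$hits | Group-Object ClientIp | Sort-Object Count -Descending | Select-Object Count, Name
```

4771 is only written when failure auditing for Kerberos Authentication Service is enabled on the DCs; it sits under the Account Logon category that the question's GPO path turns on, so if the DCs show none, check that an advanced audit policy is not overriding the legacy setting.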