Solved

Why did Active Directory account get disabled?

Posted on 2016-09-06
5
39 Views
Last Modified: 2016-10-25
Hello,

A high-profile user was unable to access network resources this morning.  Sounds like he was already logged on to the network for some time.  But he stopped being able to access network resources.  At this point he rebooted his PC.   After reboot, attempts to logon returned the following message:

The referenced account is currently locked out and may not be logged on to

Issue was quickly addressed by re-enabling this account.  However this is not a user who is likely to mistype his credentials multiple times.  I'm concerned about a potential attempt to login with his account.  Where can I check in Event Viewer or other tool to gather any information that may be of help to gather some detail?

Thanks in advance.

Regards,
Real-Time
0
Comment
Question by:realtimer
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 4

Assisted Solution

by:AnthonyHamon
AnthonyHamon earned 166 total points
ID: 41787013
If you do not have any Active Directory auditing software then check the Security logs [in Event Viewer] on all of your domain controllers, filtering for logon failures.  If, however, your auditing policy is set not to record logon failures you will have nothing to go on.
0
 
LVL 8

Accepted Solution

by:
Senior IT System Engineer earned 168 total points
ID: 41787073
Hi realtimer,

You can cehck for the Security event ID 4740 in the domain controllers and also the reason of the failure codes as per my attached .PDF file.

I was into this problem before and it turns out to be the old iPhone or the iTunes software still using the old password.
quickref.pdf
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 166 total points
ID: 41787532
There are a bunch of error codes to look for.

4625: Failed logon.
4740: Lockout event.
4768 (audit failure): Kerberos TGT failure.
4769 (audit failure): Kerberos service ticket failure.
4771: Kerberos Pre-authentication failure.
4776 (audit failure): NTLM failed logon.

Common causes for this can be anything from:

* Old logon sessions.
* Cached credentials (Outlook, Lync).
* Applications which store credentials, developer tools are notorious for this.
* Mobile devices like phones, tablets, etc.
0
 

Author Comment

by:realtimer
ID: 41804993
Hello,

I've gone through some of these steps and am still working on trying to isolate the source of the problem.

In the interim, what can I do to ensure that this one account does not get disabled regardless of the number of failed login attempts?

Thank you.
0

Featured Post

Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows theĀ method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happenā€¦
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question