Solved

Why did Active Directory account get disabled?

Posted on 2016-09-06
5
31 Views
Last Modified: 2016-10-25
Hello,

A high-profile user was unable to access network resources this morning.  Sounds like he was already logged on to the network for some time.  But he stopped being able to access network resources.  At this point he rebooted his PC.   After reboot, attempts to logon returned the following message:

The referenced account is currently locked out and may not be logged on to

Issue was quickly addressed by re-enabling this account.  However this is not a user who is likely to mistype his credentials multiple times.  I'm concerned about a potential attempt to login with his account.  Where can I check in Event Viewer or other tool to gather any information that may be of help to gather some detail?

Thanks in advance.

Regards,
Real-Time
0
Comment
Question by:realtimer
5 Comments
 
LVL 4

Assisted Solution

by:AnthonyHamon
AnthonyHamon earned 166 total points
ID: 41787013
If you do not have any Active Directory auditing software then check the Security logs [in Event Viewer] on all of your domain controllers, filtering for logon failures.  If, however, your auditing policy is set not to record logon failures you will have nothing to go on.
0
 
LVL 7

Accepted Solution

by:
Senior IT System Engineer earned 168 total points
ID: 41787073
Hi realtimer,

You can cehck for the Security event ID 4740 in the domain controllers and also the reason of the failure codes as per my attached .PDF file.

I was into this problem before and it turns out to be the old iPhone or the iTunes software still using the old password.
quickref.pdf
0
 
LVL 17

Assisted Solution

by:Learnctx
Learnctx earned 166 total points
ID: 41787532
There are a bunch of error codes to look for.

4625: Failed logon.
4740: Lockout event.
4768 (audit failure): Kerberos TGT failure.
4769 (audit failure): Kerberos service ticket failure.
4771: Kerberos Pre-authentication failure.
4776 (audit failure): NTLM failed logon.

Common causes for this can be anything from:

* Old logon sessions.
* Cached credentials (Outlook, Lync).
* Applications which store credentials, developer tools are notorious for this.
* Mobile devices like phones, tablets, etc.
0
 

Author Comment

by:realtimer
ID: 41804993
Hello,

I've gone through some of these steps and am still working on trying to isolate the source of the problem.

In the interim, what can I do to ensure that this one account does not get disabled regardless of the number of failed login attempts?

Thank you.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
OfficeMate Freezes on login or does not load after login credentials are input.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…

815 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

8 Experts available now in Live!

Get 1:1 Help Now