?
Solved

Why did Active Directory account get disabled?

Posted on 2016-09-06
5
Medium Priority
?
52 Views
Last Modified: 2016-10-25
Hello,

A high-profile user was unable to access network resources this morning.  Sounds like he was already logged on to the network for some time.  But he stopped being able to access network resources.  At this point he rebooted his PC.   After reboot, attempts to logon returned the following message:

The referenced account is currently locked out and may not be logged on to

Issue was quickly addressed by re-enabling this account.  However this is not a user who is likely to mistype his credentials multiple times.  I'm concerned about a potential attempt to login with his account.  Where can I check in Event Viewer or other tool to gather any information that may be of help to gather some detail?

Thanks in advance.

Regards,
Real-Time
0
Comment
Question by:realtimer
4 Comments
 
LVL 4

Assisted Solution

by:AnthonyHamon
AnthonyHamon earned 664 total points
ID: 41787013
If you do not have any Active Directory auditing software then check the Security logs [in Event Viewer] on all of your domain controllers, filtering for logon failures.  If, however, your auditing policy is set not to record logon failures you will have nothing to go on.
0
 
LVL 8

Accepted Solution

by:
Senior IT System Engineer earned 672 total points
ID: 41787073
Hi realtimer,

You can cehck for the Security event ID 4740 in the domain controllers and also the reason of the failure codes as per my attached .PDF file.

I was into this problem before and it turns out to be the old iPhone or the iTunes software still using the old password.
quickref.pdf
0
 
LVL 18

Assisted Solution

by:Learnctx
Learnctx earned 664 total points
ID: 41787532
There are a bunch of error codes to look for.

4625: Failed logon.
4740: Lockout event.
4768 (audit failure): Kerberos TGT failure.
4769 (audit failure): Kerberos service ticket failure.
4771: Kerberos Pre-authentication failure.
4776 (audit failure): NTLM failed logon.

Common causes for this can be anything from:

* Old logon sessions.
* Cached credentials (Outlook, Lync).
* Applications which store credentials, developer tools are notorious for this.
* Mobile devices like phones, tablets, etc.
0
 

Author Comment

by:realtimer
ID: 41804993
Hello,

I've gone through some of these steps and am still working on trying to isolate the source of the problem.

In the interim, what can I do to ensure that this one account does not get disabled regardless of the number of failed login attempts?

Thank you.
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question