Solved

AD account keep locking account

Posted on 2016-10-10
Last Modified: 2016-11-01
Question by: abcd ab01
 
Expert Comment by: Etienne Lau

Download and run this utility on any of your domain controllers: https://www.microsoft.com/en-us/download/details.aspx?id=15201

This will tell you when it is getting locked and which domain controller is triggering the lockout. Then enable "Debug" for Netlogon on that particular DC to find out the IP address that is triggering the lockout.

How to enable debug for Netlogon:
https://support.microsoft.com/en-us/kb/109626
 
Assisted Solution by: Ganesamoorthy S
Ganesamoorthy S earned 200 total points (awarded by participants)

Check the user metadata for the last lockout date/time and domain controller details, and check the Event Viewer for the lockout event to learn the source of the lockout.

http://www.windowstricks.in/2009/07/account-lockout.html
 

Author Comment by: abcd ab01

If I find the server and follow the instructions to enable and disable the Netlogon debug, will this impact the server's current status?
 

Author Comment by: abcd ab01

Still not the best solution. Please give me an easy and best solution; don't share the links please, not helping.
 

Author Comment by: abcd ab01

Kerberos Authentication Service: I found the event in Event Viewer and it's 4771, error "Kerberos Authentication Service".
 
Expert Comment by: Etienne Lau

Enabling debug for NETLOGON will not have a severe impact on your server. You will need to bounce the NETLOGON service after you enable/disable debug. Enabling debug will then allow you to look at the NETLOGON.LOG files to see what IP address the lockout is coming from.
 
Accepted Solution by: Rich Weissler
Rich Weissler earned 300 total points (awarded by participants)

I'm assuming "AD account keep locking account" means that there is an AD account that keeps getting locked out, and that this is an undesirable situation. This normally occurs because authentication fails due to a bad password more times within a relatively brief period of time than is configured for your domain.

Lockout policies are implemented to prevent 'the bad guy' from brute forcing passwords by repeatedly guessing possible passwords. In recent years, as more software and devices with passwords saved locally authenticate against Active Directory, it's more common that users' own devices lock them out of their accounts when they change their passwords.

There are a couple of possible paths to a solution:
1. It is possible to turn off the lockout policy. The software or device (or a hypothetical bad guy guessing passwords) will continue to fail to authenticate, but it won't lock the account. The setting will be in the Group Policy - Default Domain Policy.
2. If you wish to keep the lockout policy, you'll want to track down the software, device, or bad guy. Looking at the 4771 events in the domain controller Security Event Log is a good start -- but I'd be tempted to focus on the 4740 events, 'cause they'll often tell you exactly which device is causing the lockout.
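As an added example (not code from this thread or from any of its participants), the following PowerShell pulls both event types mentioned above from a domain controller's Security log and lists the source of each failure for one account: the caller computer name from 4740 and the client IP address from 4771. It assumes the ActiveDirectory module (RSAT) is installed, that the session can read the DC's Security log remotely, and that `Get-LockoutSource` and the account name `jdoe` are placeholders of my own.

```powershell
# Added example, not from the thread. Event 4740 ("A user account was locked out")
# carries the caller computer in its TargetDomainName field; event 4771 ("Kerberos
# pre-authentication failed") carries the client in IpAddress, and Status 0x18 means
# a bad password. 4740 is always forwarded to the PDC emulator; 4771 is written on the
# DC that handled the request, so pass -DomainController for that DC when needed.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$Account,          # sAMAccountName (placeholder)
        [string]$DomainController = (Get-ADDomain).PDCEmulator,
        [int]$Hours = 24
    )
    $Filter = @{
        LogName   = 'Security'
        Id        = 4740, 4771
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> nodes into a lookup table.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            # Both event types name the account in TargetUserName.
            if ($d['TargetUserName'] -ne $Account) { return }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                # 4740: caller computer name; 4771: client IP (often ::ffff:a.b.c.d).
                Source  = if ($_.Id -eq 4740) { $d['TargetDomainName'] } else { $d['IpAddress'] }
                Status  = if ($_.Id -eq 4771) { $d['Status'] } else { 'locked out' }
                DC      = $_.MachineName
            }
        } | Sort-Object Time -Descending
}

# Usage with a placeholder account name: the Source column is the device to track down.
Get-LockoutSource -Account 'jdoe' -Hours 24 | Format-Table -AutoSize
```

Run it once against the PDC emulator for the 4740 trail, then against the DC named in the DC column of a 4740 row to see the matching 4771 client addresses.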
 

Author Comment by: abcd ab01

4740 - thanks for helping me. I ran a filter for this event and found the caller computer name. What would be the next step?
 
Expert Comment by: Rich Weissler

Track down that computer. If it's a user's computer, it's likely a cached or stored password. If it's a web server, it could be a stored password in a user's browser... (Still a stored password, but back to a user's computer... you might need to go through web logs to find the source of the password.) If it's a RADIUS server, it could be a stored/cached password for something authenticating against it... (wireless, etc.).

If it's completely alien... it could actually be a bad guy attempting a brute force attack.
 

Author Comment by: abcd ab01

How do I check web logs?
 
Expert Comment by: Rich Weissler

If logging is turned on on the web server, in IIS, by default the logs would be under Inetpub/logs/logfiles/W3SVC#, where # is the site number... and they can be configured to be nearly anywhere. Depending on how the site doing the authentication is configured, you can either track by time/date to find the connecting computer's IP address... or just perform a search for the userid to find the line... which will still tell you the connecting computer's IP address.
If the web server is something other than IIS (Apache, for example), you'll probably want to open a separate ticket to get assistance from an Apache expert.
 

Author Comment by: abcd ab01

Thanks!
 
Expert Comment by: Kevin k

Do these users have email on their phones? If the phone has the wrong password it will try over and over again until it locks the AD account.

Also make sure there are no old stored passwords in Credential Manager; this could also cause the lockouts.

A few more reasons:

A user has scheduled tasks on their PC, but has recently changed their password and failed to update the credentials associated with their scheduled tasks.

User receives Exchange emails on their phone, recently changed their PW, failed to update their phone.

User has logged in at a different PC, forgotten to log off, and has changed their PW since then.

A service running as a user on a PC or server; the service user's PW was changed but never updated on the service.

Also get help from this earlier thread: http://slickdeals.net/f/1181735-solved-user-s-ad-account-keeps-locking-out-no-bad-passwords-or-lockouts-registering-in-netlogon

Have a look at this How-To article published by another community member detailing some common downloads and troubleshooting steps when dealing with issues like these:

http://community.spiceworks.com/how_to/show/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

Identify the source of account lockouts in Active Directory:
https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory

Hope this helps!
 

Author Comment by: abcd ab01

Thanks everyone, I was able to resolve the issue after running 4740 - 'cause they'll often tell you exactly which device is causing the lockout!
 
Expert Comment by: Rich Weissler

Going with the solution the requester indicated helped -- Ganesamoorthy had also indicated looking at the event logs, and the final answer built on that idea.
