AD account keep locking account

Asked by: abcd ab01

2 Solutions

Etienne Lau (Systems Administrator) commented:
Download and run this utility on any of your Domain Controllers: https://www.microsoft.com/en-us/download/details.aspx?id=15201

This will tell you when it is getting locked and which domain controller is triggering the lockout. Then enable "Debug" for netlogon on that particular DC to find out the IP address that is triggering the lockout.

How to Enable Debug for Netlogon:
https://support.microsoft.com/en-us/kb/109626

Ganesamoorthy S (Tech Lead) commented:
Check the user metadata for the last lockout date/time and Domain Controller details, and check the Event Viewer for the lockout event to find the source of the lockout.

http://www.windowstricks.in/2009/07/account-lockout.html

abcd ab01 (Author) commented:
If I find the server and follow the instructions to enable and disable netlogon, will this impact the server's current status?

abcd ab01 (Author) commented:
Still not the best solution. Please give me an easy and best solution; please don't share links, they are not helping.

abcd ab01 (Author) commented:
Kerberos Authentication Service: I found the event in Event Viewer and it's 4771. Error: Kerberos Authentication Service.

Etienne Lau (Systems Administrator) commented:
Enabling Debug for NETLOGON will not have a severe impact on your server. You will need to bounce the NETLOGON service after you enable/disable DEBUG. Enabling DEBUG will then allow you to look at the NETLOGON.LOG files to see what IP address the lockout is coming from.

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
I'm assuming "AD account keep locking account" means that there is an AD account that keeps getting locked out, and that this is an undesirable situation. This normally occurs because authentication fails due to a bad password more times within a relatively brief period of time than is configured for your domain.

Lockout policies are implemented to prevent 'the bad guy' from brute forcing passwords by repeatedly guessing possible passwords. In recent years, as more software and devices with passwords saved locally authenticate against Active Directory, it's more common that users' own devices lock them out of their accounts when they change their passwords.

There are a couple possible paths to a solution:
1. It is possible to turn off the lockout policy. The software or device (or a hypothetical bad guy guessing passwords) will continue to fail to authenticate, but it won't lock the account. The setting will be in the Group Policy - Default Domain Policy.
2. If you wish to keep the lockout policy, you'll want to track down the software, device, or bad guy. Looking at the 4771 events in the domain controller Security Event Log is a good start -- but I'd be tempted to focus on the 4740 events, 'cause they'll often tell you exactly which device is causing the lockout.
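The 4740/4771 search described above, as an added example that is not part of the thread: it pulls 4740 lockout events from the PDC emulator (the only DC that writes them) and 4771 pre-authentication failures with status 0x18 (bad password) from every DC, and reports the caller computer and source IP. It assumes the ActiveDirectory module (RSAT) is installed, that the account running it can read the DCs' Security logs, and that the user name 'jdoe' is a placeholder for the locked-out account.

```powershell
# Added example for this thread, not an existing tool. Requires RSAT / ActiveDirectory module.
Import-Module ActiveDirectory

function Get-EventDataTable {
    # Turn an event's EventData <Data Name="..."> elements into a hashtable keyed by Name.
    param($Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-LockoutCaller {
    # 4740 is only written on the PDC emulator, so query it instead of every DC.
    # Event Viewer's "Caller Computer Name" is stored in the TargetDomainName field.
    param([string]$User = '*', [int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataTable $_
            [pscustomobject]@{
                Time           = $_.TimeCreated
                LockedAccount  = $d['TargetUserName']
                CallerComputer = $d['TargetDomainName']
            }
        } | Where-Object { $_.LockedAccount -like $User }
}

function Get-BadPasswordSource {
    # 4771 with Status 0x18 = Kerberos pre-auth failed because of a wrong password.
    # These land on whichever DC answered the request, so check every DC and
    # group by the client IP that sent the failing requests.
    param([string]$User = '*', [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-ADDomainController -Filter * | ForEach-Object {
        Get-WinEvent -ComputerName $_.HostName -FilterHashtable $filter -ErrorAction SilentlyContinue
    } | ForEach-Object {
        $d = Get-EventDataTable $_
        if ($d['Status'] -eq '0x18' -and $d['TargetUserName'] -like $User) {
            # IpAddress is usually IPv4-mapped IPv6 ("::ffff:10.1.2.3"); strip the prefix.
            [pscustomobject]@{ Account = $d['TargetUserName']; SourceIp = $d['IpAddress'] -replace '^::ffff:', '' }
        }
    } | Group-Object Account, SourceIp | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-LockoutCaller -User 'jdoe' | Format-Table -AutoSize      # 'jdoe' is a placeholder account
Get-BadPasswordSource -User 'jdoe' | Format-Table -AutoSize
```

Get-WinEvent throws when no events match, which is why the calls use -ErrorAction SilentlyContinue; an empty result simply means nothing was logged in the window.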

abcd ab01 (Author) commented:
4740 - thanks for helping me. I ran a filter for this event and found the caller computer name. What would be the next step?

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Track down that computer.  If it's a user's computer, it's likely it is a cached or stored password.  If it's a web server, it could be a stored password in a user's browser... (Still a stored password, but back to a user's computer... might need to go thru web logs to find the source of the password.)  If it's a RADIUS server, it could be a stored/cached password for something authenticating against it... (wireless, etc).

If it's completely alien... it could actually be a bad guy attempting a brute force attack.

abcd ab01 (Author) commented:
How do I check the web logs?

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
If logging is turned on on the web server, in IIS, by default the logs would be under Inetpub/logs/logfiles/W3SVC#, where # is the site number... and they can be configured to be nearly anywhere. Depending on the way the site which is doing the authentication is configured, you can either track by time/date to find the connecting computer's IP address... or just perform a search for the userid to find the line... which will still tell you the connecting computer's IP address.
If the web server is something other than IIS (Apache, for example), you'll probably want to open a separate ticket to get assistance from an Apache expert.

abcd ab01 (Author) commented:
Thanks!

Ajit Singh commented:
Do these users have email on their phones? If the phone has the wrong password it will try over and over again until it locks the AD account.

Also make sure there are no old stored passwords in Credential Manager; this could also cause the lockouts.

A few more reasons:

A user has scheduled tasks on their PC, but has recently changed their password and failed to update the credentials associated with their scheduled tasks.

User receives Exchange emails on their phone, recently changed their PW, failed to update their phone.

User has logged in at a different PC, forgotten to log off, and has changed their PW since then.

A service running as a user on a PC or server, service user's PW was changed but never updated on the service.

Also get help from this earlier thread: http://slickdeals.net/f/1181735-solved-user-s-ad-account-keeps-locking-out-no-bad-passwords-or-lockouts-registering-in-netlogon

Have a look at this How-To article published by another community member detailing some common downloads and troubleshooting steps when dealing with issues like these:

http://community.spiceworks.com/how_to/show/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

Identify the source of Account Lockouts in Active Directory:
https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory

Hope this helps!

abcd ab01 (Author) commented:
Thanks everyone, I was able to resolve the issue after running the 4740 filter - 'cause they'll often tell you exactly which device is causing the lockout!

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Going with the solution the requester indicated helped -- Ganesamoorthy had also indicated looking at the event logs, and the final answer built on that idea.