Solved

AD account keep locking account

Posted on 2016-10-10
Last Modified: 2016-11-01
Question by:abcd ab01
15 Comments
 
LVL 3

Expert Comment

by:Etienne Lau
ID: 41837228
Download and run this utility on any of your Domain Controllers. https://www.microsoft.com/en-us/download/details.aspx?id=15201

This will tell you when it is getting locked and which domain controller is triggering the lockout. And then enable "Debug" for netlogon on that particular DC to find out the IP address that is triggering the lockout.

How to Enable Debug for Netlogon:
https://support.microsoft.com/en-us/kb/109626
0
 
LVL 6

Assisted Solution

by:Ganesamoorthy S
Ganesamoorthy S earned 800 total points (awarded by participants)
ID: 41837353
Check the user metadata for the last lockout date/time and Domain Controller details, and check the event viewer for the lockout event to know the source of the lockout.

http://www.windowstricks.in/2009/07/account-lockout.html
0
 

Author Comment

by:abcd ab01
ID: 41837382
If I find the server and follow the instructions to enable and disable netlogon, will this impact the server's current status?
0
 

Author Comment

by:abcd ab01
ID: 41837421
Still not the best solution. Please give me an easy and best solution, and don't share links please. Not helping.
0
 

Author Comment

by:abcd ab01
ID: 41837455
I found the event in Event Viewer and it's 4771, error: Kerberos Authentication Service.
0
 
LVL 3

Expert Comment

by:Etienne Lau
ID: 41837474
Enabling Debug for NETLOGON will not have a severe impact on your server. You will need to bounce the NETLOGON service after you enable/disable DEBUG. Enabling DEBUG will then allow you to look at the NETLOGON.LOG files to see what IP address the lockout is coming from.
0
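The netlogon debug workflow described in the two comments above, as an added example that is not code from the original thread: it enables and disables Netlogon debug logging with the flag value from the Microsoft KB, bounces the service, and then summarises the bad-password entries in netlogon.log by the client that sent them. It assumes an elevated PowerShell session on the DC, the default log path, and the line layout shown in the constructed sample (which is not real log data).

```powershell
# Added example (not from the original thread). Assumes elevated PowerShell on a DC.

function Enable-NetlogonDebug {
    # 0x2080ffff is the verbose Netlogon flag from the KB linked above.
    nltest /dbflag:0x2080ffff | Out-Null
    Restart-Service -Name Netlogon     # the service must be bounced for the flag to apply
}

function Disable-NetlogonDebug {
    nltest /dbflag:0x0 | Out-Null
    Restart-Service -Name Netlogon     # turn it off again; the log grows fast on a busy DC
}

function Get-NetlogonBadPasswordSources {
    param(
        [string[]]$Lines,                                   # log lines (a file's content, or a sample)
        [string]$LogPath = "$env:windir\debug\netlogon.log",
        [string]$User                                       # sAMAccountName to focus on; omit for all
    )
    if (-not $Lines) { $Lines = Get-Content -Path $LogPath }
    # Each failed logon ends with "Returns 0xC000006A" (STATUS_WRONG_PASSWORD).
    # "from" names the client workstation; "(via ...)" names the server that relayed
    # the request and is absent when the client talked to the DC directly.
    $pattern = 'logon of (?<domain>[^\\]+)\\(?<user>\S+) from (?<client>\S+)(?: \(via (?<via>[^)]+)\))? Returns 0xC000006A'
    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern -and (-not $User -or $Matches.user -eq $User)) {
            [pscustomobject]@{
                Time   = $line.Substring(0, 14)     # "MM/DD HH:MM:SS" prefix of the line
                User   = $Matches.user
                Client = $Matches.client
                Via    = $Matches.via               # $null when no "(via ...)" was present
            }
        }
    }
    $hits | Group-Object User, Client, Via | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'User';     e = { $_.Group[0].User } },
            @{ n = 'Client';   e = { $_.Group[0].Client } },
            @{ n = 'Via';      e = { $_.Group[0].Via } },
            @{ n = 'LastSeen'; e = { $_.Group[-1].Time } }
}

# Constructed sample in the netlogon.log layout (not real log data).
$sampleText = @'
10/10 09:15:02 [LOGON] [1468] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WS01 (via SRV01) Entered
10/10 09:15:02 [LOGON] [1468] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WS01 (via SRV01) Returns 0xC000006A
10/10 09:15:04 [LOGON] [1468] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WS01 (via SRV01) Returns 0xC000006A
10/10 09:16:10 [LOGON] [1468] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WS01 Returns 0xC000006A
'@
$sample = $sampleText -split "`r?`n"

Get-NetlogonBadPasswordSources -Lines $sample -User 'jsmith' | Format-Table -AutoSize

# Against a live DC: Enable-NetlogonDebug, wait for the lockout to recur, then
# Get-NetlogonBadPasswordSources -User 'jsmith' and finally Disable-NetlogonDebug.
```

The "Via" column is the one to watch when the caller is a relay such as a RADIUS, Exchange or web server: that server is the client's identity as far as the DC is concerned, so the investigation then continues on that server's own logs.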
 
LVL 30

Accepted Solution

by:Rich Weissler
Rich Weissler earned 1200 total points (awarded by participants)
ID: 41838230
I'm assuming "AD account keep locking account" means that there is an AD account that keeps getting locked out, and that this is an undesirable situation.  This normally occurs because authentication fails due to a bad password more times within a relatively brief period of time than is configured for your domain.

Lockout policies are implemented to prevent 'the bad guy' from brute forcing passwords by repeatedly guessing possible passwords.  In recent years, as more software and devices with passwords saved locally authenticate against Active Directory, it's more common that users' own devices lock them out of their accounts when they change their passwords.

There are a couple possible paths to a solution:
1. It is possible to turn off the lockout policy.  The software or device (or a hypothetical bad guy guessing passwords) will continue to fail to authenticate, but it won't lock the account.  The setting will be in the Group Policy - Default Domain Policy.
2. If you wish to keep the lockout policy, you'll want to track down the software, device, or bad guy.  Looking at the 4771 events in the domain controller Security Event Log is a good start -- but I'd be tempted to focus on the events 4740 - 'cause they'll often tell you exactly which device is causing the lockout.
0
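The event-log approach in the accepted solution above (4740 to name the caller computer, 4771 for the Kerberos client IP), written out as an added PowerShell example that is not part of the original answer. It assumes the ActiveDirectory module, rights to read the domain controllers' Security logs, and that the audit categories which produce 4740 (User Account Management) and 4771 (Kerberos Authentication Service) are enabled; the user name 'jsmith' is a placeholder.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory module
# and read access to the DC Security logs.

function ConvertTo-EventData {
    # Turns a Security event's <EventData> into a name -> value hashtable so fields
    # are read by name rather than by position.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
    $d
}

function Get-LockoutSources {
    # Every lockout in the domain is replicated to the PDC emulator as a 4740 event,
    # so it is the one DC that needs to be queried.
    param([string]$User, [int]$Hours = 24)
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            [pscustomobject]@{
                Time           = $_.TimeCreated
                User           = $d['TargetUserName']
                # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
                CallerComputer = $d['TargetDomainName']
                LockingDC      = $d['SubjectUserName']     # DC computer account that did the lockout
            }
        } |
        Where-Object { -not $User -or $_.User -eq $User }
}

function Get-KerberosPreauthFailures {
    # 4771 is logged on whichever DC served the request, so point -DC at the one
    # named in the 4740 event (defaults to the PDC emulator).
    param([string]$User, [int]$Hours = 24, [string]$DC = (Get-ADDomain).PDCEmulator)
    $filter = @{ LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            [pscustomobject]@{
                Time     = $_.TimeCreated
                User     = $d['TargetUserName']
                ClientIp = $d['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
                Status   = $d['Status']     # 0x18 = wrong password, 0x12 = account locked/disabled
            }
        } |
        Where-Object { -not $User -or $_.User -eq $User }
}

# Usage ('jsmith' is a placeholder account name):
Get-LockoutSources -User 'jsmith' -Hours 48 | Format-Table -AutoSize
Get-KerberosPreauthFailures -User 'jsmith' |
    Group-Object ClientIp, Status | Sort-Object Count -Descending | Select-Object Count, Name

# The threshold the first option in the answer talks about lives in the Default Domain Policy:
Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration
```

Reading the fields from the event XML matters here because the 4740 layout is easy to misread: the caller computer is stored under TargetDomainName, so positional `Properties[1]` lookups work by accident rather than by design. The 4771 status code tells you whether you are looking at the guesses themselves (0x18) or at the aftermath once the account is already locked (0x12).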
 

Author Comment

by:abcd ab01
ID: 41838780
4740 - thanks for helping me. I ran a filter for this event and found the caller computer name. What would be the next step?
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41838809
Track down that computer.  If it's a user's computer, it's likely it is a cached or stored password.  If it's a web server, it could be a stored password in a user's browser... (Still a stored password, but back to a user's computer... might need to go through web logs to find the source of the password.)  If it's a RADIUS server, it could be a stored/cached password for something authenticating against it... (wireless, etc).

If it's completely alien... it could actually be a bad guy attempting a brute force attack.
0
 

Author Comment

by:abcd ab01
ID: 41838813
How to check web logs?
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41838849
If logging is turned on on the web server, in IIS, by default they would be under the Inetpub/logs/logfiles/W3SVC#, where # is the site number... and they can be configured to be nearly anywhere.  Depending on the way the site which is doing the authentication is configured, you can either track by time/date to find the connecting computer's IP address... or just perform a search for the userid to find the line... which will still tell you the connecting computer's IP address.
If the web server is something other than IIS (Apache, for example), you'll probably want to open a separate ticket to get assistance from an Apache expert.
0
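An added example of the IIS log search described above; it is not code from the original comment. The parser reads the `#Fields:` header of the W3C log so columns are found by name rather than by position, and the site number in the default path is a placeholder. The sample lines are constructed, not real traffic, and 'jsmith' is a placeholder user.

```powershell
# Added example (not from the original thread).

function ConvertFrom-IisLog {
    # Parses W3C-format IIS log lines into objects, using the "#Fields:" header
    # that each log file carries to name the columns.
    param([Parameter(ValueFromPipeline)][string]$Line)
    begin { $fields = $null }
    process {
        if ($Line.StartsWith('#Fields:')) { $fields = $Line.Substring(8).Trim() -split ' '; return }
        if (-not $fields -or $Line.StartsWith('#') -or -not $Line.Trim()) { return }   # other directives / blanks
        $cols = $Line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        [pscustomobject]$row
    }
}

function Find-IisLoginSources {
    param(
        [Parameter(Mandatory)][string]$User,                    # 'jsmith' or 'CONTOSO\jsmith'
        [string]$LogDir = 'C:\inetpub\logs\LogFiles\W3SVC1',    # placeholder site number
        [int]$Days = 7
    )
    $bare = ($User -split '\\')[-1]          # compare on the bare account name
    Get-ChildItem -Path $LogDir -Filter '*.log' |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        ForEach-Object { Get-Content -Path $_.FullName } |
        ConvertFrom-IisLog |
        Where-Object { $_.'cs-username' -ne '-' -and ($_.'cs-username' -split '\\')[-1] -eq $bare } |
        Select-Object @{ n = 'When';     e = { "$($_.date) $($_.time)" } },
                      @{ n = 'ClientIp'; e = { $_.'c-ip' } },
                      @{ n = 'Status';   e = { $_.'sc-status' } },
                      @{ n = 'Uri';      e = { $_.'cs-uri-stem' } }
}

# Constructed sample log (not real traffic) to try the parser without a web server.
$sampleText = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-10-10 08:01:12 10.0.0.5 GET /owa/ - 443 - 10.0.1.23 Mozilla/5.0 401 2 5 15
2016-10-10 08:01:13 10.0.0.5 GET /owa/ - 443 CONTOSO\jsmith 10.0.1.23 Mozilla/5.0 200 0 0 30
2016-10-10 08:02:40 10.0.0.5 GET /owa/ - 443 jsmith 10.0.7.9 Outlook/16.0 200 0 0 12
'@
$sampleText -split "`r?`n" | ConvertFrom-IisLog |
    Where-Object { ($_.'cs-username' -split '\\')[-1] -eq 'jsmith' } |
    Select-Object date, time, 'c-ip', 'sc-status'

# On the web server itself:
# Find-IisLoginSources -User 'jsmith' -LogDir 'C:\inetpub\logs\LogFiles\W3SVC2' | Format-Table -AutoSize
```

One caveat when reading the output: a request that failed authentication is usually logged with `cs-username` of `-` and status 401, so the bad-password attempts themselves may not carry the user name. That is where the time/date approach from the comment comes in: take the timestamps from the 4740 or 4771 events and look at the 401 lines from the same `c-ip` around those times.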
 

Author Comment

by:abcd ab01
ID: 41838854
Thanks!
0
 
LVL 15

Expert Comment

by:Ajit Singh
ID: 41841876
Do these users have email on their phones? If the phone has the wrong password it will try over and over again until it locks the AD account.

Also make sure there are no old stored passwords in Credential Manager; this could also cause the lockouts.

Few more reasons:

A user has scheduled tasks on their PC, but has recently changed their password and failed to update the credentials associated with their scheduled tasks.

User receives Exchange emails on their phone, recently changed their PW, failed to update their phone.

User has logged in at a different PC, forgotten to log off, and has changed their PW since then.

A service running as a user on a PC or server, service user's PW was changed but never updated on the service.

Also get help from this earlier thread: http://slickdeals.net/f/1181735-solved-user-s-ad-account-keeps-locking-out-no-bad-passwords-or-lockouts-registering-in-netlogon

Have a look at this How-To article published by another community member detailing some common downloads and troubleshooting steps when dealing with issues like these:

http://community.spiceworks.com/how_to/show/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

Identify the source of Account Lockouts in Active Directory:
https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory

Hope this helps!
0
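An added example, not from the original comment, that checks the places the list above names on the computer identified by the 4740 event: scheduled tasks, services, saved Credential Manager entries and forgotten interactive sessions. It assumes an elevated session on that computer (Windows 8/Server 2012 or later for `Get-ScheduledTask`); the account name 'jsmith' and computer 'WS01' are placeholders.

```powershell
# Added example (not from the original thread). Run on the caller computer from event 4740.

function Get-StoredCredentialUses {
    param([Parameter(Mandatory)][string]$User)     # bare sAMAccountName, e.g. 'jsmith'
    $u = [regex]::Escape($User)
    # Matches "jsmith", "CONTOSO\jsmith", ".\jsmith" and "jsmith@contoso.com"
    $asAccount = '(^|\\)' + $u + '($|@)'

    # Scheduled tasks whose principal is the user (a stale task password keeps retrying)
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $asAccount } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'ScheduledTask'; Name = $_.TaskPath + $_.TaskName; RunAs = $_.Principal.UserId }
        }

    # Services configured to log on as the user
    Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartName -match $asAccount } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName }
        }

    # Credential Manager entries: cmdkey prints "Target:" then "User:" lines per entry.
    # Note: this lists the vault of the account running the script, not other users' vaults.
    $target = $null
    foreach ($line in (cmdkey /list 2>$null)) {
        if ($line -match '^\s*Target:\s*(.+)$') { $target = $Matches[1]; continue }
        if ($line -match '^\s*User:\s*(.+)$') {
            $stored = $Matches[1]
            if ($stored -match $asAccount) {
                [pscustomobject]@{ Kind = 'CredentialManager'; Name = $target; RunAs = $stored }
            }
        }
    }

    # Interactive sessions still open for the user (logged on elsewhere, never logged off)
    foreach ($line in (query user 2>$null)) {
        if ($line -match ('^\s*>?' + $u + '\s')) {
            [pscustomobject]@{ Kind = 'LogonSession'; Name = $line.Trim(); RunAs = $User }
        }
    }
}

# Locally:
Get-StoredCredentialUses -User 'jsmith' | Format-Table -AutoSize

# Remotely against the caller computer named in the 4740 event (placeholder name):
# Invoke-Command -ComputerName 'WS01' -ScriptBlock ${function:Get-StoredCredentialUses} -ArgumentList 'jsmith'
```

The Credential Manager check is the one that needs care: the vault is per user, so running the script remotely as an administrator shows the administrator's saved credentials, not the affected user's. For that item, either run it in the user's own session or have the user open Credential Manager themselves. Phone mail profiles, the first item in the comment, have no local trace on the PC at all; the caller computer in the 4740 event for those is normally the Exchange or ActiveSync front end, which is why the web server log search in the earlier comment is the way to reach them.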
 

Author Comment

by:abcd ab01
ID: 41842296
Thanks everyone, I was able to resolve the issue after running 4740 - 'cause they'll often tell you exactly which device is causing the lockout!
0
 
LVL 30

Expert Comment

by:Rich Weissler
ID: 41868064
Going with the solution the requester indicated helped -- Ganesamoorthy had also indicated looking at the event logs, and the final answer built on that idea.
0
