InSearchOf (United States) asked:

Account lockouts

I recently had to change my password because of our password policy in effect. I changed my settings on my mobile phone as well. My AD account is getting locked out every 5 minutes and I cannot see why. I don't have any services or applications running under my user account (that I know of). I deleted anything that was stored in my Credential Manager. I ran a utility that shows me what computer is locking my account but I cannot see why. It is one of our DCs that I may have RDPed to and never logged off. Is that possible?
SOLUTION (Albert Widjaja, Australia):
Check the task scheduler? You may have a task running that you entered with those creds.
ASKER:
Thanks for the info. I did check Task Scheduler and nothing there was running under my user account. I had changed my ActiveSync settings already. This is the third time I have had to change my password and never had this problem until now. I installed the Netwrix utility and enabled the Failure Audit Logon on the domain controller default policy. When I run the utility and select the user and target DC, it tells me I need to enable Failure Audit Logon on the target workstation.
What is the Event Viewer on the domain controller telling you? Do you have any NETLOGIN errors? If so, can you post them or any others you think might be useful, and also from the workstation?
In the Event Viewer under Security logs I am getting event ID 4656 from source Microsoft Windows, Task Category File System. See attached.
Attachment: Security_AuditFailure_EventID_4656.txt
Those events come from audit Failure being enabled and show only the symptom and not the cause. You can turn those on or off by:

auditpol /set /subcategory:"Handle Manipulation" /failure:disable   (use /failure:enable to turn them back on)

This may be a long shot, but reset the password (you can use the same one) in AD and then try un-joining from the domain and then re-joining, to re-establish the trust relationship on the machine.
Well, at this point I am willing to try anything as this has been going on for three days now and has really been impacting. I tried running the utility from Netwrix but it is not helping. All it shows is that I am locked out but not why, even though it is supposed to.
That did not work either. Is there something I can run that will show what is locking out my account?
If you're absolutely sure it's coming from that machine, and it seems you are, maybe you should try doing a system restore from a point when there were no problems, or do a system repair from disk; if those two things don't work, reload the OS as a last resort. Obviously you can't have the machine online, and it's pins and needles trying to find the culprit. If it were me, at this point I would work in that direction, making the OS reinstall the last resort.
OK. I will try that. Thanks for the help
That did not work either. The odd thing is I was able to reset my AD password to what it was and I am still having the issue.
what part didn't work?
I still get locked out.
did you do a system restore or did you do a repair or did you do an OS reload?
No, I did a system restore. I selected a restore point to a time before I had the problem. Also, I tried changing my login name and still got locked out. I shut down my workstation and worked off my laptop to see if it was something on my workstation causing the issue. It still locked after about 10 min.
ASKER CERTIFIED SOLUTION
OK. Let me try that. Thanks for help.
Hi,

Try it using this PowerShell script:

It will list any Security events that belong to your username, so that you know where your AD user account is being used.

```powershell
Import-Module ActiveDirectory

# Logon type codes as recorded in Properties[8] of event 4624
$LogonType = @{
    [uint32]2  = 'Interactive'
    [uint32]3  = 'Network'
    [uint32]4  = 'Batch'
    [uint32]5  = 'Service'
    [uint32]7  = 'Unlock'
    [uint32]8  = 'NetworkCleartext'
    [uint32]9  = 'NewCredentials'
    [uint32]10 = 'RemoteInteractive'
    [uint32]11 = 'CachedInteractive'
}

# Replace "YourUserName" with the account being locked out and make sure C:\TEMP exists.
# The LDAP filter (userAccountControl bit 8192 = SERVER_TRUST_ACCOUNT) selects the domain controllers.
Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))" | ForEach-Object {
    "Processing $($_.DNSHostName) ..." | Write-Host
    # Successful logons (4624) on this DC whose event data contains the user name
    Get-WinEvent -ComputerName $_.Name -FilterHashTable @{LogName="Security"; ID=4624; Data="YourUserName"} -MaxEvents 200 -ErrorAction SilentlyContinue | ForEach-Object {
        New-Object PSObject -Property ([ordered]@{
            MachineName     = $_.MachineName
            TimeCreated     = $_.TimeCreated
            User            = $_.Properties[5].Value    # TargetUserName
            Domain          = $_.Properties[6].Value    # TargetDomainName
            LogonType       = $_.Properties[8].Value
            LogonTypeString = $LogonType[$_.Properties[8].Value]
            SourceIP        = $_.Properties[18].Value   # IpAddress
            SourceName      = (Resolve-DnsName -Name $_.Properties[18].Value -ErrorAction SilentlyContinue).NameHost
            Keywords        = $_.KeywordsDisplayNames -join ";"
        })
    }
} | Export-Csv -Path C:\TEMP\EventLogged.csv -NoTypeInformation -UseCulture
```



Let us know here where else your account is being used.
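The script above looks for successful logons (4624). The more direct trail for a lockout is the 4740 "account was locked out" event, which every DC forwards to the PDC emulator and which names the caller computer, together with the bad-password events that precede it (4771 Kerberos pre-authentication failure, 4776 NTLM credential validation), which carry the source address or workstation. The following is an added example, not code from the original thread or from the Netwrix or ManageEngine tools mentioned; it assumes the RSAT ActiveDirectory module, failure auditing enabled on the DCs for Account Lockout, Kerberos Authentication Service and Credential Validation, and a hypothetical account name passed in -UserName.

```powershell
# Added example (not from the original thread): find where an AD account
# lockout originates by reading 4740 from the PDC emulator and the
# preceding 4771/4776 failures from every DC. Account name is hypothetical.

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$UserName,   # sAMAccountName being locked out
        [int]$Hours = 24                            # how far back to look
    )
    Import-Module ActiveDirectory
    $pdc   = (Get-ADDomain).PDCEmulator
    $since = (Get-Date).AddHours(-$Hours)

    # 4740: Properties[0] = TargetUserName, Properties[1] = "Caller Computer Name"
    Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
      Where-Object { $_.Properties[0].Value -ieq $UserName } |
      ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Event   = 4740
            Account = $_.Properties[0].Value
            Source  = $_.Properties[1].Value
            Status  = 'locked out'
            DC      = $_.MachineName
        }
      }

    # The failing client authenticates against whichever DC it reaches, so
    # the bad-password events have to be collected from every DC.
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        # 4771: [0] TargetUserName, [4] Status (0x18 = bad password), [6] IpAddress
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.Properties[0].Value -ieq $UserName } |
          ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Event   = 4771
                Account = $_.Properties[0].Value
                Source  = $_.Properties[6].Value -replace '^::ffff:', ''   # strip IPv4-mapped prefix
                Status  = $_.Properties[4].Value
                DC      = $dc
            }
          }
        # 4776: [1] TargetUserName, [2] Workstation, [3] Status (0xC000006A = bad password)
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4776; StartTime = $since } -ErrorAction SilentlyContinue |
          Where-Object { $_.Properties[1].Value -ieq $UserName } |
          ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Event   = 4776
                Account = $_.Properties[1].Value
                Source  = $_.Properties[2].Value
                Status  = $_.Properties[3].Value
                DC      = $dc
            }
          }
    }
}

# Usage: one row per lockout or failed attempt, newest first.
Get-LockoutSource -UserName 'YourUserName' -Hours 6 |
    Sort-Object Time -Descending |
    Format-Table Time, Event, Source, Status, DC -AutoSize
```

Read the Source column against the lockout times: the host that shows up in the 4771/4776 rows just before each 4740 row is the one presenting the old password. A Source of 127.0.0.1, ::1 or the DC's own name means the failing logon originates on the domain controller itself, typically a service, scheduled task or stored credential on that DC rather than a workstation.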
OK thanks. Also we just got AD Manager and ADAudit Plus. From what I understand you can use it to track account lockouts. When I look at the source IP of the lockout it is showing a loopback address, 127.0.0.1. How would I track that down?
I ran the script as is and got this message "No events were found that match the specified selection criteria" . Are there some fields in the script I need to change?
OK I finally found my problem. Instead of creating a service account to use, I used my AD account to enable DNS dynamic registration in my IPv4 DHCP properties.
Darn! Guess you won't be doing that again. Glad you found it!
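The cause here, a user account stored as the DHCP server's dynamic DNS registration credential, is one of several places on a host where a password can be left behind after a change; the thread also checked services, Task Scheduler and Credential Manager by hand. The following is an added example, not code from the original thread, that inventories those places on one host for a named account. It assumes the ScheduledTasks and DhcpServer modules (Windows Server 2012 or later), an elevated session on the host being checked, and a hypothetical account name.

```powershell
# Added example (not from the original thread): list the places on this host
# where a given account is configured, so a stale password can be found after
# a password change. Account name passed in -UserName is hypothetical.

function Find-AccountUsage {
    param([Parameter(Mandatory)][string]$UserName)   # 'CONTOSO\jdoe' or 'jdoe'
    # match on the bare user name whether or not a domain prefix was given
    $pattern = [regex]::Escape(($UserName -split '\\')[-1])

    # Windows services whose logon account matches
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Where = 'Service'; Item = $_.Name; Account = $_.StartName }
        }

    # Scheduled tasks whose principal matches
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Where = 'ScheduledTask'; Item = $_.TaskPath + $_.TaskName; Account = $_.Principal.UserId }
        }

    # DHCP server dynamic DNS registration credential (only when the DHCP role is installed)
    if (Get-Command Get-DhcpServerDnsCredential -ErrorAction SilentlyContinue) {
        $cred = Get-DhcpServerDnsCredential -ErrorAction SilentlyContinue
        if ($cred -and $cred.UserName -match $pattern) {
            [pscustomobject]@{ Where = 'DhcpDnsCredential'; Item = "$($cred.DomainName)\$($cred.UserName)"; Account = $cred.UserName }
        }
    }

    # Credential Manager entries of the current user ("User: DOMAIN\name" lines from cmdkey)
    cmdkey /list | Where-Object { $_ -match "User:\s+.*$pattern" } |
        ForEach-Object {
            [pscustomobject]@{ Where = 'CredentialManager'; Item = $_.Trim(); Account = $UserName }
        }
}

Find-AccountUsage -UserName 'YourUserName' | Format-Table -AutoSize
```

Run it on each host that the lockout events point to, the DC included; the Credential Manager section only sees the vault of the user running the script, so run it as the affected user for that part. Any hit is a candidate to move to a dedicated service account or, for the DHCP case, to update with Set-DhcpServerDnsCredential.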