Leadtheway
asked on
AD Account Lockout
Having an issue with a current user's admin account. It's locking on its own consistently; using the LockoutStatus tool, it appears to have bad password attempts on a couple of DCs, though the user says they aren't logging into them. Checking one of them, I'm getting a lot of audit failures, 1 per minute with event ID 4771. But I can't figure out what could possibly be failing and locking out; I checked services and it's not being used for a service account on that machine. Any ideas?
Check scheduled tasks too
Consider that you could have an infected workstation in your network and a virus is trying to break the administrator password.
Double check your network security
ASKER
There are no scheduled tasks on the machine.
One per minute is very low for a brute force; typically they are in the region of 1,500 per minute.
What is your lockout policy set as?
Did the user change their password recently? If so, maybe they have used that account to set up some odd piece of software/equipment using the old credentials and now it is failing. Maybe an app that queries AD in the background? A monitoring service on a device that is using old creds? Need more information to continue pointing in the right direction.
ASKER
4 attempts... I just wish there was an easy way to determine the source. It's an admin account, so it's only used when logging into servers. When I look at the event ID, it's the Kerberos Authentication Service, and in the details it's:
TargetUserName admin.user
TargetSid S-1-5-21-3203867267-214722020-326284122-30132
ServiceName krbtgt/domain.LOCAL
When I PowerShell that SID, it resolves to the TargetUserName.
Just have a look at this
https://technet.microsoft.com/en-us/library/hh994574(v=ws.11).aspx
a setting above 4 and below 10 could be an acceptable starting point for your organization.
A good recommendation for such a configuration is 50 invalid sign-in attempts,
Have you tried checking for event 4740 on the PDC? Then try to find the events correlating to that account. There has to be a failed authentication attempt from somewhere.
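One way to do that correlation from a management host, added here as an example and not part of any answer in this thread: it pulls 4740 events from the PDC emulator (which carry the Caller Computer Name) and 4771 events from every DC (which carry the client IP address), then summarises where the bad passwords are coming from. It assumes the RSAT ActiveDirectory module, remote read access to each DC's Security log, and that `admin.user` is the account in question.

```powershell
# Added example, not from the thread. Pulls 4740 (lockout) events from the PDC emulator,
# which records the "Caller Computer Name", and 4771 (Kerberos pre-auth failure) events
# from every DC, which record the source IP, then summarises where the bad passwords come from.
# Assumes the RSAT ActiveDirectory module and rights to read each DC's Security log remotely.
param(
    [string]$Account = 'admin.user',   # assumed sAMAccountName; replace with the real one
    [int]$Hours = 24
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

# Flatten the EventData section of a Security event into a hashtable keyed by field name.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($node in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$node.Name] = $node.'#text'
    }
    return $data
}

# Query one DC for one event ID and keep only records for the account of interest.
function Get-DcEvents {
    param([string]$Dc, [int]$Id)
    Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = $since
    } | ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.TargetUserName -ne $Account) { return }
        # 4740 stores the caller computer name in TargetDomainName; 4771 stores the client IP in IpAddress.
        $src = if ($Id -eq 4740) { $d.TargetDomainName } else { $d.IpAddress }
        # Status is set for 4771 only: 0x18 means a wrong password (KDC_ERR_PREAUTH_FAILED).
        [pscustomobject]@{ Time = $_.TimeCreated; DC = $Dc; Id = $Id; Source = $src; Status = $d.Status }
    }
}

$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-DcEvents -Dc $pdc -Id 4740
$failures = (Get-ADDomainController -Filter *).HostName | ForEach-Object { Get-DcEvents -Dc $_ -Id 4771 }

"Lockouts of $Account recorded on $pdc in the last $Hours h (Source = caller computer):"
$lockouts | Sort-Object Time | Format-Table Time, Source -AutoSize
"4771 pre-auth failures for $Account, grouped by DC and source address:"
$failures | Group-Object DC, Source | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The highest-count group in the second table is the machine to inspect; one source address failing about once a minute matches the pattern described in the question.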
ASKER
OK, searching for that on this DC I get:
Account That Was Locked Out:
Security ID: Domain\admin.User
Account Name: admin.User
Additional Information:
Caller Computer Name: KCC-ITDIR004
What server is KCC-ITDIR004, a DC?
ASKER
Actually, I think that is the user's PC.
I'm going to assume it's a PC based on the name, even though I do not know your organization's convention. You need to start looking at that system.
Check for software on the computer, services, Spiceworks, etc. Something is automatically polling AD with incorrectly saved creds. Did the user recently change this account's password?
Can you confirm, please? If this is a server like UAG, Exchange, IIS etc. the solution is different
ASKER
It is indeed his PC.
So check for anywhere that his password may be saved. Could be Outlook, could be some piece of software that has to be run a particular way, a scheduled task... right now, very wide open. However, we do at least know the system that the problem is originating from.
ASKER CERTIFIED SOLUTION
ASKER
Even at 50, if there is a service running the bad password somewhere, wouldn't it still lock out?
Not at 1 per minute. That is 15 per 15-minute observation window; 15 < 50, so it will not lock. It will only lock at ~3-4 per minute.
ASKER
Ahh... I might go ahead and try that then.
Remember that this should tie into a maximum password age of 30-41 days and password history.
An 8-character password (4 lower-case letters, 2 special characters, 2 numbers) has 457,163,239,653,376 combinations, so ~3-4 per minute is going to take a while, and before they have even scratched the surface the password is changed again.