Leadtheway (United States of America) asked:
AD Account Lockout

Having an issue with a current user's admin account. It's locking on its own consistently; using the LockoutStatus tool, it appears to have bad password attempts on a couple of DCs, though the user says they aren't logging into them. Checking one of them, I'm getting a lot of audit failures, 1 per minute, with event ID 4771. But I can't figure out what could possibly be failing and locking out; I checked services and it's not being used for a service account on that machine. Any ideas?
Shaun Vermaak (Australia):

Check scheduled tasks too
Consider that you may have an infected workstation in your network and a virus is trying to break the administrator password.
Double check your network security.
Leadtheway (asker):
There are no scheduled tasks on the machine.
One per minute is very low for a brute force; typically they are in the region of 1500 per minute.
What is your lockout policy set as?
Sean Ohlrich:
Did the user change their password recently? If so, maybe they have used that account to set up some odd piece of software/equipment using the old credentials and now it is failing. Maybe an app that queries AD in the background? Monitoring service on a device that is using old creds? Need more information to continue pointing in the right direction.
4 attempts... I just wish there was an easy way to determine the source. It's an admin account, so it's only used when logging into servers. When I look at the event ID, it's the Kerberos Authentication Service, and in details it's:

  TargetUserName admin.user
  TargetSid S-1-5-21-3203867267-214722020-326284122-30132
  ServiceName krbtgt/domain.LOCAL

When I PowerShell that SID, it resolves to the TargetUserName.
Just have a look at this

https://technet.microsoft.com/en-us/library/hh994574(v=ws.11).aspx

a setting above 4 and below 10 could be an acceptable starting point for your organization.
A good recommendation for such a configuration is 50 invalid sign-in attempts,
Have you tried checking for event 4740 on the PDC? Then try to find the events correlating to that account. There has to be a failed authentication attempt from somewhere.
OK, searching for that on this DC I get:
Account That Was Locked Out:
      Security ID:            Domain\admin.User
      Account Name:            admin.User

Additional Information:
      Caller Computer Name:      KCC-ITDIR004
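The procedure suggested above (4740 on the PDC emulator to get the caller computer, then 4771 on each DC to see the failures) can be scripted end to end. The following PowerShell is an added example written for this thread, not code posted by any participant. It assumes domain admin rights on a host with the RSAT ActiveDirectory module and remote Event Log (RPC) access to every DC; the account name is a placeholder. It also replays the DC's lockout counter over the 0x18 failures: the counter resets to zero only when the gap since the previous bad password exceeds the observation window, so a steady trickle of bad passwords that never pauses for longer than the window still accumulates toward the threshold.

```powershell
# Added example (not from the thread): trace an account lockout back to its source
# and replay the lockout counter against the domain's policy values.
# Assumptions: RSAT ActiveDirectory module, remote Security log access to all DCs,
# and placeholder values for the account and policy parameters.
param(
    [string]$Account = 'admin.user',     # placeholder sAMAccountName
    [int]$Hours = 24,
    [int]$ObservationMinutes = 15,       # "Reset account lockout counter after"
    [int]$Threshold = 50                 # "Account lockout threshold"
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

# Flatten the <Data Name="..."> elements of an event into a hashtable.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Events of one Id for the account from one DC, with their parsed data.
function Get-AccountEvents {
    param([string]$Dc, [int]$Id)
    Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d['TargetUserName'] -eq $Account) {
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $Dc; Data = $d }
            }
        }
}

# 1. 4740 is written on the PDC emulator. The "Caller Computer Name" shown in
#    Event Viewer is carried in the TargetDomainName field of the event data.
$pdc = (Get-ADDomain).PDCEmulator
Write-Output "4740 lockouts for $Account on $pdc (last $Hours h):"
Get-AccountEvents -Dc $pdc -Id 4740 |
    ForEach-Object { [pscustomobject]@{ Time = $_.Time; CallerComputer = $_.Data['TargetDomainName'] } } |
    Format-Table -AutoSize | Out-String | Write-Output

# 2. 4771 (Kerberos pre-auth failed) can land on any DC, so query all of them.
#    Status 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. a wrong password; other codes
#    (for example 0x12, account locked/revoked) are consequences, not causes.
$failures = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-AccountEvents -Dc $dc -Id 4771 | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.Time
            DC     = $_.DC
            Status = $_.Data['Status']
            Client = ($_.Data['IpAddress'] -replace '^::ffff:', '')   # drop IPv4-mapped prefix
        }
    }
}
Write-Output "4771 failures by client address and status:"
$failures | Group-Object Client, Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize | Out-String | Write-Output

# 3. Replay the lockout counter. Bad passwords are forwarded to the PDC, so the
#    failures from all DCs are merged in time order. The counter resets only when
#    the gap since the previous bad password exceeds the observation window.
$count = 0; $last = $null
foreach ($f in ($failures | Where-Object Status -eq '0x18' | Sort-Object Time)) {
    if ($last -and ($f.Time - $last).TotalMinutes -gt $ObservationMinutes) { $count = 0 }
    $count++
    $last = $f.Time
    if ($count -ge $Threshold) {
        '{0:u}  threshold {1} reached; last bad password from {2} via {3}' -f $f.Time, $Threshold, $f.Client, $f.DC
        $count = 0   # account is now locked; counter starts over after the unlock
    }
}
```

Run it from an admin host with `.\Find-LockoutSource.ps1 -Account admin.user`. The first table should name the caller computer (the same value as the "Caller Computer Name" line above); the second shows which client address is generating the 0x18 failures and on which DC, so the two views can be cross-checked. If the replay in step 3 prints no lines for the current policy values, the observed rate is not enough to trip the threshold; if it does, raising the threshold alone will not stop the lockouts and the stored credential on the caller has to be found.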
What server is KCC-ITDIR004, a DC?
Actually, I think that is the user's PC.
I'm going to assume it's a PC based on the name, even though I do not know your organization's convention. You need to start looking at that system.
Check for software on the computer, services, spiceworks, etc...  Something is automatically polling AD with incorrectly saved creds.  Did the user recently change this account password?
Can you confirm, please? If this is a server like UAG, Exchange, IIS etc. the solution is different
It is indeed his PC.
So check for anywhere that his password may be saved. Could be Outlook, could be some piece of software that has to be run a particular way, a scheduled task... right now, very wide open. However, we do at least know the system that the problem is originating from.
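The places listed above (scheduled tasks, services, software with saved credentials, mapped drives, lingering logon sessions) can be inventoried from one script on the caller computer. This PowerShell is an added example written for this thread, not code posted by any participant; it assumes local admin rights on the workstation, Windows 8 / Server 2012 or later (for the ScheduledTasks module), and a placeholder account name. Credential Manager entries are per user, so that part only sees the profile the script runs under.

```powershell
# Added example (not from the thread): on the workstation named by the 4740 event,
# list where a domain account's credentials may be stored and replayed after a
# password change. Assumptions: local admin rights, ScheduledTasks module present,
# placeholder account name.
param([string]$Account = 'admin.user')   # placeholder sAMAccountName

$hits = [System.Collections.Generic.List[object]]::new()
function Add-Hit([string]$Source, [string]$Name, [string]$RunAs) {
    $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; RunAs = $RunAs })
}

# 1. Scheduled tasks whose principal is the account.
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$Account*" } |
    ForEach-Object { Add-Hit 'ScheduledTask' "$($_.TaskPath)$($_.TaskName)" $_.Principal.UserId }

# 2. Services configured to log on as the account.
Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "*$Account*" } |
    ForEach-Object { Add-Hit 'Service' $_.Name $_.StartName }

# 3. Mapped drives / persistent network connections made with the account.
Get-CimInstance Win32_NetworkConnection | Where-Object { $_.UserName -like "*$Account*" } |
    ForEach-Object { Add-Hit 'NetworkConnection' $_.RemoteName $_.UserName }

# 4. Credential Manager entries for the current user. cmdkey prints plain text
#    ("Target: ...", then "User: ..."), so pair each User line with its Target.
$target = $null
cmdkey /list 2>$null | ForEach-Object {
    if ($_ -match '^\s*Target:\s*(.+)$') { $target = $Matches[1] }
    elseif ($_ -match '^\s*User:\s*(.+)$' -and $Matches[1] -like "*$Account*") {
        Add-Hit 'CredentialManager' $target $Matches[1]
    }
}

# 5. Interactive or disconnected logon sessions for the account. A session opened
#    before the password change keeps the old credential and retries with it.
query user 2>$null | Select-Object -Skip 1 | ForEach-Object {
    $line = $_.Trim() -replace '^>', ''
    $user = ($line -split '\s{2,}')[0]
    if ($user -like "*$Account*") { Add-Hit 'LogonSession' $line $user }
}

# 6. Processes running under the account (an app polling AD in the background).
Get-CimInstance Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($owner.User -like "*$Account*") {
        Add-Hit 'Process' "$($_.Name) (PID $($_.ProcessId))" "$($owner.Domain)\$($owner.User)"
    }
}

$hits | Sort-Object Source, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the workstation, and again in the user's own session for the Credential Manager check. Each row is a candidate for the stale credential; after fixing or removing one, watch the 4771 stream on the DC for a few minutes to confirm the failures stop before moving to the next.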
ASKER CERTIFIED SOLUTION
Avatar of Shaun Vermaak
Shaun Vermaak
Even at 50, if there is a service running with the bad password somewhere, wouldn't it still lock out?
Not at 1 per minute. That is 15 per 15-minute observation window. 15 < 50, so it will not lock. It will only lock at ~3-4 per minute.
Ahh.. I might go ahead and try that then.
Remember that this should tie into a maximum password age of 30-41 days and password history.
An 8-character password (4 lower case letters, 2 special characters, 2 numbers) has 457,163,239,653,376 combinations, so ~3-4 per minute is going to take a while, and before they have even scratched the surface the password is changed again.