Mike2015

User account lockout - Server 2012R2
Last night, a user was locked out of our Active Directory domain. I unlocked him a few minutes later and all was well. However, I am having trouble finding why he was locked out. I see one entry in the security log on the server holding the PDC emulator role for Event ID 4740 at 8:10 PM. This points to the Caller Computer Name, which does in fact belong to the user.

The user reported he was working on our RDS server (same as all of our other users) and all of a sudden the Outlook window asking for username and password popped up, and it kept popping up, and he didn't understand why. This took place after 10 PM PST. I do see entries for Event IDs 5152 (filtering platform packet drop) and 5157 (filtering platform connection) around 8:10 PM, just seconds before the user was locked out. One of those entries says that if the Kerberos ticket is malformed (possibly due to packet loss) that could cause an account lockout. I have our SOC looking into potential packet loss; other than that, I am at a loss as to what caused the account lockout.

I plan on connecting to his workstation to check for cached credentials, scheduled tasks, or services that may be using his domain user account. I will also be checking his workstation's application logs to try and correlate that with the account lockout. Any help is appreciated.
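The search the question describes, scripted: find the PDC emulator, pull the 4740 events for a window around the reported time, and read the locked account and caller computer from the event XML rather than from the message text. This is an added example, not code from the thread; it assumes the ActiveDirectory RSAT module, Event Log Readers (or equivalent) rights on the domain controllers, and remote event log access (RPC) to them. The user name 'jdoe' and the time window are placeholders.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module and remote Security-log read access on the DCs; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Get-AccountLockoutEvents {
    param(
        [string]$UserName,                            # sAMAccountName; omit to list every lockout
        [datetime]$Start = (Get-Date).AddHours(-24),
        [datetime]$End   = (Get-Date)
    )

    # 4740 is written only on the PDC emulator, so ask AD which DC holds the role
    # instead of trusting whichever DC the console happens to be bound to.
    $pdc = (Get-ADDomain).PDCEmulator

    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = $Start; EndTime = $End }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the XML. In 4740 the caller computer
        # is carried in the field named TargetDomainName, not in a field of its own.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }

        [pscustomobject]@{
            Time           = $e.TimeCreated
            PdcEmulator    = $pdc
            LockedAccount  = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
            TargetSid      = $data['TargetSid']
        }
    }
}

# Lockout reported at 8:10 PM: use a few minutes either side so the 4740 can be
# lined up with the 5152/5157 filtering-platform events logged just before it.
$when = (Get-Date).Date.AddHours(20).AddMinutes(10)   # 8:10 PM today; adjust to the night in question
Get-AccountLockoutEvents -UserName 'jdoe' -Start $when.AddMinutes(-5) -End $when.AddMinutes(5) |
    Format-Table -AutoSize

# Where did the bad attempts land? badPwdCount and the last bad-password time are
# kept per DC and are not replicated, so ask each DC directly.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-ADUser -Identity 'jdoe' -Server $dc -Properties LockedOut, badPwdCount, LastBadPasswordAttempt |
        Select-Object @{ n = 'DC'; e = { $dc } }, LockedOut, badPwdCount, LastBadPasswordAttempt
}
```

The per-DC query at the end is the part most people skip: the bad-password counter lives on whichever DC received the attempt, and the PDC only sees the chained retry, so a DC with a non-zero badPwdCount tells you which site (the RDS server, the VPN gateway, or the workstation) the failures came through.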

Mike2015 (ASKER)

I should add that this user connects remotely via a VPN client to a cloud based Active Directory.

Shaun Vermaak

What is your account lockout policy set to?

I would recommend you set it as follows; otherwise, you are just going to troubleshoot accidental lockouts and malformed tickets forever and not brute-force attempts:

  • Account lockout threshold 50
  • Reset account lockout counter after 10 minutes

https://technet.microsoft.com/en-us/library/cc671957(v=ws.10).aspx
https://technet.microsoft.com/en-us/library/hh994574(v=ws.11).aspx
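A way to check what the domain is actually enforcing before changing it, added here as an example rather than taken from the thread: read the default domain policy, any fine-grained password policies, and the resultant policy for the affected user, and flag the settings the answer above warns about. It assumes the ActiveDirectory module and a domain account that can read the policies; the final write is shown as a dry run with -WhatIf. 'jdoe' is a placeholder.

```powershell
# Added example (not from the original thread). Read-only apart from the
# -WhatIf dry run at the end. Assumes the ActiveDirectory module; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

# The values recommended in the answer above.
$RecommendedThreshold = 50
$RecommendedWindow    = New-TimeSpan -Minutes 10

function Test-LockoutPolicy {
    param([Parameter(Mandatory)]$Policy, [string]$Label)

    $findings = @()
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'Threshold 0: lockout disabled, password guessing is unbounded'
    } elseif ($Policy.LockoutThreshold -lt $RecommendedThreshold) {
        $findings += "Threshold $($Policy.LockoutThreshold) is below $RecommendedThreshold: a stale cached credential or a retrying client locks the account, and anyone who knows a user name can lock it deliberately"
    }
    if ($Policy.LockoutObservationWindow -gt $RecommendedWindow) {
        $findings += "Observation window $($Policy.LockoutObservationWindow) is longer than $RecommendedWindow, so unrelated bad attempts accumulate into one lockout"
    }
    if ($Policy.LockoutDuration -eq [TimeSpan]::Zero) {
        $findings += 'LockoutDuration 0: accounts stay locked until an administrator unlocks them'
    }

    [pscustomobject]@{
        Policy    = $Label
        Threshold = $Policy.LockoutThreshold
        Window    = $Policy.LockoutObservationWindow
        Duration  = $Policy.LockoutDuration
        Findings  = ($findings -join '; ')
    }
}

# Default Domain Policy: what secpol.msc and the GPO report show.
$domain  = Get-ADDomain
$default = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DistinguishedName
Test-LockoutPolicy -Policy $default -Label 'Default domain policy'

# Fine-grained policies override the default for the users and groups they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    ForEach-Object { Test-LockoutPolicy -Policy $_ -Label "PSO $($_.Name)" }

# What actually applies to the locked-out user once PSO precedence is resolved
# (no output means no PSO applies and the default domain policy is in effect).
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($effective) { Test-LockoutPolicy -Policy $effective -Label 'Effective for jdoe (PSO)' }
else { 'jdoe: no PSO applies; the default domain policy is in effect' }

# The change the answer recommends, as a dry run. Remove -WhatIf to apply it, and
# keep the observation window no longer than the lockout duration.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DistinguishedName `
    -LockoutThreshold $RecommendedThreshold `
    -LockoutObservationWindow $RecommendedWindow -WhatIf
```

Check the resultant policy for the user, not just the default: a PSO applied to a group the user is in silently replaces every value the default domain policy shows.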

ASKER CERTIFIED SOLUTION
Shaun Vermaak

Thanks Shaun, our account lockout policy is set to lockout after 3 invalid attempts. Users must contact IT to have their account unlocked. Reset account lockout duration is 0. Reset PW after 30 minutes.

Shaun Vermaak
A value this low will only keep biting you. A brute-force is thousands of bad logins per second; all this value is doing is creating a vulnerability to denial of service.

Thank you for your assistance. This appears to be due to a cached credential that was stored on the user's computer. This credential was out of date, and since removing it we have not had the issue come back.

When a user logs in with their domain account, the client contacts the domain controller via Kerberos and requests a ticket granting ticket (TGT). If the user fails authentication, the domain controller logs event ID 4771 or an audit failure instance of 4768. The result code in either event specifies the reason why authentication failed. Bad passwords and time synchronization issues trigger a 4771, while other authentication failures such as account expiration trigger a 4768 failure. These result codes are based on the Kerberos RFC 1510, and in some cases one Kerberos failure reason corresponds to several possible Windows logon failure reasons. In any case, the only way to know the exact reason for the failure is to check the logon event failure reason on the computer the user is trying to log on from.
Otherwise, check for "failed logons" in the Application log if you use a third-party application for VPN, e.g. Event Viewer -> Windows Logs -> Application (Cisco).
It's even possible the server is forwarding events to a "subscribing" server. Check under Event Viewer for any "Subscriptions".
Centralizing your logs saves time and increases the reliability of your log data. Consider centralizing your logs.
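The 4771/4768 decoding described above, scripted as an added example (not code from the thread): pull the failed pre-authentication (4771) and TGT-request (4768) events for one account from every domain controller, translate the Status field into the Kerberos error name, and group by source address so the client producing the bad attempts stands out. It assumes the ActiveDirectory module and remote Security-log read access on the DCs; 'jdoe' and the time window are placeholders. The error-code table covers the codes most often seen in these two events; RFC 4120 section 7.5.9 has the full list.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module and remote Security-log read access on the DCs; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

# Kerberos error codes as they appear in the Status field of 4768/4771
# (numeric values from the Kerberos error table, RFC 4120 section 7.5.9).
$KerberosStatus = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN (user name does not exist)'
    '0x7'  = 'KDC_ERR_S_PRINCIPAL_UNKNOWN (service name does not exist)'
    '0xe'  = 'KDC_ERR_ETYPE_NOSUPP (no mutually supported encryption type)'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (account disabled, expired, or locked out)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (bad password)'
    '0x1f' = 'KRB_AP_ERR_BAD_INTEGRITY (decrypt or checksum failure, e.g. corrupt ticket)'
    '0x20' = 'KRB_AP_ERR_TKT_EXPIRED (ticket expired)'
    '0x25' = 'KRB_AP_ERR_SKEW (clock skew too great)'
    '0x3c' = 'KRB_ERR_GENERIC (generic error, often a transport or KDC-side problem)'
}

function Get-KerberosAuthFailures {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [datetime]$Start = (Get-Date).AddHours(-24),
        [datetime]$End   = (Get-Date)
    )
    # Failures are logged on whichever DC answered the AS-REQ, so query all of them.
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $filter = @{ LogName = 'Security'; Id = 4768, 4771; StartTime = $Start; EndTime = $End }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue

        foreach ($e in $events) {
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # 4768 is also logged for successful TGT requests (Status 0x0); keep real failures only.
            if (-not $data['Status'] -or $data['Status'] -eq '0x0') { continue }
            if ($data['TargetUserName'] -ne $UserName) { continue }

            # Normalise "0x18", "0x018", "0x1F" to one key before the table lookup.
            $code   = '0x{0:x}' -f [Convert]::ToInt32($data['Status'], 16)
            $reason = if ($KerberosStatus.ContainsKey($code)) { $KerberosStatus[$code] }
                      else { 'not in table; see RFC 4120 section 7.5.9' }

            [pscustomobject]@{
                Time    = $e.TimeCreated
                DC      = $dc
                EventId = $e.Id
                Source  = ($data['IpAddress'] -replace '^::ffff:', '')   # strip the IPv4-mapped prefix
                Status  = $code
                Reason  = $reason
            }
        }
    }
}

$failures = Get-KerberosAuthFailures -UserName 'jdoe'
$failures | Sort-Object Time | Format-Table Time, DC, EventId, Source, Status, Reason -AutoSize

# Which client and which reason dominate? Several 0x18 (PREAUTH_FAILED) entries from
# one address inside the observation window is what a stale cached credential looks
# like; 0x25 (SKEW) or 0x1f (BAD_INTEGRITY) points at clocks or a damaged ticket instead.
$failures | Group-Object Source, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it for the window around the 4740 and compare the Source column with the Caller Computer Name in the lockout event: the same address with repeated PREAUTH_FAILED entries confirms a client replaying an old password, while failures from a different address than the caller computer mean the lockout came through another path (the RDS host or the VPN gateway) than the one the 4740 names.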
