While there were several headline-grabbing ransomware attacks during in 2017, another big threat started appearing at the same time that didn’t get the same coverage – illicit cryptomining.
AD Account lockout
I have a user that is getting repeatedly locked out of his Active Directory account. I have checked his mobile phone and removed and re-added the exchange account with the correct credentials. I have run rundll32.exe keymgr.dll, KRShowKeyMgr -- and removed all cached credentials. I have deleted the cached passwords from Internet Explorer. I have checked for any mapped drives and I have removed and re-added the Outlook profile.
I h ave also downloaded and ran the lockoutexaminer. This shows the orig. lock as one of our domain controllers.
I have checked the security event log on the DC for event 4740 and it shows the lockout and the caller computer name is our Exchange server.
The lockouts started happening after the last password change. I also tried changing the password back to the original password,but that did not help either
The lockout appears to occur at regular 15 minute intervals.
Is there anything else I can check to find the source of the account lockout?
Thanks
I h ave also downloaded and ran the lockoutexaminer. This shows the orig. lock as one of our domain controllers.
I have checked the security event log on the DC for event 4740 and it shows the lockout and the caller computer name is our Exchange server.
The lockouts started happening after the last password change. I also tried changing the password back to the original password,but that did not help either
The lockout appears to occur at regular 15 minute intervals.
Is there anything else I can check to find the source of the account lockout?
Thanks
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Perhaps searching the IIS logs on your Exchange server will point you in the right direction.Perhaps he has an iPad or some other thing configured and forgot. I would search the logs for his logon name and see what is trying to use ActiveSync.
Thanks Shaun.
I ran the event comb but I didnt get any results. I am checking the rest of the solutions in your article.
I ran the event comb but I didnt get any results. I am checking the rest of the solutions in your article.
Also these are possibilities about lockout issue,
-Mapped network drives
-Logon scripts that map network drives
-RunAs shortcuts
-Accounts that are used for service account logons
-Processes on the client computers
-Programs that may pass user credentials to a centralized network program or middle-tier application layer
-Active sync devices (cell phone,etc..)
How to identify the source of Account Lockouts in Active Directory:
https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
What are the common root causes of account lockouts and do I resolve them:
https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/
Trace the source of a bad password and account lockout in AD:
https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad
Hope this helps!
-Mapped network drives
-Logon scripts that map network drives
-RunAs shortcuts
-Accounts that are used for service account logons
-Processes on the client computers
-Programs that may pass user credentials to a centralized network program or middle-tier application layer
-Active sync devices (cell phone,etc..)
How to identify the source of Account Lockouts in Active Directory:
https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
What are the common root causes of account lockouts and do I resolve them:
https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/
Trace the source of a bad password and account lockout in AD:
https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad
Hope this helps!
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial
use PsExec on the users workstation with the -S switch to run under the system context the run the command: cmdkey /list
One other thing you can look at is his Exchange account (in the EAC). If you select his account, you can see Mobile Devices on the right side. Clicking details will tell you if he has more than one device connected. Since you indicated that the lockout event indicated the Exchange server, you already have all the detail any scripts I use will tell you. From this point, you have to follow the clues.
You could also try to install Network Monitor on your DC's unlock the account then start the captures as a last resort
Shaun, I have enabled auditing on the client workstation and auditing is turned on for the DC and Exchange servers
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange
From novice to tech pro — start learning today.
-
Microsoft ApplicationsCertification: MCSE Microsoft Certified Systems Engineer - Identity … 440 lessons
-
IT AdministrationCertification: ISCAP Information Systems Certification and Accreditati… 16 lessons
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get this solution by purchasing an Individual license!
Start your 7-day free trial.
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html