users are being lock on AD.

alonig1
alonig1 used Ask the Experts™
on
This is the second time that users are coming in the morning with their users locked, I unlocked them from AD and they are good to go.

But , I thought first time it was a one time thing, but now it's reoccurring again.

Where can I check why is that happening?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
systechSenior Technical Lead
Commented:
Hi,

Us the Account Lockout tool from MS (ALTools.exe)  https://www.microsoft.com/en-in/download/details.aspx?id=18465 which should help you to find out the reason.
Jane UpdegraffSr. Systems Administrator
Commented:
you need to go out and get the AD lockout tool from Microsoft https://www.microsoft.com/en-gb/download/details.aspx?id=15201 or maybe if that one is too unwieldy you might try the one from netwrix here https://www.netwrix.com/account_lockout_examiner.html ....

but basically both are going to do the same thing, determine which domain controller processed the last failed login in each case, and the lockout event on that domain controller (look at the time that appears in the tool you chose) those events tell you how the account was locked and from what PC or server. Sometimes it's something simple like a scheduled task that is using an old password but sometimes it means that someone else is trying to login to the network as that user for not so great purposes.
Jane UpdegraffSr. Systems Administrator

Commented:
yup radhakrishnan is correct also. That's actually the one i was trying to link in my first link for the microsoft tool.
How to Generate Services Revenue the Easiest Way

This Tuesday! Learn key insights about modern cyber protection services & gain practical strategies to skyrocket business:

- What it takes to build a cloud service portfolio
- How to determine which services will help your unique business grow
- Various use-cases and examples

Shaun VermaakSenior Consultant
Awarded 2017
Distinguished Expert 2018
Commented:

Author

Commented:
now that I unlocked the users, I can't see anything.

how do I find the cause of the locking.

Author

Commented:
it showed that the DC is locked.
systechSenior Technical Lead
Commented:
Hi,

Did you checked the security event logs? worth to run a virus scan on your DC's and the machines which shows in the tool or in security event logs.
Check for event 4640 on your DC (Windows Server 2012 and newer). That will tell you the workstation or server session (or internet proxy) that locked the account.
Tech Lead
Commented:
Since the account lockout issue could be caused by many factors, such as Programs, Service accounts, Low bad password threshold AD replication and Redundant credentials. Here is an another article to track and troubleshoot User Account Lockouts with this solution. Else, use Account Lockout Status tools from Microsoft.

Is it also possible that the user has his smartphone trying to connect to the network causing this?

Processes on the client computers.

Virus can do that kind of activity.

Another informative article which lets you how to identify the source of Account Lockouts in Active Directory: https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html

You need to start looking for applications/services that might be running using an administrator account. And you could follow the article as below to track down the application/service: https://blogs.technet.microsoft.com/instan/2009/09/01/troubleshooting-account-lockout-the-pss-way/

Hope this helps!
E ATech Lead

Commented:
Please post back if you have any query.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial