Users are being locked on AD.

This is the second time that users are coming in the morning with their users locked. I unlocked them from AD and they are good to go.

But I thought the first time it was a one-time thing, but now it's reoccurring again.

Where can I check why that is happening?
alonig1 Asked:
 
Ajit Singh Commented:
The account lockout issue could be caused by many factors, such as programs, service accounts, a low bad-password threshold, AD replication and redundant credentials. Here is another article to track and troubleshoot user account lockouts with this solution. Otherwise, use the Account Lockout Status tools from Microsoft.

Is it also possible that the user has his smartphone trying to connect to the network causing this?

Processes on the client computers.

A virus can do that kind of activity.

Another informative article which lets you know how to identify the source of account lockouts in Active Directory: https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html

You need to start looking for applications/services that might be running using an administrator account. And you could follow the article as below to track down the application/service: https://blogs.technet.microsoft.com/instan/2009/09/01/troubleshooting-account-lockout-the-pss-way/

Hope this helps!
0
 
Radhakrishnan R (Senior Technical Lead) Commented:
Hi,

Use the Account Lockout tool from MS (ALTools.exe) https://www.microsoft.com/en-in/download/details.aspx?id=18465 which should help you to find out the reason.
0
 
Jane Updegraff (Sr. Systems Administrator) Commented:
You need to go out and get the AD lockout tool from Microsoft https://www.microsoft.com/en-gb/download/details.aspx?id=15201 or maybe, if that one is too unwieldy, you might try the one from Netwrix here https://www.netwrix.com/account_lockout_examiner.html ....

But basically both are going to do the same thing: determine which domain controller processed the last failed login in each case, and the lockout event on that domain controller (look at the time that appears in the tool you chose). Those events tell you how the account was locked and from what PC or server. Sometimes it's something simple like a scheduled task that is using an old password, but sometimes it means that someone else is trying to log in to the network as that user for not so great purposes.
0
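
The lookup described in the answer above, as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module, read access to the domain controller's Security log, account-management auditing enabled, and event ID 4740 ("A user account was locked out"); the two-day window is an arbitrary value.

```powershell
# Added example: list recent lockout events and the computer each one came from.
Import-Module ActiveDirectory

# Lockouts from every DC are forwarded to the PDC emulator, so its Security
# log is the usual single place to look.
$pdc = (Get-ADDomain).PDCEmulator

# Look-back window (assumed value; widen it if the lockouts are older).
$since = (Get-Date).AddDays(-2)

# Events stay in the log after the account has been unlocked.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Read the named EventData fields instead of relying on property order.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        LockedAccount  = $data['TargetUserName']
        # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
        CallerComputer = $data['TargetDomainName']
        ReportingDC    = $e.MachineName
    }
}

# Newest lockouts first.
$report | Sort-Object TimeCreated -Descending | Format-Table -AutoSize

# Which account/computer pairs repeat: a single PC locking one user points to
# a stale saved password; one source locking many users deserves a closer look.
$report | Group-Object LockedAccount, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

An empty CallerComputer usually means the failed logons arrived through a service that does not pass the client name, so the next step is the failed-logon events on the reporting DC around the same time.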

 
Jane Updegraff (Sr. Systems Administrator) Commented:
Yup, Radhakrishnan is correct also. That's actually the one I was trying to link in my first link for the Microsoft tool.
0
 
Shaun Vermaak (Technical Specialist/Developer) Commented:
1
 
alonig1 (Author) Commented:
Now that I unlocked the users, I can't see anything.

How do I find the cause of the locking?
0
 
alonig1 (Author) Commented:
It showed that the DC is locked.
0
 
Radhakrishnan R (Senior Technical Lead) Commented:
Hi,

Did you check the security event logs? It is worth running a virus scan on your DCs and the machines which show in the tool or in the security event logs.
0
 
ferrarista Commented:
Check for event 4640 on your DC (Windows Server 2012 and newer). That will tell you the workstation or server session (or internet proxy) that locked the account.
0
 
Ajit Singh Commented:
Please post back if you have any query.
0
Question has a verified solution.
