How to determine exactly what is locking out an Administrator's account.

J.R. Sitman asked:
When accessing our servers it states "my" account is locked out. I ran Netwrix Account Lockout Examiner and it shows me locked out. How do I find out exactly "why" or "what" is locking me out?

I have other accounts I can log on as to run the tests.
Trawl through the security event logs on your DCs, and you will see the story. Event 4740 will be when the lockout happens, and will contain some more information.

This can be caused by:
1. A machine left with a user logged on after a password change.
2. Hackers attacking an external port. FTP servers, RDP servers, and SMTP servers are common ones; hackers try to attack by using "Administrator" as a username, and various common passwords. RDP is really bad for this in my experience.
3. An actual heap of attempts to incorrectly type in a password.
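An added example, not code from this thread or any of its participants, that does the log trawl described above: it pulls Event 4740 from every domain controller, keeps the ones for a given account, and shows the "Caller Computer Name" each lockout came from. It assumes the ActiveDirectory module is installed, rights to read the DCs' Security logs, and uses the account name from the question.

```powershell
# Added example, not code from the thread: collect Event 4740 from every domain
# controller and show which computer each lockout of a given account came from.
# Assumes the ActiveDirectory module and rights to read the DCs' Security logs.
$Account = 'jsitman'                 # account name from the question; change as needed
$Since   = (Get-Date).AddDays(-2)    # how far back to search

# The PDC emulator records every lockout, but querying all DCs is the safe default.
$DCs = (Get-ADDomainController -Filter *).HostName

$lockouts = foreach ($dc in $DCs) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # In 4740 the locked-out account is the TargetUserName field and the
        # "Caller Computer Name" shown in the message text is TargetDomainName.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $Account) { continue }   # -ne is case-insensitive

        $caller = $data['TargetDomainName']
        # A caller name with no computer object in AD (like the "MSTSC" seen later in
        # this thread) is not a domain-joined machine by that name.
        $known = [bool](Get-ADComputer -Filter "Name -eq '$caller'" -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            Time           = $e.TimeCreated
            DC             = $dc
            LockedAccount  = $data['TargetUserName']
            CallerComputer = $caller
            CallerInDomain = $known
        }
    }
}

$lockouts | Sort-Object Time | Format-Table -AutoSize
```

If the caller is a domain machine, the next stop is that machine's own Security log around the same timestamps; if it is not, the DC or target server's network logon failures are what carry the source address.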
J.R. Sitman (IT Director, Author) commented:
There are no 4740 events. There are also no repeated attempts to log in as Administrator. As of this post, my account is not locked.

So I have no idea what caused it.
Peter Hutchison (Senior Network Systems Specialist) commented:
Other causes of lockouts:
1. Check Services.msc of any servers and check if any service is using Administrator as a Logon account.
2. Check Task Scheduler of any servers, and check if any tasks are running under the Administrator user.

Ideally you should create application specific accounts to run services or tasks.
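An added example, not code from the thread or from Peter Hutchison, that automates the two checks above: it lists every service and scheduled task on a set of servers that runs under a given account. The server names are constructed placeholders; it assumes CIM/WinRM access to those servers.

```powershell
# Added example, not code from the thread: find services and scheduled tasks on a set
# of servers that run under a given account (a stale password stored in one of them
# will lock the account out every time it starts). Server names are placeholders.
$Account = 'Administrator'
$Servers = 'SERVER01', 'SERVER02'

# Logon accounts appear as 'DOMAIN\user', '.\user' or 'user@domain'; compare the user
# part only. PowerShell's -contains is case-insensitive by default.
function Test-RunsAs([string]$LogonName, [string]$User) {
    if (-not $LogonName) { return $false }
    return (($LogonName -split '[\\@]') -contains $User)
}

$findings = foreach ($srv in $Servers) {
    # Services: Win32_Service.StartName is the account the service logs on as.
    Get-CimInstance -ClassName Win32_Service -ComputerName $srv -ErrorAction SilentlyContinue |
        Where-Object { Test-RunsAs $_.StartName $Account } |
        ForEach-Object {
            [pscustomobject]@{ Server = $srv; Type = 'Service'; Name = $_.Name
                               RunAs = $_.StartName; State = $_.State }
        }

    # Scheduled tasks: the principal's UserId is the account the task runs under.
    Get-ScheduledTask -CimSession $srv -ErrorAction SilentlyContinue |
        Where-Object { Test-RunsAs $_.Principal.UserId $Account } |
        ForEach-Object {
            [pscustomobject]@{ Server = $srv; Type = 'Task'; Name = $_.TaskPath + $_.TaskName
                               RunAs = $_.Principal.UserId; State = $_.State }
        }
}

$findings | Sort-Object Server, Type | Format-Table -AutoSize
```

Run it against the servers you have logged on to as that account; anything it lists is a candidate for a dedicated service account, as Peter suggests.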

Check this blog, which explains possible reasons for lockouts: https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/

You can also try Microsoft's LockoutStatus.exe tool or LepideAuditor to investigate the reason for lockouts. Here is how LepideAuditor troubleshoots account lockouts.
J.R. Sitman (IT Director, Author) commented:
@Peter Hutchison, I will go through the services and task scheduler today. I just wanted to say creating accounts for applications is an excellent idea.
J.R. Sitman (IT Director, Author) commented:
Thanks. I will go through these.
Here is another article to troubleshoot Account Lockout in Active Directory:
http://expert-advice.org/active-directory/how-to-troubleshoot-account-lockout-in-active-directory/

Get help from this article to detect the source of Account Lockouts in Active Directory:
https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html
J.R. Sitman (IT Director, Author) commented:
I used Microsoft Account Lockout. My account is being locked from MSTSC. It started at 11:03 pm Wednesday and the last one was Thursday 6:25 am.
It also happened to the Administrator account and my assistant.

It is currently unlocked, but will most likely lock again.

I checked and do not see any of these accounts logged in remotely.

We have two Citrix servers, but they reboot every night so that would disconnect anyone.

Where would I look for an MSTSC computer inside the domain?
J.R. Sitman (IT Director, Author) commented:
Here is the exact message:

4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Thu Apr 19 10:58:06 2018,No User,A user account was locked out.    Subject:   Security ID:  S-1-5-18   Account Name:  SPCALA292$   Account Domain:  LASPCA   Logon ID:  0x3e7    Account That Was Locked Out:   Security ID:  S-1-5-21-2125141960-1604992391-1749447093-2367   Account Name:  jsitman    Additional Information:   Caller Computer Name: MSTSC
Did you enable auditing?

You can audit logins, for detailed description refer to this article: https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

Do you have any mobile devices that are connecting to your network using your network credentials?

Viruses can also do this from your own computer.

Check any services that you may have set up under your login that may contain a password.

This could be on ANY workstation or server that you have used. This article will explain Common Causes for Account Lockouts - Resolution and Troubleshooting Steps.

Troubleshooting account lockout the PSS way:
https://blogs.technet.microsoft.com/instan/2009/09/01/troubleshooting-account-lockout-the-pss-way/

How to Trace the Source of a Bad Password and Account Lockout in AD:
http://expert-advice.org/active-directory/how-to-trace-the-source-of-a-bad-password-and-account-lockout-in-ad/

Further, you can also enable more advanced auditing by enabling "Network Security: Restrict NTLM: Audit Incoming NTLM Traffic" (Enable auditing for all accounts) and "Network Security: Restrict NTLM: Audit Incoming NTLM in this domain" (Enable all) for the DCs in the problematic user's site, etc.
J.R. Sitman (IT Director, Author) commented:
Even though it looked like an internal problem, it was coming from the outside trying to access my account. The Microsoft tool was helpful.

Thanks to all.
