How to determine exactly what is locking out an Administrators account.

When accessing our servers it states "my" account is locked out. I ran Netwrix Account Lockout Examiner and it shows me locked out. How do I find out exactly "why" or "what" is locking me out?

I have other accounts I can log on as to run the tests.

J.R. Sitman (IT Director) asked:
Naveen Sharma commented:
Check this blog, which explains possible reasons for lockouts: https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/

You can also try Microsoft's LockoutStatus.exe tool or LepideAuditor to investigate the reason for lockouts. Here is how LepideAuditor troubleshoots account lockouts.
0
 
Mal Osborne (Alpha Geek) commented:
Trawl through the security event logs on your DCs, and you will see the story. Event 4740 will be when the lockout happens, and will contain some more information.

This can be caused by:
1. A machine left with a user logged on after a password change.
2. Hackers attacking an external port. FTP servers, RDP servers, and SMTP servers are common ones; hackers try to attack by using "Administrator" as a username, and various common passwords. RDP is really bad for this in my experience.
3. An actual heap of attempts to incorrectly type in a password.
0
 
J.R. Sitman (IT Director, Author) commented:
There are no 4740 events. There are also no repeated attempts to log in as Administrator. As of this post, my account is not locked.

So I have no idea what caused it.
0
Peter Hutchison (Senior Network Systems Specialist) commented:
Other causes of lockouts:
1. Check Services.msc of any servers and check if any service is using Administrator as a Logon account.
2. Check Task Scheduler of any servers, and check if any tasks are running under the Administrator user.

Ideally you should create application specific accounts to run services or tasks.
0
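The two checks above (services and scheduled tasks running under the account) can be scripted across a list of servers. The following is an added example, not code from the thread; it assumes WinRM is enabled on the target servers, that the caller is a local administrator on them, and that they run Windows Server 2012 or later (for Get-ScheduledTask). The server names and the account name in the usage line are placeholders.

```powershell
# Added example: list services and scheduled tasks on the given servers that run
# under a given account (matched on the user part of "DOMAIN\user" or "user@domain").
function Find-AccountUsage {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [string] $Account = 'Administrator'
    )

    foreach ($server in $ComputerName) {
        # Services: Win32_Service.StartName holds the logon account of each service.
        Get-CimInstance -ClassName Win32_Service -ComputerName $server -ErrorAction SilentlyContinue |
            Where-Object { $_.StartName -and (($_.StartName -split '[\\@]') -icontains $Account) } |
            ForEach-Object {
                [pscustomobject]@{
                    Server = $server
                    Type   = 'Service'
                    Name   = $_.Name
                    RunAs  = $_.StartName
                    State  = $_.State
                }
            }

        # Scheduled tasks: the task principal's UserId is the account the task runs as.
        # $using: carries the local variable into the remote session.
        Invoke-Command -ComputerName $server -ErrorAction SilentlyContinue -ScriptBlock {
            Get-ScheduledTask |
                Where-Object { $_.Principal.UserId -and (($_.Principal.UserId -split '[\\@]') -icontains $using:Account) } |
                Select-Object TaskName, TaskPath, State, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
        } | ForEach-Object {
            [pscustomobject]@{
                Server = $server
                Type   = 'Task'
                Name   = "$($_.TaskPath)$($_.TaskName)"
                RunAs  = $_.RunAs
                State  = $_.State
            }
        }
    }
}

# Usage (placeholder server names; run from an admin workstation with RSAT installed):
Find-AccountUsage -ComputerName 'SERVER1', 'SERVER2' -Account 'Administrator' | Format-Table -AutoSize
```

To cover every server in the domain rather than a hand-typed list, the names can come from `(Get-ADComputer -Filter 'OperatingSystem -like "*Server*"').Name`. Any hit is a candidate for the stale-password cause in the thread: after the account's password changes, the service or task keeps presenting the old one until it is updated, which is the reason for moving such workloads to dedicated application accounts.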
 
J.R. Sitman (IT Director, Author) commented:
@Peter Hutchison, I will go through the services and task scheduler today. I just wanted to say creating accounts for applications is an excellent idea.
0
 
J.R. Sitman (IT Director, Author) commented:
Thanks. I will go through these.
0
 
Naveen Sharma commented:
Here is another article to troubleshoot account lockout in Active Directory:
http://expert-advice.org/active-directory/how-to-troubleshoot-account-lockout-in-active-directory/

Get help from this article to detect the source of account lockouts in Active Directory:
https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html
0
 
J.R. Sitman (IT Director, Author) commented:
I used Microsoft Account Lockout. My account is being locked from MSTSC. It started at 11:03 pm Wednesday and the last one was Thursday 6:25 am.
It also happened to the Administrator account and my assistant.

It is currently unlocked, but will most likely lock again.

I checked and do not see any of these accounts logged in remotely.

We have two Citrix servers, but they reboot every night so that would disconnect anyone.

Where would I look for an MSTSC computer inside the domain?
0
 
J.R. Sitman (IT Director, Author) commented:
Here is the exact message:

4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Thu Apr 19 10:58:06 2018,No User,A user account was locked out.
    Subject:
        Security ID:    S-1-5-18
        Account Name:   SPCALA292$
        Account Domain: LASPCA
        Logon ID:       0x3e7
    Account That Was Locked Out:
        Security ID:    S-1-5-21-2125141960-1604992391-1749447093-2367
        Account Name:   jsitman
    Additional Information:
        Caller Computer Name: MSTSC
1
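Both the advice to read event 4740 on the DCs and the event text quoted above can be turned into a repeatable query. The following is an added example, not code from the thread or from any of the tools mentioned in it; it assumes the ActiveDirectory RSAT module is installed and that the caller can read the Security log of the PDC emulator remotely. The account name defaults to the one in the quoted event and is otherwise a placeholder.

```powershell
# Added example: list 4740 lockout events for an account, with the caller computer
# name that each event recorded. Lockouts are processed by the PDC emulator, so its
# Security log is the authoritative place to look, regardless of which DC a client used.
function Get-LockoutSource {
    param(
        [string] $Account = 'jsitman',   # account from the quoted event; placeholder
        [int]    $Hours   = 24
    )

    Import-Module ActiveDirectory
    $pdc = (Get-ADDomain).PDCEmulator

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the EventData fields by name from the event XML rather than by position.
        $data   = ([xml]$e.ToXml()).Event.EventData.Data
        $target = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        # In a 4740 event the TargetDomainName field carries the "Caller Computer Name".
        $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'

        if ($target -ieq $Account) {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Locked = $target
                Caller = $caller
                DC     = $e.MachineName
            }
        }
    }
}

# Usage: show every lockout of the account in the last 24 hours, oldest first.
Get-LockoutSource -Account 'jsitman' -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

The caller computer name in 4740 is whatever name the authenticating client reported, so it need not be a domain-joined host, which is why the thread's search for a computer called MSTSC inside the domain found nothing. To get a network address, look at the failed-logon events around the same timestamps: 4625 on the server that received the logon attempts (for RDP, the RDP host) includes the source IP address, and 4771 (Kerberos pre-authentication failed) on the DC includes the client address as well.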
 
Naveen Sharma commented:
Did you enable auditing?

You can audit logins, for detailed description refer to this article: https://www.lepide.com/blog/audit-successful-logon-logoff-and-failed-logons-in-activedirectory/

Do you have any mobile devices that are connecting to your network using your network credentials?

Viruses can also do this from your own computer.

Check any services that you may have set up under your login that may contain a password.

This could be on ANY workstation or server that you have used. This article will explain Common Causes for Account Lockouts – Resolution and Troubleshooting Steps.

Troubleshooting account lockout the PSS way:
https://blogs.technet.microsoft.com/instan/2009/09/01/troubleshooting-account-lockout-the-pss-way/

How to Trace the Source of a Bad Password and Account Lockout in AD:
http://expert-advice.org/active-directory/how-to-trace-the-source-of-a-bad-password-and-account-lockout-in-ad/

Further, you can also enable more advanced auditing by enabling "Network Security: Restrict NTLM: Audit Incoming NTLM Traffic" (Enable auditing for all accounts) and "Network Security: Restrict NTLM: Audit NTLM authentication in this domain" (Enable all) for the DCs in the problematic user's site, etc.
0
 
J.R. Sitman (IT Director, Author) commented:
Even though it looked like an internal problem, it was coming from the outside trying to access my account. The Microsoft tool was helpful.

Thanks to all.
0
Question has a verified solution.