Users locked out from AD
Hi Guys,
We have an issue where certain users are constantly locked out of Active Directory.
The lock-out event / request seems to be originating from the user's workstation, via their connection with the Exchange server.
Event viewer shows LogonType = 3
LogonProcessName = NtlmSSP
WorkstationName = xxxx
IpPort 50674
I've installed Wireshark on the Exchange server to monitor the network traffic upon log out, and it reports Exchange network traffic from the client the moment the account is locked out.
Any ideas will be appreciated,
wireshark.png
We have an issue where certain users are constantly locked out of Active Directory.
The lock-out event / request seems to be originating from the user's workstation, via their connection with the Exchange server.
Event viewer shows LogonType = 3
LogonProcessName = NtlmSSP
WorkstationName = xxxx
IpPort 50674
I've installed Wireshark on the Exchange server to monitor the network traffic upon log out, and it reports Exchange network traffic from the client the moment the account is locked out.
Any ideas will be appreciated,
wireshark.png
There is an easier way to deal with this
Download EventCombMT
Run it
Select lock out events from the menu, likelihood is they have left themselves logged in, you can also clear out the credential manager of any and all cached passwords. That could cause issues too.
Thanks
Alex
Download EventCombMT
Run it
Select lock out events from the menu, likelihood is they have left themselves logged in, you can also clear out the credential manager of any and all cached passwords. That could cause issues too.
Thanks
Alex
Use " Netwrix Account Lockout Examiner " will help
A starting point is my account lockout investigation process
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
netlogon logs also help you to find the source of lockout
http://www.windowstricks.i
http://www.windowstricks.i
Check IIS log files, scheduled task, mobile device and services / application which is running under this account with a wrong password. Here is an informative article which can help you to find the cause and source of account lockout.
Follow this article to troubleshoot account lockout issue in the Active Directory using Microsoft Account Lockout and Management Tools.
Did you enable NTLM logging?
Follow this article to troubleshoot account lockout issue in the Active Directory using Microsoft Account Lockout and Management Tools.
Did you enable NTLM logging?
ASKER
Hi Guys,
Thanks for all the help.
We downloaded & ran EventCombMT
Cleared the credential manager on the suspicious workstation
Switched off ActiveSync for the user in Exchange to prevent ActiveSync connections from unknown devices
Ran Netwrix Account Lockout Examiner
Also checked the NetLogon logs & IIS log files on Exchange
Most of the log-results pointed to the Exchange server's IP and showed "Bad Password"
Unfortunately none of these tools could tell us what the source was where the requests originated from, apart from the "Bad Password" events.
We gathered that it might be a network-printer where the user possibly entered his / her e-mail address, which is trying to connect to Exchange with the incorrect credentials.
Nevertheless, we changed the "Account Lockout Threshold" from 3 to 50
The users' account was no longer locked after changing the threshold.
Interestingly, after changing the lockout threshold to 50, we could see in the logs that the unknown source, tried again and again, sometimes for up to 20 retries
We had an area outage over the weekend, and since the electricity came back on, no further logon attempts "Bad Password" were reported.
Unfortunately we have to lower the "Account Threshold" again, as per audit instructions.
No idea how we will eventually find the culprit, should this reoccur.
Thanks for all the help.
We downloaded & ran EventCombMT
Cleared the credential manager on the suspicious workstation
Switched off ActiveSync for the user in Exchange to prevent ActiveSync connections from unknown devices
Ran Netwrix Account Lockout Examiner
Also checked the NetLogon logs & IIS log files on Exchange
Most of the log-results pointed to the Exchange server's IP and showed "Bad Password"
Unfortunately none of these tools could tell us what the source was where the requests originated from, apart from the "Bad Password" events.
We gathered that it might be a network-printer where the user possibly entered his / her e-mail address, which is trying to connect to Exchange with the incorrect credentials.
Nevertheless, we changed the "Account Lockout Threshold" from 3 to 50
The users' account was no longer locked after changing the threshold.
Interestingly, after changing the lockout threshold to 50, we could see in the logs that the unknown source, tried again and again, sometimes for up to 20 retries
We had an area outage over the weekend, and since the electricity came back on, no further logon attempts "Bad Password" were reported.
Unfortunately we have to lower the "Account Threshold" again, as per audit instructions.
No idea how we will eventually find the culprit, should this reoccur.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
the possible solutions i've had to use are:
check logme in app if its installed and uninstall, also just recently i installed msoffice 365 as a test and it keeps locking my account up after running a spyhunter, and uninstalling the 365 trial version. Good luck! in the past, what i've done was changed the username and password.
check logme in app if its installed and uninstall, also just recently i installed msoffice 365 as a test and it keeps locking my account up after running a spyhunter, and uninstalling the 365 trial version. Good luck! in the past, what i've done was changed the username and password.
Are there third party (not outlook) tools installed that access to Exchange as well? (How about addons within outlook).
With lockout, I assume you mean that the Users Account is getting locked, because of too many logon's without providing the correct password. please check eventvwr on AD server.
Do they authenticate at the Exchange, I assume "not" IMAP or POP. If they do, check that account.?
They may have itunes installed an sync with their phone through that? (wrong password/user combo)