king daddy (asker)
Track down why a user account is being locked

We have an AD user account that keeps getting locked. The event viewer log shows it from a computer named 'Workstation'. We have no Workstation in AD/DNS and I can't ping it from a few different computers on different networks. I used a tool named Account Lockout / LockoutStatus.exe that shows all the DCs in the domain. Two of them, one being the PDC, show a last bad password entry of just a few hours ago and they all show the account as locked.

Any ideas on finding out what is causing this or how to find an IP or other relevant information about the computer named 'Workstation' is appreciated.
Shaun Vermaak
Please follow my account lockout investigation process (especially the NTLM logging, not normal logging) and revert back with findings
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
king daddy (asker)
Will do, Shaun.
Thanks
Did 1 and 2.
3.1 - still running
3.2 - I mentioned in my question: found the account locked on all DCs; the original lock was on the PDC
3.3 - showed the caller machine name as Workstation and the DC shown is the PDC
4.1 - PS I didn't run; kept getting a warning about running it even though I chose to run it (R option)
4.1 - NetWrix got a DC and an old Exchange server plus an IP I am not sure of (looking into it)
4.2 - AD Audit: caller user name is the PDC, caller machine name is Workstation, DC is the PDC
-- I get this error when clicking details: Caller Machine is not part of any configured domain (Caller Machine Name: WORKSTATION)

Did nothing after this step
ASKER CERTIFIED SOLUTION
Aard Vark
Thanks, Learnctx. The user in question runs the development department and does have a Mac. I will reach out to him.

Thanks again.
The user has an iPhone, iPad, and MacBook. Researching further, I found an on-prem Exchange server with Audit Failure events, ID 4625 (two of them, back-to-back). The first had a logon type of 3 while the second had a logon type of 8. Both had the same network info (workstation name, source network address, and source port). The more recent log entry had w3wp.exe as the caller process name. Found that to be related to IIS. Opened the IIS logs and found multiple entries for this user with AppleExchangeWebServices/307+AddressBookSourceSync/1890.

He removed his email account from his iPhone, iPad, and his MacBook (Outlook). He has not been locked out since, whereas before it was occurring a few times a day.
Excellent. Not really sure why Macs present as 'Workstation', but it is always the first thing I check now.
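The investigation the thread walks through (read the lockout on the PDC emulator, then the 4625 failures on the Exchange server, then the IIS request log to identify the client) can be scripted so it is repeatable the next time an account locks from an unresolvable caller name. The following is an added example, not code from the thread or from the tools mentioned in it. It assumes, purely for illustration, a locked account named jdoe, an Exchange server named EXCH01, a default IIS log path, and that the IIS W3C log is configured with the cs-username, c-ip and cs(User-Agent) fields. It needs the ActiveDirectory module and read access to the remote Security logs.

```powershell
# Added example: correlate an AD lockout with 4625 failures and IIS requests.
# Assumptions (not from the thread): account, server name and IIS log path below.
$User   = 'jdoe'                                         # locked account (assumed)
$Exch   = 'EXCH01'                                       # on-prem Exchange/IIS server (assumed)
$IisLog = "\\$Exch\c$\inetpub\logs\LogFiles\W3SVC1"       # default IIS log location (assumed)

# Flatten the EventData of a Security event into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1. Lockouts (event 4740) are always recorded on the PDC emulator. The machine that
#    submitted the bad password appears in TargetDomainName ("Caller Computer Name"),
#    which is the field that read "WORKSTATION" in the question.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{LogName='Security'; Id=4740} |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $d['TargetUserName']
            CallerComputer = $d['TargetDomainName']
        }
    } | Where-Object Account -eq $User
$lockouts | Format-Table -AutoSize

# 2. When the caller name does not resolve, check every server that accepts user
#    credentials (Exchange/IIS here) for 4625 failures. LogonType 3 is a network logon,
#    LogonType 8 is NetworkCleartext (typical of Basic auth through IIS); a ProcessName
#    of w3wp.exe means an IIS worker process performed the failed logon.
$failures = Get-WinEvent -ComputerName $Exch -FilterHashtable @{LogName='Security'; Id=4625} |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $d['TargetUserName']
            Workstation = $d['WorkstationName']
            SourceIP    = $d['IpAddress']
            SourcePort  = $d['IpPort']
            LogonType   = $d['LogonType']
            Process     = $d['ProcessName']
        }
    } | Where-Object Account -eq $User
$failures | Sort-Object Time | Format-Table -AutoSize

# Parse a W3C-format IIS log using its own "#Fields:" header, so the column order does
# not have to be hard-coded. IIS writes spaces inside values (user agents) as '+'.
function Import-IisLog {
    param([string]$Path)
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($Path)) {
        if ($line.StartsWith('#Fields:')) { $fields = ($line.Substring(8).Trim() -split ' '); continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $vals = $line -split ' '
        $o = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $vals.Count; $i++) { $o[$fields[$i]] = $vals[$i] }
        [pscustomobject]$o
    }
}

# 3. The 4625 event does not identify the HTTP client; the IIS log does. Match requests
#    by user name or by the source IPs seen in the failures and summarise by client IP
#    and user agent, which is what exposed the Apple EWS client in the question.
$ips = @($failures.SourceIP | Where-Object { $_ -and $_ -ne '-' } | Sort-Object -Unique)
Get-ChildItem $IisLog -Filter '*.log' |
    ForEach-Object { Import-IisLog $_.FullName } |
    Where-Object { $_.'cs-username' -match [regex]::Escape($User) -or $ips -contains $_.'c-ip' } |
    Group-Object 'c-ip', 'cs(User-Agent)' |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Step 1 only needs the PDC emulator because that is where every lockout is replicated; step 2 has to be repeated on each candidate server when the caller name is a bare host name like WORKSTATION, since nothing in the 4740 event tells you which server forwarded the bad password. Step 3 is where a device can be tied to a person: the c-ip and user agent give the client type, and cs-username confirms the account, so the account owner can be asked which device to remove or re-credential.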