PianoZeus asked:

Exchange Server Locking AD Accounts

Good afternoon all,

We have an on-premise 2013 Exchange server that is randomly locking various user accounts every 30 minutes. The interesting thing is that it is only affecting three staff at a time. After a week to two weeks it will resolve itself and start locking out three entirely different staff. Below are issues we have experienced with staff authenticating against our Exchange server in the past but are not currently the issue with these staff.

1. We have staff that use both ActiveSync and OWA. The staff that are currently having issues do not have ActiveSync nor OWA enabled for their mailboxes.

2. Staff changing AD credentials and not updating their ActiveSync phones or tablets etc. As I mentioned above, the staff currently getting locked out have not changed their passwords nor do they have ActiveSync devices at all.

3. Cached old passwords in Credential Manager. The affected staff have no cached passwords in Credential Manager.

I cannot for the life of me find what is locking their accounts. All I know with certainty is that it is due to failed authentication against our email server with bad password attempts.

Thanks for your time. Enjoy your day!
N8iveIT:

You could look at this EE thread for ideas, even though it is not currently resolved it has a lot of good information.

See https://www.experts-exchange.com/questions/29152952/Users-randomly-disconnecting-from-Exchange-2019-and-unable-to-reconnect-for-a-period-of-time.html

Try logging SMTP receive connectors and taking a look at the resultant text file. It is possible that someone is trying to authenticate and relay as those users.

Instructions here: https://docs.microsoft.com/en-us/exchange/protocol-logging-exchange-2013-help
PianoZeus (ASKER):

Mal Osborne,

Thank you for this. Though I already had logging enabled on our SMTP receive connector, I never knew it showed information regarding failed authorization attempts. After looking into the logs, the failed attempts are currently coming from IP addresses registered to Germany and Iran.
These logs coincide with my Active Directory logs as far as dates and times when staff accounts are being locked. Though I am not much of a server guy, I am a Networking guy. After various security safeguards I implemented in my networking appliances, these staff accounts have not yet locked. I'll keep my fingers crossed. Thank you for pointing me in the right direction.
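
The check described in this thread, as an added example that is not part of the original posts or any participant's code: it reads an SMTP receive protocol log, collects the `535` (authentication rejected) replies per remote IP, and lists which sources failed in the window before an AD lockout time. It assumes the log uses the comma-separated layout named in its `#Fields:` header; the sample lines, IP addresses, server name, lockout time and function names are constructed for illustration.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (documentation-range IPs, made-up server and session ids).
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2019-08-01T14:00:01.100Z,EX01\\Default Frontend EX01,08D7A1,0,192.0.2.10:25,203.0.113.7:50122,+,,
2019-08-01T14:00:01.900Z,EX01\\Default Frontend EX01,08D7A1,5,192.0.2.10:25,203.0.113.7:50122,<,AUTH LOGIN,
2019-08-01T14:00:02.400Z,EX01\\Default Frontend EX01,08D7A1,8,192.0.2.10:25,203.0.113.7:50122,>,535 5.7.3 Authentication unsuccessful,
2019-08-01T14:00:03.000Z,EX01\\Default Frontend EX01,08D7A1,11,192.0.2.10:25,203.0.113.7:50122,>,535 5.7.3 Authentication unsuccessful,
2019-08-01T14:05:10.000Z,EX01\\Default Frontend EX01,08D7A2,8,192.0.2.10:25,198.51.100.23:41010,>,535 5.7.3 Authentication unsuccessful,
2019-08-01T14:06:00.000Z,EX01\\Default Frontend EX01,08D7A3,8,192.0.2.10:25,192.0.2.55:60001,>,235 2.7.0 Authentication successful,
2019-08-01T15:40:00.000Z,EX01\\Default Frontend EX01,08D7A4,8,192.0.2.10:25,203.0.113.7:50999,>,535 5.7.3 Authentication unsuccessful,
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"

def failed_auth_by_ip(lines):
    """Map each remote IP to the times the server answered it with a 535 reply."""
    fields, hits = [], defaultdict(list)
    for row in csv.reader(lines):
        if not row:
            continue
        if row[0].startswith("#"):
            # The "#Fields:" header names the columns; other "#" lines are metadata.
            if row[0].startswith("#Fields: "):
                fields = [row[0][len("#Fields: "):]] + row[1:]
            continue
        rec = dict(zip(fields, row))
        # ">" marks a line the server sent; SMTP 535 means the credentials were rejected.
        if rec.get("event") == ">" and rec.get("data", "").startswith("535 "):
            ip = rec["remote-endpoint"].rsplit(":", 1)[0]  # drop the source port
            hits[ip].append(datetime.strptime(rec["date-time"], TS_FORMAT))
    return dict(hits)

def sources_before_lockout(hits, lockout_time, window_minutes=30):
    """Count failures per IP in the window ending at an AD lockout time."""
    start = lockout_time - timedelta(minutes=window_minutes)
    counts = {ip: sum(start <= t <= lockout_time for t in times)
              for ip, times in hits.items()}
    return {ip: n for ip, n in counts.items() if n}

if __name__ == "__main__":
    hits = failed_auth_by_ip(SAMPLE_LOG.splitlines())
    lockout = datetime(2019, 8, 1, 14, 10)  # constructed lockout time from the AD log
    for ip, n in sorted(sources_before_lockout(hits, lockout).items()):
        print(ip, n)
```

The protocol log timestamps end in `Z`, so convert the lockout time taken from the AD log to UTC before comparing.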