Salonge asked:
Windows account keeps getting locked out.

For some reason, about a week ago, my Windows domain account started getting locked out. I am a domain admin, and I am not using this account anywhere else, only on my personal computer. This is happening multiple times a day. I thought it was in my profile, but I can't figure out what it may be. I created a new profile and it still does it.

Paul MacDonald answered:

A few possibilities here:
1) Someone trying to leverage the account against an Internet-facing service (trying to log into OWA or VPN as you),

2) Someone inside your network doing the same as (1),

3) Some product on the network that authenticates as you but has an old/bad password,

4) Some old device (laptop, cell phone) recently powered on and doing the same as (3).


Do the audit logs give you any additional information?

First off, set up an account with a fictional character and assign the domain admin, enterprise admin, schema admin, and any other groups needed to that account.

Remove, _remove_, the Domain Admin group from your account. That is a very bad practice.

Just put your AD user object into the local Administrators group of your computer.

Once that is done, change the password for your account from a computer other than your day-to-day one. Also, change the password for the new domain account from a different computer.

You can right-click and Run As Administrator on any RSAT tools that you have installed if there's a need. Or just start CMD or PowerShell elevated, then start any needed consoles from there.

Good rule of thumb:
1) Have you recently changed your password?
2) Do you RDP to any system where you may have left a session?
3) Do you have a VPN that uses your domain credentials?
4) Do you have email that relies on your AD access?
5) Web site?
6) control keymgr.dll for saved credentials.


Netwrix has an account lockout tool that helps identify the source of lockouts and may point out which issue needs a closer look.
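As an added example that is not part of the thread, the checklist above (saved credentials, leftover RDP sessions, services and tasks that still carry the old password) can be walked through in one elevated PowerShell run on the workstation. The account name and the server list are placeholders to replace; nothing here is tooling from the thread.

```powershell
# Added example, not from the thread: enumerate the usual hiding places of a stale
# domain password on a Windows host. Run elevated, on every machine the account
# has been used from. $Account and $Servers are placeholders to replace.
param(
    [string]  $Account = 'CONTOSO\salonge',   # hypothetical DOMAIN\user
    [string[]]$Servers = @('SRV01', 'SRV02')  # hypothetical hosts you RDP to
)
$sam = ($Account -split '\\')[-1]   # bare username, for matching

"== Credential Manager entries (what 'control keymgr.dll' shows) =="
cmdkey /list | Select-String -SimpleMatch $sam

"== Services configured to log on as $Account =="
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like "*$sam*" } |
    Select-Object Name, StartName, State | Format-Table -AutoSize

"== Scheduled tasks whose principal is $Account =="
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$sam*" } |
    Select-Object TaskPath, TaskName, @{ n = 'RunAs'; e = { $_.Principal.UserId } } |
    Format-Table -AutoSize

"== Mapped network drives (credentials may be cached for these) =="
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status | Format-Table -AutoSize

"== Sessions left behind on remote hosts (applications inside a disconnected session keep presenting the old password) =="
foreach ($s in $Servers) {
    # quser writes 'No User exists' to stderr when the host has no sessions; merge it so the loop continues
    $lines = quser /server:$s 2>&1
    $lines | Select-String -SimpleMatch $sam | ForEach-Object { "{0}: {1}" -f $s, $_ }
}
```

Anything that turns up under Services or Scheduled tasks is a place where the password was typed in once and is replayed on every start, which is exactly the pattern in items (3) and (4) of the first answer.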
Hi!

If you have another admin account, you can use that other admin account to troubleshoot the locked-out admin account using the following PowerShell script.

You will need to replace "DOMAIN\LockedOutAdmin" with the actual username of the locked-out account.

By analyzing the security event logs on the domain controller, you can gather information about the account lockout events and the source of the issue.

$lockedOutAccount = "DOMAIN\LockedOutAdmin"  # Replace with the username of the locked-out account
# Event 4740 records the bare sAMAccountName, so drop any DOMAIN\ prefix before comparing
$sam = ($lockedOutAccount -split '\\')[-1]

# Lockouts are recorded on the PDC emulator; run this there, or add -ComputerName pointing at it
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = 4740
    StartTime = (Get-Date).AddDays(-1)  # Adjust the time window if needed
} -ErrorAction SilentlyContinue | Where-Object { $_.Properties[0].Value -eq $sam }

foreach ($event in $events) {
    $time = $event.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
    # Properties[1] of a 4740 event is the caller computer name: the machine that sent the bad passwords
    $source = $event.Properties[1].Value
    $message = "{0} was locked out at {1}; source computer: {2}" -f $sam, $time, $source
    Write-Output $message
}


Salonge (asker):
Once I run this script, how do I see the results? The error code I am seeing is 4771 - Kerberos pre-authentication failed.
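The 4771 event mentioned above carries the IP address of the client that sent the bad password, and the 4740 lockout event on the PDC emulator carries the caller computer name. As an added example that is not part of the thread, the following script pulls both for one account from every domain controller and ranks the sources. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the Security log on the DCs, and that the sAMAccountName placeholder is replaced with the real one.

```powershell
# Added example, not code from the thread: collect the lockout event (4740) and the
# failed Kerberos pre-authentication events (4771) for one account from every DC,
# and show where the bad passwords came from.
# Assumptions: ActiveDirectory RSAT module installed, read access to the DCs'
# Security logs, and $Sam replaced with the real sAMAccountName.
param(
    [string]$Sam   = 'salonge',   # hypothetical sAMAccountName (no DOMAIN\ prefix)
    [int]   $Hours = 24
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# Kerberos result codes that appear in the Status field of 4771 (hex strings)
$krbStatus = @{
    '0x6'  = 'client not found (unknown user)'
    '0x12' = 'client revoked (locked out / disabled / expired)'
    '0x17' = 'password expired'
    '0x18' = 'pre-auth failed (wrong password)'
    '0x25' = 'clock skew too great'
}

$rows = foreach ($dc in $dcs) {
    # 4740 is written on the PDC emulator. TargetUserName (index 0) is the account;
    # TargetDomainName (index 1) is the caller computer name that supplied the bad passwords.
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } | Where-Object { $_.Properties[0].Value -eq $Sam } | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            DC     = $dc
            Event  = 4740
            Source = $_.Properties[1].Value
            Detail = 'account locked out'
        }
    }

    # 4771 is written by whichever DC received the AS-REQ. Field order:
    # TargetUserName(0) TargetSid(1) ServiceName(2) TicketOptions(3) Status(4)
    # PreAuthType(5) IpAddress(6) IpPort(7) CertIssuerName(8) ...
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = $since
    } | Where-Object { $_.Properties[0].Value -eq $Sam } | ForEach-Object {
        $status = [string]$_.Properties[4].Value
        $ip     = [string]$_.Properties[6].Value -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        $name   = $ip
        try { $name = [System.Net.Dns]::GetHostEntry($ip).HostName } catch { }
        $detail = if ($krbStatus.ContainsKey($status)) { $krbStatus[$status] } else { "status $status" }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            DC     = $dc
            Event  = 4771
            Source = "$ip ($name)"
            Detail = $detail
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# The hosts that appear most often as the source of 0x18 failures are where the stale credential lives
$rows | Where-Object { $_.Event -eq 4771 } | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Once a source host is known, the workstation-side checks (Credential Manager, services, scheduled tasks, disconnected RDP sessions) are run on that host rather than on the machine the asker is sitting at. A Status of 0x12 rather than 0x18 only says the account was already locked when the request arrived, so the 0x18 entries immediately before the 4740 are the ones that matter.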

ASKER CERTIFIED SOLUTION
Salonge