Account Lockout: WHERE does it come from?
-
Thursday, January 24, 2013 2:39 PM
Greetings,
We are suffering from several users account lockouts on our domain, and we cannot find a solution.
I've read most of the usually linked threads about this, such as this one, this one or this one, so PLEASE do not refer to them and tag it as a solution, because it is not.
Our environment:
Windows 2008 domain level (Win2008 R2 DCs), 2500 users, 3 DCs (one of which is at a remote site), and 13 RODCs. A lot of users get locked frequently and most of the time we are able to figure out where from, and a reset solves the normal issue. But a few of them also get locked, among which the Domain Administrator, and we don't know why or from where.
Users must change their password every 45 days. Lockouts don't necessarily happen right after a password change.
10 consecutive bad passwords bring out a lockout.
I am investigating one user particularly.
What is happening:
- This user's account has been locked out frequently since early last week. There is no standard time frame; sometimes it's every 10 minutes, sometimes nothing during a day, sometimes once every two hours.
- We have a SCOM custom monitor which gathers all the 4740 events from all DCs, and they are reported correctly. Of course, for these few users, the Caller computer name is empty.
- I don't care WHY these lockouts can happen, I need to know WHERE they are originating.
- Some people use Linux machines, smartphones, tablets, and various other possible devices. This special user I'm working on, however, doesn't have any of these (he says...) and only connects to a Windows 7 laptop, and remotely on a Windows 2008 R2 SQL Server.
- We used an external tool called Rebasoft, which allows tracking a user's activity on the network. Unfortunately, for the moment it only tracks the "last seen" (IP- and MAC-wise). Every time we check, the user's laptop IP and name are reported.
- We have checked everything I could think of on the PCs: scheduled tasks, services, processes, and nothing unusual or using deprecated credentials is to be seen.
- We have provided the user a new laptop with a brand-new install of Win 7 Enterprise, which is deployed from an image used by ~500 people, and only THIS user suffers from this problem. And yes, with the new laptop the problem arises again. And yes, in the Rebasoft tool, the new IP and name are reported.
- I have downloaded and am using the ALTools suite; LockoutStatus.exe allows me to see from which DC the problem happens and, almost live, I can see the "Bad Pwd Count" value growing from 0 to 10 (our lockout threshold) when refreshing all DCs.
- On Lockoutstatus.exe, the "Orig Lock" is the DC on which the lock is applied on the AD, but doesn't give the source computer.
- Last Friday, nothing happened while the user had his laptop online and connected to the network. But today for instance, it's a lockout every 20 minutes, which drives us crazy.
My thoughts on the issue:
- I don't entirely trust the user, who claims they have never connected to a browser from some mobile device. It might not be one of his own devices; maybe a colleague's, on which he tried to connect before his last password change, or whatever.
- It may of course be a user with a similar login (we use 5-char account names, so among 2500 people, sometimes you have close accounts) trying to connect using wrong credentials and not caring / noticing.
- All leads seem to point to the user's own laptop. I thought there was some kind of hidden process, task or something, but as soon as a brand-new/fresh PC is provided, the problem persists. This tends to indicate that it comes from elsewhere.
My questions:
- Is it possible that somehow an AD account gets "corrupted" and auto-locks, wherever it logs on from in the domain? Recreating this user's account would be very tedious, PLUS, if we're in the case of a mobile or Linux device trying to use the user name, a new SID won't change anything and the problem would persist. Plus, the lockout would then be happening on a regular Windows machine, whose name should appear in the Caller Computer Name of the ID 4740 event.
- HOW ON EARTH can I get a source IP / MAC / whatever from an account lockout? I KNOW the excuse from Microsoft is "if the computer cannot be identified through the KDC etc., we cannot guarantee that there isn't IP spoofing, so the Caller Computer Name of the ID 4740 event is empty". I don't care if it is a spoof or not, I want an IP or MAC to investigate!!
Again, I have read all the other topics on the matter so please don't copy-paste the same standard answers.
I have used ALTools, I use SCOM, I checked eventlogs, I even use third-party software. I just need to know HOW I can be sure from where the account lockout originates, and also if it is possible that an AD account on a fresh machine, gets auto-locked for a reason I don't know.
Bix
All Replies
-
Friday, January 25, 2013 3:46 AM
You can use the Active Directory account lockout management tools to get some help:
http://www.microsoft.com/en-us/download/details.aspx?id=18465
Darshana Jayathilake
-
Friday, January 25, 2013 8:51 AM
Thanks for your answer, but it looks like you didn't read my topic thoroughly, so allow me to quote myself:
I've read most of the usually linked threads about this, such as this one, this one or this one, so PLEASE do not refer to them and tag it as a solution, because it is not.
(...)
- I have downloaded and am using the ALTools suite; LockoutStatus.exe allows me to see from which DC the problem happens and, almost live, I can see the "Bad Pwd Count" value growing from 0 to 10 (our lockout threshold) when refreshing all DCs.
- On Lockoutstatus.exe, the "Orig Lock" is the DC on which the lock is applied on the AD, but doesn't give the source computer.
(...)
Again, I have read all the other topics on the matter so please don't copy-paste the same standard answers.
I have used ALTools, I use SCOM, I checked eventlogs, I even use third-party software. I just need to know HOW I can be sure from where the account lockout originates, and also if it is possible that an AD account on a fresh machine, gets auto-locked for a reason I don't know.
Bix
-
Friday, January 25, 2013 5:40 PM
Well, there are many reasons for an account lockout problem. Most of them are caused by mistyping passwords; however, it is pretty clear that brute-forcing the password can be a reason as well. You also have to verify your systems and see if they are infected with the Conficker worm. So I suggest you check the following options to determine which point is causing the problem:
- Password Mistypes
- Conficker Worm
- Services which are configured with wrong passwords (Services.msc)
- Network mapped drives with wrong passwords.
I experienced a similar problem with Operations Manager and Active Directory. At last I managed to find the root of the problem: the OM services in Services.msc were configured with wrong passwords and were trying to authenticate themselves with those passwords.
Regards.
- Proposed As Answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Monday, February 11, 2013 1:39 AM
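The client-side checks listed in this reply (services, mapped drives, plus the scheduled tasks and Credential Manager entries mentioned elsewhere in the thread) can be swept in one pass. The script below is an added example, not code posted in the thread; it targets Windows 7 / PowerShell 2.0 (hence Get-WmiObject and schtasks rather than the newer cmdlets), and the $Account value is a hypothetical placeholder:

```powershell
# Added example (not code from the thread). Sweeps one Windows client for the
# places where a stale password for a given account usually sits: service
# logon accounts, scheduled-task "Run As" users, Credential Manager entries,
# mapped drives and processes running under the account.
# Run it on the suspect machine from an elevated PowerShell started AS the
# affected user, so that cmdkey and net use show that user's vault/sessions.
param([string]$Account = 'CONTOSO\bixus')   # DOMAIN\sAMAccountName, hypothetical

$short = ($Account -split '\\')[-1]         # sAMAccountName only

Write-Host "== Services whose logon account contains '$short' =="
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -like "*$short*" } |
    Select-Object Name, State, StartName, PathName |
    Format-Table -AutoSize

Write-Host "== Scheduled tasks running as '$short' =="
# schtasks /v /fo csv exists on Windows 7; Get-ScheduledTask needs Windows 8+.
# schtasks repeats the header row per task folder, so drop those pseudo-rows.
schtasks /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -like "*$short*" } |
    Select-Object TaskName, 'Scheduled Task State', 'Run As User', 'Last Run Time', 'Last Result' |
    Format-Table -AutoSize

Write-Host "== Credential Manager entries (current user's vault) =="
cmdkey /list

Write-Host "== Mapped drives / SMB sessions (current user) =="
net use

Write-Host "== Processes running under '$short' =="
Get-WmiObject Win32_Process | ForEach-Object {
    $owner = $_.GetOwner()          # returns Domain/User; empty for SYSTEM-owned processes
    if ($owner.User -eq $short) {
        New-Object PSObject -Property @{
            PID   = $_.ProcessId
            Name  = $_.Name
            Owner = "$($owner.Domain)\$($owner.User)"
        }
    }
} | Format-Table PID, Name, Owner -AutoSize
```

Because the thread already rules out the user's freshly imaged laptop, the more useful target for this sweep is every other box the account touches, such as the SQL Server he connects to over RDP: a disconnected session there that still holds the old password is a classic lockout source, and `query user /server:<name>` lists such sessions before you log on to run the sweep.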
-
Friday, January 25, 2013 7:56 PM
I am assuming the user changes his password after every lockout?
Also, what kind of router/firewall does your office have? Does it have any kind of IDS or packet inspection on it? Or does any device on your network do any kind of packet sniffing? If not, you could try putting wireshark on both the laptop and server and verify that the only packets containing this user's credentials are coming only from his laptop and/or SQL usage.
- Proposed As Answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Monday, February 11, 2013 1:39 AM
-
Saturday, January 26, 2013 12:43 PM
Has the user saved his password on the machine? IE, any browser, mail app, etc.
What if you create a new user and don't change the password? Will this again get locked frequently?
-
Saturday, January 26, 2013 2:11 PM
Check Credentials manager on the machine. Also delete cached passwords in IE and in the end don't believe the user when he says that he didn't use mobile devices :). It might be that the user has configured email on one of the devices.
These are the most frequent reasons for account lockouts.
-
Wednesday, February 06, 2013 4:32 PM
Thank you all for your answers and sorry for the late reaction, I've been sick lately and couldn't get to this sooner.. :s
So:
- @Mahdi Tehrani: I have supervised the user myself and even gave him a new, easy password; mistyping is not the issue. I checked services.msc also, and nothing at all is running using the user's account (I made sure to display all the services by all users). Network drives could have been an issue as well, but then we had the user connect on a brand-new computer and the problem happened again (with zero network drives mapped, that is). The Conficker worm I haven't tested yet, but as I told you it is on a fresh computer, the other computer being shut down. We have a corporate Forefront running, with the latest patches and running well; I suppose Conficker would have been spotted somewhere. Anyway, thanks for the lead, I'll be sure to run a scan session on the user's PC just to be sure.
- @icsi-jw: we tried almost every possibility: have the user
- @ArnavSharma: the weirdest thing is this new laptop test: the user connected to a brand-new fresh install, where nothing was cached or saved, and the problem happened again and again. I'll have the user test with another account (domain, as they have to use domain resources) if they're up for it.
- @Natty976: Excellent suggestion. I have checked the Credential Manager and nothing suspicious is to be seen. Cached passwords in IE is another good suggestion, but the user had a brand-new laptop and the problem happened; there were no cached passwords yet. As for the mobile devices, clearly I don't believe the user, but I have no sufficient authority to search them ;)
So, a few more things to try and I'll let you guys know, thanks for your suggestions anyway!
Bix
-
Wednesday, February 06, 2013 7:39 PM
Hi,
Typically when I have seen this in the past we had to find the originating machine for the problem. The lockout status application will tell you the DC which is being used by the locking behavior. You will need to inspect that DCs Event logs to see if you can find a related entry for the user and source machine. If you do not, then you might want to consider changing the parameters on what is audited on DCs. As you and others have indicated above, there are many things that can lock an account and finding the source is crucial.
If this does not help and you suspect that it might be a device attaching to their mailbox (assuming Exchange), then temporarily disable ActiveSync on the mailbox and see if the problem goes away.
HTH ~ fr3dd
- Proposed As Answer by K_evin Zhu, Microsoft Contingent Staff, Moderator, Monday, February 11, 2013 1:38 AM
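The step fr3dd describes (take the "Orig Lock" DC from LockoutStatus.exe, then inspect that DC's Security log for entries that name the user and a source) is where the source IP the original poster is asking for actually lives: a 4740 only carries a Caller Computer Name, but the Kerberos pre-authentication failure (4771) that precedes it carries the client IP address, and the NTLM credential-validation failure (4776) carries the source workstation. The script below is an added example, not code posted in the thread or shipped by Microsoft. It assumes the Advanced Audit Policy subcategories "Kerberos Authentication Service" and "Credential Validation" are set to (at least) Failure on the DCs, that the caller can read the DC's Security log remotely (Event Log Readers membership and the Remote Event Log Management firewall rule), and the $User and $DC values are hypothetical placeholders:

```powershell
# Added example (not from the thread). For one account, list each 4740 lockout
# on a DC together with the 4771 (Kerberos pre-auth failure, has client IP)
# and 4776 (NTLM validation, has source workstation) events for that account
# in the minutes before the lockout. Written for PowerShell 2.0 on 2008 R2.
# Assumes auditing of "Kerberos Authentication Service" and "Credential
# Validation" failures is enabled on the DC and that the Security log is
# readable remotely. $User and $DC are hypothetical placeholders.
param(
    [string]$User      = 'bixus',   # sAMAccountName of the locked-out account (hypothetical)
    [string]$DC        = 'DC01',    # the "Orig Lock" DC from LockoutStatus.exe (hypothetical)
    [int]   $WindowMin = 15,        # minutes to look back before each lockout
    [int]   $Days      = 2          # how far back to search for 4740s
)

# Read an EventData field by name instead of by index, so OS-version
# differences in field order do not silently return the wrong column.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name } | Select-Object -First 1).'#text'
}

function Get-FailedAuthBefore {
    param([datetime]$Until)
    $filter = @{ LogName = 'Security'; Id = 4771, 4776
                 StartTime = $Until.AddMinutes(-$WindowMin); EndTime = $Until }
    Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
        ForEach-Object {
            $e = $_
            if ($e.Id -eq 4771) {
                # Kerberos: Status 0x18 = wrong password; IpAddress is the client (often ::ffff:a.b.c.d)
                $src = (Get-EventField $e 'IpAddress') -replace '^::ffff:', ''
            } else {
                # NTLM: Status 0xC000006A = wrong password, 0xC0000234 = already locked;
                # Workstation is the machine that sent the NTLM request to the DC
                $src = Get-EventField $e 'Workstation'
            }
            New-Object PSObject -Property @{
                Time   = $e.TimeCreated
                Id     = $e.Id
                Status = Get-EventField $e 'Status'
                Source = $src
            }
        }
}

$lockouts = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue | Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User }

if (-not $lockouts) { Write-Host "No 4740 for $User on $DC in the last $Days day(s)."; return }

foreach ($lo in ($lockouts | Sort-Object TimeCreated)) {
    # In a 4740 the field named TargetDomainName is what the UI labels "Caller Computer Name".
    $caller = Get-EventField $lo 'TargetDomainName'
    Write-Host ("`n{0}  4740 on {1}  CallerComputerName='{2}'" -f $lo.TimeCreated, $DC, $caller)
    $fails = @(Get-FailedAuthBefore -Until $lo.TimeCreated)
    if ($fails.Count -eq 0) {
        Write-Host "  no 4771/4776 for $User in the preceding $WindowMin min on $DC: check the audit policy, or run against the other DCs"
    } else {
        $fails | Sort-Object Time | Format-Table Time, Id, Status, Source -AutoSize | Out-String | Write-Host
    }
}
```

Two caveats a practitioner should keep in mind. First, the bad-password counter is replicated to the PDC emulator, so the 4771/4776 events may sit on whichever DC the client actually talked to rather than on the DC that logged the 4740; if the script finds nothing, run it against each DC in turn. Second, when the Source column of a 4776 is a member server rather than a client (an Exchange CAS, an IIS box, a Remote Desktop gateway), that server is only relaying the authentication: repeat the hunt on that server, where its own 4625 logon-failure events carry the network address of the device behind it. That is exactly the ActiveSync case fr3dd describes above, and it is also why the 4740's Caller Computer Name is blank for non-Windows clients.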