User account lockout every day, Windows 7 / Windows 2008 R2

    Question

  • Hi,

    We have a user whose account keeps locking out every day.

    I have enabled Netlogon logging on the PDC and the other servers following this article: http://support.microsoft.com/kb/109626

    I have used http://www.microsoft.com/en-us/download/details.aspx?id=18465 to troubleshoot where the account is being locked out from.

    When I run LockoutStatus.exe to see which DC locked the account, it tells me the PDC has locked the user account.

    When I check the PDC Netlogon log, it tells me it was because DC2 asked. When I check the DC2 Netlogon log, it tells me that the RSA server asked to lock this account.

    When I check the Netlogon log on the RSA server, it doesn't tell me anything.

    Is there any way I can find out why the account is locking out?

    I know what is causing this account to lock out, but I can't figure out how to find this device. As far as I know it's an iPhone or iPad which is causing this account to lock out.


    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          30/08/2012 07:23:29
    Event ID:      4740
    Task Category: User Account Management
    Level:         Information
    Keywords:      Audit Success
    User:          N/A
    Computer:      PDC
    Description:
    A user account was locked out.

    Subject:
    Security ID: SYSTEM
    Account Name: PDC$
    Account Domain: DOMAIN
    Logon ID: 0x3e7

    Account That Was Locked Out:
    Security ID: DOMAIN\USER
    Account Name: DOMAIN

    Additional Information:
    Caller Computer Name:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328}" />
        <EventID>4740</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>13824</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8020000000000000</Keywords>
        <TimeCreated SystemTime="2012-08-30T06:23:29.116920400Z" />
        <EventRecordID>3364953631</EventRecordID>
        <Correlation />
        <Execution ProcessID="608" ThreadID="6100" />
        <Channel>Security</Channel>
        <Computer>PDC.DOMAIN.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="TargetUserName">USER</Data>
        <Data Name="TargetDomainName">
        </Data>
        <Data Name="TargetSid">S-1-5-21-284166382-85745802-1543857936-2058</Data>
        <Data Name="SubjectUserSid">S-1-5-18</Data>
        <Data Name="SubjectUserName">PDC$</Data>
        <Data Name="SubjectDomainName">DOMAIN</Data>
        <Data Name="SubjectLogonId">0x3e7</Data>
      </EventData>
    </Event>
    • Edited by LalaJee Thursday, August 30, 2012 7:06 AM more details
    Thursday, August 30, 2012 7:05 AM
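The chain the poster reconstructs by hand from the Netlogon logs (PDC told by DC2, DC2 told by the RSA server) can be pulled out of Netlogon.log mechanically. The PowerShell below is an added example, not code from the thread: it assumes the standard Netlogon.log line shape (`MM/DD HH:MM:SS [LOGON] [pid] DOMAIN: SamLogon: <type> logon of DOMAIN\user from <client> (via <forwarding DC>) Returns 0x...`), uses a constructed sample in place of a real log, and tallies wrong-password (0xC000006A) and locked-out (0xC0000234) results per source so the client behind the lockout stands out. The function name `Get-NetlogonFailureSummary` and the sample host names are assumptions; PowerShell 3.0 or later is assumed for `[pscustomobject]`.

```powershell
# Added example (not from the thread): summarise Netlogon.log results for one account,
# grouped by the client that sent the logon and the DC that forwarded it.
function Get-NetlogonFailureSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,    # raw Netlogon.log lines
        [Parameter(Mandatory)][string]$Account     # DOMAIN\user as it appears in the log
    )
    # Only the "Returns 0x..." line carries the status; "Entered" lines are skipped.
    $pattern = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \[\d+\] \S+: SamLogon: .+? logon of (?<acct>\S+) from (?<from>\S+)(?: \(via (?<via>\S+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'

    $hits = foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }
        if ($m.Groups['acct'].Value -ne $Account) { continue }   # -ne is case-insensitive
        [pscustomobject]@{
            Time   = $m.Groups['ts'].Value
            From   = $m.Groups['from'].Value
            Via    = if ($m.Groups['via'].Success) { $m.Groups['via'].Value } else { '-' }
            Status = $m.Groups['status'].Value
        }
    }

    # One row per (client, forwarding DC) pair; NTSTATUS 0xC000006A = wrong password,
    # 0xC0000234 = account locked out. String -eq in PowerShell ignores case.
    $hits | Group-Object From, Via | ForEach-Object {
        $g = $_.Group
        [pscustomobject]@{
            From          = $g[0].From
            Via           = $g[0].Via
            WrongPassword = @($g | Where-Object { $_.Status -eq '0xC000006A' }).Count
            LockedOut     = @($g | Where-Object { $_.Status -eq '0xC0000234' }).Count
            FirstSeen     = $g[0].Time
            LastSeen      = $g[-1].Time
        }
    } | Sort-Object WrongPassword -Descending
}

# Constructed sample lines (hypothetical hosts RSASRV, DC2, WS-FINANCE01, WS-HR02),
# shaped like what the PDC would log for attempts forwarded to it by DC2.
$sample = @'
08/30 07:23:01 [LOGON] [608] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\USER from RSASRV (via DC2) Entered
08/30 07:23:01 [LOGON] [608] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\USER from RSASRV (via DC2) Returns 0xC000006A
08/30 07:23:05 [LOGON] [608] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\USER from RSASRV (via DC2) Returns 0xC000006A
08/30 07:23:10 [LOGON] [608] DOMAIN: SamLogon: Network logon of DOMAIN\USER from WS-FINANCE01 Returns 0x0
08/30 07:23:20 [LOGON] [608] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\USER from RSASRV (via DC2) Returns 0xC000006A
08/30 07:23:29 [LOGON] [608] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\USER from RSASRV (via DC2) Returns 0xC0000234
08/30 07:23:40 [LOGON] [608] DOMAIN: SamLogon: Network logon of DOMAIN\OTHERUSER from WS-HR02 Returns 0xC000006A
'@ -split "`r?`n"

Get-NetlogonFailureSummary -Lines $sample -Account 'DOMAIN\USER' | Format-Table -AutoSize
# On a DC with Netlogon logging enabled (KB109626), read the real file instead:
# Get-NetlogonFailureSummary -Lines (Get-Content "$env:windir\debug\netlogon.log") -Account 'DOMAIN\USER'
```

With the sample, the row for RSASRV via DC2 shows three wrong-password results followed by the locked-out result, while the successful logon from WS-FINANCE01 shows zero failures; the `From` column on the PDC is the original client and `Via` is the DC that forwarded the attempt, which is exactly the hop the poster had to follow by reading two logs. The `Entered` line is ignored because only the matching `Returns` line carries the status code.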

All replies

  • I guess that is as far as Windows can give you traces. Contact RSA to see if there are any additional logging options in the RSA product; hopefully there is a mapping between devices and usernames (sAMAccountNames) so you can review the devices that the particular user uses.

    Enfo Zipper Christoffer Andersson – Principal Advisor

    Thursday, August 30, 2012 7:23 AM
  • The RSA server is only being used for WiFi auth; it's not being used for anything else.

    I know when an Apple device connects to WiFi using this user ID, but it can't get access; it's being blocked by our system.

    Is there any trace software I can run on the RSA server to see which user is making the request and from which IP address?

    • Edited by LalaJee Thursday, August 30, 2012 7:29 AM more details
    Thursday, August 30, 2012 7:27 AM
  • Do you mean RSA? Or RAS/RRAS, as in Routing and Remote Access in Windows Server? If it's an RSA product, again I suggest looking for a logging option in that product.

    Enfo Zipper Christoffer Andersson – Principal Advisor

    Thursday, August 30, 2012 7:32 AM
  • This server used to be for RSA (VPN), but now it's not being used for that; it's being used for WiFi auth.
    Thursday, August 30, 2012 7:39 AM
  • Netwrix has got a tool, Account Lockout Examiner; you may want to give it a try.

    http://www.netwrix.com/account_lockout_examiner.html



    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, August 30, 2012 9:36 AM
    Moderator
  • I have already tried the Netwrix tool, which was no help at all.

    I have followed http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx but still I haven't got to know where from. I can't run a trace on the user's PC because I don't know which PC is locking the account.

    Thursday, August 30, 2012 9:54 AM
  • Can you use a tool like Netmon/Wireshark to monitor the traffic? It might provide you some headway towards identifying the problem.



    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by LalaJee Tuesday, September 04, 2012 7:17 AM
    Thursday, August 30, 2012 9:57 AM
    Moderator
  • I have run Microsoft Network Monitor on the server which Netlogon was telling me is locking the account. It displays a MAC address which belongs to an Apple device, and we can't find that device on our system.

    I have searched in all the possible places where this device's MAC might be, but nothing.

    Do you know any software I can run on the server which can let me know this user is trying to connect to this server, and tell me the IP address and the current user who is using this device?

    Thursday, August 30, 2012 2:27 PM
  • You have already got the source now, and you need to work with the security/network team to trace from where this MAC address is being registered into the Netlogon.log file. It can be a mobile/handheld device which is in use and contains a saved password. There is no such tool, but you have already found the source; now you just have to find the actual device.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Thursday, August 30, 2012 2:32 PM
    Moderator
  • I have passed the information to the network guys, who told me that this MAC address doesn't exist anywhere in our company.

    I think that this will be an Apple device which is causing this. Is there any way I can get the IP address or serial number for this device?

    This is really painful now; I have tried everything I can think of.

    Thursday, August 30, 2012 2:36 PM
  • If those devices are connected to a public network, then you can't. If they received an IP from your LAN via DHCP, then you have the MAC/IP address registered in DHCP/DNS, but the device ID is something AD doesn't keep track of.

    If you feel you are running out of options, then it's time to call Microsoft PSS (paid support) to resolve the issue.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, August 30, 2012 2:40 PM
    Moderator
  • I have been talking to them for the last few weeks and keep going in loops, checking security logs again and again. This account has been locking out for a few months.

    I have checked DHCP/DNS to look up this MAC address against IP addresses, but I couldn't find anything.

    I thought someone might have had the same problem in the past and know how I can fix this.

    If you know anything else I can try, please do let me know.

    Thursday, August 30, 2012 2:43 PM
  • LALAJEE,

    Through Lockout Status you will find the DC where the account is getting locked. Go to that DC, open Event Viewer, open the 4740 event, and below you will find the IP address or machine name which is causing the account lockout. If it doesn't show the IP details, it means your account is configured in some non-Windows application; try to remove the account from the application.

    Hope this helps


    Ahmed Gaziyani Enterprise Admin.

    Thursday, August 30, 2012 3:10 PM
  • Ahmed,

    I have checked the event log on that DC for 4740 (Windows 2008); it had no IP address or machine name.

    I don't know which device might be using this user ID. If I can figure out which device is using this user ID, then I can reset or delete this user info.

    Thursday, August 30, 2012 3:13 PM
  • 1. Netlogon logging is not enough. Please also enable Kerberos logging.
    2. Event 4740 is just the lockout event; it's also not enough for tracing the lockout source. Suppose the last authentication attempt was from PC A, while the previous bad attempts were from PC B; then it will be useless troubleshooting on PC A.

    So, according to your password policy (for example, 10 bad passwords to lock out), check the previous authentication attempts one by one. If they were from the same source, you can determine the source (suppose it's RSA), and you can go on working on that one and check its security logs.

    Filter the events using (529, 644, 675, 676, and 681), adding 4096 for 2008+.

    3. The account name is User? What's the account used for? A service account? As it will be inconvenient to troubleshoot an account lockout issue via the forum, you could choose to open a ticket with the CTS AD team; it will be more efficient.

    Thanks, Brian


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by LalaJee Tuesday, September 04, 2012 7:16 AM
    Friday, August 31, 2012 4:11 PM
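Brian's advice is to walk back from the 4740 through the earlier bad-password events on the DC and see whether they share a source. As an added example (not Brian's or the thread's code), the PowerShell below does that walk on a Windows Server 2008 R2 or later DC: it finds each 4740 for the account, reads the Caller Computer Name out of the event's `TargetDomainName` data field (the field that is blank in the event the poster pasted), then tallies the 4771, 4776 and 4625 failures in the window before the lockout by their source address or workstation. The function name `Get-LockoutSources`, the 30-minute default window and the nested helper are assumptions; the event IDs are the 2008+ successors of the legacy IDs in the reply (4771 for 675, 4776 for 681, 4625 for 529, 4740 for 644), and auditing of those categories must already be enabled on the DC. PowerShell 3.0 or later is assumed.

```powershell
# Added example (not from the thread): on a DC, locate each 4740 lockout for an account and
# tally the failed-authentication events that preceded it, grouped by the reported source.
# Run on the PDC emulator first (it records every lockout), then on whichever DC the 4740,
# LockoutStatus.exe or Netlogon.log points at, since that DC holds the 4771/4776/4625 events.
function Get-LockoutSources {
    param(
        [Parameter(Mandatory)][string]$Account,          # sAMAccountName, e.g. 'USER'
        [string]$ComputerName = $env:COMPUTERNAME,       # DC whose Security log to read
        [int]$WindowMinutes   = 30                       # assumed look-back before each 4740
    )

    # Turn an event's <EventData> into a hashtable keyed by the Data Name attribute,
    # i.e. the same <Data Name="TargetUserName">USER</Data> elements the poster pasted.
    function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
        $xml = [xml]$Event.ToXml()
        $h = @{}
        foreach ($d in $xml.Event.EventData.Data) { $h[[string]$d.Name] = ([string]$d.'#text').Trim() }
        return $h
    }

    # Which data field names the source in each failure event:
    # 4771 (Kerberos pre-auth failed) and 4625 (logon failed) carry an IP, 4776 (NTLM) a workstation name.
    $SourceField = @{ 4771 = 'IpAddress'; 4776 = 'Workstation'; 4625 = 'IpAddress' }

    $lockouts = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
        Where-Object { (ConvertTo-EventData $_)['TargetUserName'] -eq $Account }

    foreach ($lo in $lockouts) {
        $loData = ConvertTo-EventData $lo
        $start  = $lo.TimeCreated.AddMinutes(-$WindowMinutes)

        $failures = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776, 4625; StartTime = $start; EndTime = $lo.TimeCreated
        } -ErrorAction SilentlyContinue | ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d['TargetUserName'] -ne $Account) { return }    # skip other accounts' failures
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Source = $d[$SourceField[[int]$_.Id]]
                Status = $d['Status']                           # e.g. 0x18 (4771) or 0xC000006A (4776/4625)
            }
        }

        [pscustomobject]@{
            LockedAt       = $lo.TimeCreated
            CallerComputer = $loData['TargetDomainName']   # 4740 stores "Caller Computer Name" here; blank for non-Windows callers
            Failures       = @($failures).Count
            TopSources     = (@($failures) | Group-Object Source | Sort-Object Count -Descending |
                              ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
        }
    }
}

Get-LockoutSources -Account 'USER' | Format-Table -AutoSize
```

One row comes back per lockout, with the sources of the preceding failures ranked by count; when they all point at one host, that host is the place to look next, as Brian says. A 4771 or 4776 raised by a RADIUS-fronting box such as the RSA server names that server, not the phone behind it, so for a WiFi client the next hop is that server's own log or a capture on it, which is how this thread is eventually resolved.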
  • The account name is User? This is what I have changed to hide the user from the public forum.

    What's the account used for? It's a standard AD account.

    A service account? No.

    Monday, September 03, 2012 6:50 AM
  • Hi,

    You can use the AloInfo tool from ALTools to analyse on the RSA server which application is sending the incorrect password. Please go through the link below for more details.

    http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/A_532-Finding-root-cause-of-Account-lockouts.html

    Monday, September 03, 2012 7:23 AM
  • As you have already found the source (you know the account name and know that it's an Apple device), why don't you ask the user to check the device directly? In most cases, it's a saved credential.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Tuesday, September 04, 2012 2:17 AM
  • Since you have narrowed down the issue to an Apple device causing it: it could be that the device is configured with AD credentials for connecting (like Exchange); if it fails to connect 3 times (depending on your GPOs), it locks his account. Have a look at all his stuff that uses his user account automatically (90% of the time guilty).


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, September 04, 2012 5:55 AM
  • After activating Netlogon logs on the servers, I found which server was the one locking the account. On that server I activated Kerberos logging as per Brian's recommendation and ran a packet capture on the server. It gave me the MAC address of the device which was locking this account. Then I found out which device it was, which was Apple Inc. After that I sent an email to all of the users asking them for the MAC addresses of their iPhones and iPads. One of the users came back saying this MAC address belongs to my device. I checked the device but still couldn't find any details of the user on it. I just reset the full device.

    Now it's been a day and the user account has not been locked out yet. I'm hoping this has fixed the problem for me now.

    Tuesday, September 04, 2012 6:52 AM
  • Thank you all for your help. Thank you so much for replying to my post.
    Tuesday, September 04, 2012 6:52 AM