locked
AD Account Locked Question RRS feed

  • Question

  • I have one account which was locked quite often. I have already deleted account setting on iphone and ipad to narrow down the problem. But the account keeps locking all the time. Is there the way to find out which device keeps using this account?
    Tuesday, October 20, 2015 3:17 AM

Answers

  • Hi,
     
    To effectively troubleshoot account lockout, I'd suggest you enable auditing at the domain level for the following events:
     
    Account Logon Events – Failure
    Account Management – Success
    Logon Events – Failure
     
    Also, configure your computers to capture data by enabling Netlogon/Kerberos logging, then carefully analyze the data from the Security event log files and the Netlogon log files, which might help you determine where the lockouts are occurring and why.
     
    These TechNet articles might be helpful for you:
     
    https://technet.microsoft.com/en-us/library/cc776964(v=ws.10).aspx
    https://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, October 20, 2015 6:46 AM
  • Hi,

    On the PDC Emulator role holder DC. Look for this "account lockout event id 4740 in security logs".

    You should get the server\client IP causing the lockout. Once you have that check that machine's logs for more details.

    If the IP belongs to the CAS server, then check the IIS logs for that users connections, to identify which devices are been used to access the account.

    Last resort is to rename the username.


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Tuesday, October 20, 2015 11:40 AM

All replies

  • Hi

     You can check the security logs on event viewer,also you could check with "Account Lockout and Management Tools",

    https://www.microsoft.com/en-us/download/details.aspx?id=18465


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Tuesday, October 20, 2015 6:08 AM
  • Hi,
     
    To effectively troubleshoot account lockout, I'd suggest you enable auditing at the domain level for the following events:
     
    Account Logon Events – Failure
    Account Management – Success
    Logon Events – Failure
     
    Also, configure your computers to capture data by enabling Netlogon/Kerberos logging, then carefully analyze the data from the Security event log files and the Netlogon log files, which might help you determine where the lockouts are occurring and why.
     
    These TechNet articles might be helpful for you:
     
    https://technet.microsoft.com/en-us/library/cc776964(v=ws.10).aspx
    https://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx
     

    Regards,

    Ethan Hua


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Tuesday, October 20, 2015 6:46 AM
  • Here is a quick guide to using MS Account Lockout Tools, additionally you might use free Netwrix Account Lockout Examiner to investigate root cause of lockouts.

    Best Regards,

    Jeff

    Netwrix Technical Evangelist

    Netwrix Blog  Twitter:   LinkedIn:   Facebook:

    Netwrix Auditor  is an IT audit software that maximizes visibility of IT infrastructure changes and data access. The product provides actionable audit data about who changed what, when and where and who has access to what.

    Tuesday, October 20, 2015 11:02 AM
  • Hi,

    On the PDC Emulator role holder DC. Look for this "account lockout event id 4740 in security logs".

    You should get the server\client IP causing the lockout. Once you have that check that machine's logs for more details.

    If the IP belongs to the CAS server, then check the IIS logs for that users connections, to identify which devices are been used to access the account.

    Last resort is to rename the username.


    Regards,

    Satyajit

    Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

    Tuesday, October 20, 2015 11:40 AM