someone is locking user accounts

  • Question

  • hi,

    Is there any way to determine who is locking user accounts? Any application through LDAP, or another way? Is there any way to find the IP? We have two DCs, 2008 and 2003.

    thanks,
    n

    Friday, May 11, 2012 7:08 PM

Answers

  • User accounts are generally locked due to a scheduled task/service/mapped network drive on a computer.

    You can use the Microsoft Lockout Status tool to get the information on when the user account got locked (date and time).

    Apart from this you will also get information like on which DC the account got locked, how many bad passwords, AD site, etc.

    This is a very helpful tool. Using this we can check which computer the account is getting locked from.

    You can download the tool from the link below.

    http://www.microsoft.com/download/en/details.aspx?id=15201

    Troubleshooting Active Directory Lockout Issue.

    http://msexchangeguru.com/2012/03/08/ad-lockout/

    I use the same tool and I follow the procedure below:

    1. Check the DC where the account lockout event IDs are getting generated using the Lockout Status tool.

    2. Log on to the DC ---> Security Event Viewer -----> search for event ID 644 on Windows Server 2003 (on Windows Server 2008 the ID is 4740) ------> double-click on the event and check the system name from which the events are getting logged.

    3. Log in to the computer and make sure none of the services/scheduled tasks/mapped network drives are causing the account lockouts.

    Below is a thread which you can refer to, which discusses the same dilemma.

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/cd00f4c1-b8c0-4e11-be47-aaa994d784ee

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, May 11, 2012 7:30 PM
  • If you are auditing account logon events you can check your event logs for event 4740: http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740

    A good blog about how the PSS team troubleshoots account lockout: http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

    If you are getting a lot of random lockouts, look for malware (Conficker for example).

    Thanks

    Mike


    http://adisfun.blogspot.com
    Follow @mekline

    Friday, May 11, 2012 7:31 PM
  • If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm.
    On the DC check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

    If it is spread on multiple PCs, create a GPO. Refer to the MS link below; the symptoms of the Conficker virus are given there, and also how to deploy the policy to block the same.
    http://support.microsoft.com/kb/962007

    Also make sure that all the PCs as well as servers are patched and the latest virus definitions are present on all PCs.

    Note: If event ID 644 has not occurred then this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, May 12, 2012 2:01 AM
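    Added example, not from any of the replies above: a PowerShell script that does what Prashant's steps 1 and 2 and Sandesh's "same caller machine" check describe, pulling event 4740 from the PDC emulator and grouping the lockouts by caller computer name. It assumes Windows PowerShell 3.0 or later with the RSAT ActiveDirectory module, read access to the DC's Security log, a 2008-level DC holding the PDC emulator role (so event 4740, not 644), and that user account management auditing is enabled.

```powershell
# Added example, not from the thread. Lists account lockouts (event 4740) recorded on the
# PDC emulator and groups them by the caller computer name, so a machine that keeps
# locking accounts stands out. Assumes the RSAT ActiveDirectory module, read access to
# the DC Security log, and that "Audit User Account Management" is enabled.
param([int]$Hours = 24)

Import-Module ActiveDirectory

# Every lockout in the domain is also processed by the PDC emulator, so one DC is enough.
$pdc = (Get-ADDomain).PDCEmulator

$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

if (-not $events) {
    Write-Warning "No 4740 events on $pdc in the last $Hours hours; check that user account management auditing is enabled."
    return
}

# Event 4740 XML: TargetUserName = locked account, TargetDomainName = caller computer name.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $data['TargetUserName']
        Caller  = $data['TargetDomainName']   # shown as "Caller Computer Name" in Event Viewer
    }
}

# One caller machine locking many different accounts is the worm/brute-force pattern;
# one account locked repeatedly from one machine points at a stale credential there.
$rows | Group-Object Caller | Sort-Object Count -Descending |
    Select-Object Count, @{n='Caller';e={$_.Name}},
        @{n='Accounts';e={($_.Group | ForEach-Object { $_.Account } | Sort-Object -Unique) -join ', '}} |
    Format-Table -AutoSize

# Chronological detail for follow-up on the machine(s) identified.
$rows | Sort-Object Time | Format-Table Time, Account, Caller -AutoSize
```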
  • If a single account is getting locked it could be due to the reasons below.
    • user's account in stored user names and passwords
    • user's account tied to a persistent mapped drive
    • user's account used as a service account
    • user's account used as an IIS application pool identity
    • user's account tied to a scheduled task
    • un-suspending a virtual machine after a user's password was changed
    • A SMARTPHONE!!!

    If a user ID is getting frequently locked out, use EventComb/LockoutStatus.exe to determine which DC it is being locked out upon, then examine the security log of that domain controller to determine the member server or workstation it is occurring on. You can then check scheduled tasks/services to nail it down, or log the user out of the system identified if logged in.

    Does the user involved have a smartphone or some kind of mobile device using AD credentials for connecting (like Exchange)? If it fails to connect 3 times (depending on your GPOs), it locks his account. Have a look at all his stuff that uses his user account automatically, especially his mobile (90% of the time guilty).

    Refer to the links below for more steps on troubleshooting account lockout.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/94a7399f-7e7b-4404-9509-1e9ac08690a8/
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1c7e66a4-6a81-4118-89df-2e290852c3cc/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Saturday, May 12, 2012 2:02 AM
  • You can use the 3rd-party tool from Netwrix; with it, the source of the account lockout can be traced easily. You can also use Wireshark/Netmon to capture the traffic to find the account-locking source.

    I agree with Mike, there can be a Conficker worm presence in your network and you might want to give it a try.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, May 14, 2012 6:16 AM
  • Hi

    Use the link below to find the offending machine.

    http://www.windowstricks.in/2009/07/account-lockout.html

    Regards,

    Ganesh

    www.windowstricks.in

    Monday, May 14, 2012 8:02 AM
  • Hi natip,

    Thanks for posting here.

    I'd also like to share some useful materials with you, if that will help to narrow down this issue.

    Active Directory - Troubleshooting Account Lockout information

    http://blogs.technet.com/b/bulentozkir/archive/2009/12/28/active-directory-de-kullan-c-hesaplar-kilitlendi-inde-lockout-bunun-sebebini-bulmak-i-in.aspx

    Thanks.

    Tiger Li

    TechNet Community Support

    Tuesday, May 15, 2012 6:53 AM

All replies

  • I will try, thank you
    Friday, May 11, 2012 9:48 PM