Account keeps locking out..

  • Question

  • Hi

    We are using AD 2003 on Windows 2003 servers.

    There is an account - domain\account1 - that keeps locking out. I suspect that either someone is trying to continuously authenticate using a wrong password or, more likely, there is an application that is set to use this account which has an old password.

    I've run EventComb with the following parameters:

    Security, Failure Audit, All DC's in domain, Event ID 528
    Text: domain\account1

    But I'm getting no results.

    Can anyone tell me what I'm doing wrong?

    Monday, February 8, 2010 10:19 AM

Answers

All replies

  • Hi Sheen ,

    This issue may occur if you have a virus that performs a kind of dictionary attack, so you need to observe the logging activities.

    You can find the below link useful  

    http://blogs.technet.com/isablog/archive/2009/06/12/troubleshooting-authentication-issues-in-isa-server-using-net-logon-logging.aspx

    Monday, February 8, 2010 10:46 AM
    • Proposed as answer by Wilson Jia Tuesday, February 9, 2010 7:12 AM
    • Marked as answer by Wilson Jia Friday, February 12, 2010 7:41 AM
    Monday, February 8, 2010 11:07 AM
  • Howdie!

    Sheen1990 wrote:
    > There is an account - domain\account1 - that keeps locking out. I
    > suspect that either someone is trying to continuously authenticate using
    > a wrong password or, more likely, there is an application that is set to
    > use this account which has an old password.

    Enable auditing on the domain controllers (you best do this by enabling
    it via Group Policy and link it to the Domain Controllers OU). Once the
    account is locked again, you should have an event logged in one of the
    DC's security log. EventComb already is your choice of tool, that's a
    good thing.

    Most of the time, it's a service running in the user's context/with the
    old password or a rough Terminal Server session with an application that
    tries authentication over and over again.

    Cheers,
    Florian

    Microsoft MVP - Group Policy (http://www.frickelsoft.net/blog)
    Monday, February 8, 2010 11:39 AM
  • Hi Sheen,

    Thank you for posting here.

    The KB article 315585 may be helpful for you to troubleshoot account lockout issue.

    http://support.microsoft.com/kb/315585

    Regards,
    Wilson Jia
    This posting is provided "AS IS" with no warranties, and confers no rights.
    Tuesday, February 9, 2010 7:15 AM
  • For situations like this we developed an automatic tool called NetWrix Account Lockout Examiner, which analyzes many different things that might cause an account lockout. Give this tool a try (see www.netwrix.com for download). Sorry for the vendor plug...
    Thursday, December 27, 2012 5:30 PM
  • On the domain controller, look through the Security log...  Search for the account that is getting locked out...

    You should be able to find something like this:

    User Account Locked Out:
        Target Account Name:    lockedoutuser1
        Target Account ID:      domaintest\lockedoutuser1
        Caller Machine Name:    Machine1

    This will tell you what machine is locking out the account... this can be helpful in further troubleshooting...


    The next step would be to go to the machine1 server (desktop) and look through the services on the machine.  Many times, people will install a service with a domain user account (as startup type).  This is problematic as when the domain account password changes, it is not automatically updated on the service...

    Anyway, if you still need to troubleshoot this further, you can use a tool called: LockoutStatus.exe  

    http://www.microsoft.com/downloads/details.aspx?FamilyID=d1a5ed1d-cd55-4829-a189-99515b0e90f7&DisplayLang=en

    In addition, it may be required to enable Kerberos logging on your DC's...

    http://support.microsoft.com/default.aspx?scid=kb;en-us;262177

    In addition, you may be required to run some netcap captures.... to analyze traffic...

    Hope it works for you.

    Friday, December 28, 2012 12:00 PM
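
Added example (not part of the original thread): a small parser that tallies the "Caller Machine Name" of "User Account Locked Out" events for one account, to show which machine to inspect first. It assumes the DC Security log event descriptions were exported as plain text in the format quoted in the last reply; the function names and the sample records are constructed for illustration.

```python
import re
from collections import Counter

MARKER = "User Account Locked Out:"
FIELDS = ("Target Account Name", "Target Account ID", "Caller Machine Name")

# Constructed sample: one flattened record (as pasted in the thread) and
# three multi-line records, as a text export of event descriptions might look.
SAMPLE = r"""
User Account Locked Out:          Target Account Name:        lockedoutuser1          Target Account ID:        domaintest\lockedoutuser1          Caller Machine Name:        Machine1
User Account Locked Out:
    Target Account Name:    lockedoutuser1
    Target Account ID:      domaintest\lockedoutuser1
    Caller Machine Name:    MACHINE1
User Account Locked Out:
    Target Account Name:    otheruser
    Target Account ID:      domaintest\otheruser
    Caller Machine Name:    Machine2
User Account Locked Out:
    Target Account Name:    lockedoutuser1
    Target Account ID:      domaintest\lockedoutuser1
    Caller Machine Name:    TS01
"""

def _field(chunk, label):
    # A value ends at a run of 2+ blanks (flattened form) or at end of line.
    pat = re.escape(label) + r":[ \t]*([^\r\n]*?)(?=[ \t]{2,}|[\r\n]|$)"
    m = re.search(pat, chunk)
    return m.group(1).strip() if m else ""

def parse_lockouts(text):
    """Return one dict per lockout record found in the exported text."""
    return [{f: _field(chunk, f) for f in FIELDS}
            for chunk in text.split(MARKER)[1:]]

def lockout_sources(text, account):
    """Count lockouts per caller machine for 'user' or 'domain\\user'."""
    wanted = account.lower()
    key = "Target Account ID" if "\\" in wanted else "Target Account Name"
    tally = Counter()
    for rec in parse_lockouts(text):
        if rec[key].lower() == wanted:
            # Machine names are case-insensitive; an empty caller is kept visible.
            tally[rec["Caller Machine Name"].upper() or "(blank)"] += 1
    return tally

if __name__ == "__main__":
    for machine, n in lockout_sources(SAMPLE, r"domaintest\lockedoutuser1").most_common():
        print(f"{machine}: {n} lockout event(s)")
```

The machine with the highest count is the first place to check for services, scheduled tasks or stale sessions still using the old password.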