account lockout on windows 2008 r2 and windows 7

Question
-
Hi,
When I check the security logs, Caller Computer Name: is empty. I know why it is empty: it's because the user used his ID on a smart device.
Is there any way I can check which device the user used to check email or something, which now has saved user details?
Is there any way I can tell Windows to record the MAC address of the device which this user ID is being locked by?
4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Wed Jul 04 12:16:21 2012,No User,A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: server$ Account Domain: server Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-284166382-85745802-1543857936-1098 Account Name: userid Additional Information: Caller Computer Name:
c:\account lockout\server-Security_LOG.txt contains 1 parsed events.
- Edited by lalaJee Wednesday, July 4, 2012 1:23 PM more details
Wednesday, July 4, 2012 1:18 PM
All replies
-
Take a look at the article below, if it's applicable. Also, you can't configure logging of the MAC ID, and there is no such function available to achieve it.
The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2
http://support.microsoft.com/kb/2157973
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
Wednesday, July 4, 2012 1:33 PM -
I know the account is being locked by a smart device, which Windows can't resolve to its name.
Is there any way I can get the MAC address of the device by which this lock is being done? For example, if a phone number is locking this account, I would like to get the MAC address for this phone.
Wednesday, July 4, 2012 2:13 PM -
Hi,
As far as I know, we currently can't customize the security event log to record the MAC address of the client.
However, the security event log should record the source network address (IP address).
To troubleshoot the account lockout issue, you may refer to these MS articles:
Troubleshooting Account Lockout
http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
Account Lockout Tools
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
Lawrence
TechNet Community Support
Thursday, July 5, 2012 6:19 AM -
As you can see from the top log, there is no IP address being recorded. I have used the ALTools to track down this account lockout, but the caller machine name is blank.
I searched for event ID 4740.
We are using Windows Server 2008 R2 as our DC.
Are there any other event IDs I can run a search on?
- Edited by lalaJee Thursday, July 5, 2012 8:43 AM more details
Thursday, July 5, 2012 6:53 AM -
Can I use packet capture to resolve an account lockout?
If I use netsh on the Windows 2008 R2 server to capture, and then use Microsoft Network Monitor on these logs to find out where the account has been locked out, e.g. the MAC address.
Thank you
Thursday, July 5, 2012 9:11 AM -
4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Thu Jul 05 10:32:31 2012,No User,A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: server$ Account Domain: domian Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-284166382-85745802-1543857936-1098 Account Name: user-id Additional Information: Caller Computer Name:
c:\account lockout\server-Security_LOG.txt contains 1 parsed events.
Thursday, July 5, 2012 9:41 AM -
Hello,
Did you use SIDtoName to convert the Security ID: S-1-5-21-284166382-85745802-1543857936-1098? http://www.joeware.net/freetools/tools/sidtoname/index.htm
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Thursday, July 5, 2012 1:37 PM -
Hello,
Did you use SIDtoName to convert the Security ID: S-1-5-21-284166382-85745802-1543857936-1098? http://www.joeware.net/freetools/tools/sidtoname/index.htm
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
SIDtoName gives me the user ID, which I know. What I'm looking for is the machine from which this PC is being locked out.
What I have tried:
Used ALTools to check where the user ID is being locked out, and then ran eventcombMT.exe with event ID 4740, as it's Windows 2008 R2.
Checked for saved passwords on the user's PC (where the user logged on).
Checked logs, but nothing.
Netlogon logs are already available.
Asked the user regarding the smartphone and iPad which he has logged on to in the past. Because this user sets up these devices, his account might have been used on 100s of smart devices; it's hard to say which device he used it on unless I can get an IP address or MAC address.
I can't think of anything else I can try.
Please help.
- Edited by lalaJee Thursday, July 5, 2012 2:26 PM more info
Thursday, July 5, 2012 2:15 PM -
4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Thu Jul 05 10:32:31 2012,No User,A user account was locked out. Subject: Security ID: S-1-5-18 Account Name: server$ Account Domain: domian Logon ID: 0x3e7 Account That Was Locked Out: Security ID: S-1-5-21-284166382-85745802-1543857936-1098 Account Name: user-id Additional Information: Caller Computer Name:
c:\account lockout\server-Security_LOG.txt contains 1 parsed events.
Hi,
Where did you get the above message? From the EventCombMT.exe result file, or copied from Event Viewer directly?
If you copied that message from a tool, you may not get the whole information that was recorded in the event log.
Using the log time, trace the log in Event Viewer; you can find detailed log information in the dropdown list of the General tab. That should include a row “Source Network Address”.
Also, you may trace the error with event code 4625; it records the event “An account failed to log on”.
For more information, please refer to the following MS articles:
Description of security events in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/947226
Account lockout
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/94a7399f-7e7b-4404-9509-1e9ac08690a8
Windows 2008 R2 / User account locked out numerous times a day
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ab1b8429-2cd1-4a1f-b276-950e5f41f23e
Lawrence
TechNet Community Support
- Edited by Lawrence,Lu Monday, July 9, 2012 9:12 AM spelling mistakes
- Marked as answer by Lawrence,Lu Monday, July 16, 2012 8:51 AM
Friday, July 6, 2012 8:52 AM -
I got the information from eventcombMT.exe.
I have checked the following event IDs:
4768 4771 4725 4740 4722 4767 4634 4624 4625 4800
- Edited by lalaJee Friday, July 6, 2012 8:55 AM add more info
Friday, July 6, 2012 8:55 AM -
Hi,
EventCombMT.exe does not display all Windows Server 2008 R2 log information in my test.
So after you get the event log through EventCombMT.exe, trace the log time and find the corresponding event log in the Windows Server 2008 R2 Event Viewer; there you can find detailed information about the log event.
Lawrence
TechNet Community Support
Monday, July 9, 2012 9:16 AM -
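The correlation Lawrence describes (take the time of the 4740, then read the full 4625 records around it for "Source Network Address") can be scripted against the event XML, so no field is dropped the way a text export can drop it. This is an added example, not code from any poster in the thread; the account name `userid` is the placeholder from the posted log, and the 30-minute window and the function name `Get-EventFields` are assumptions. It assumes failure auditing for logon and Kerberos pre-authentication is enabled.

```powershell
# Added example: list the failed logons that preceded each lockout of one account.
# Run in an elevated PowerShell session on the server whose Security log you are checking.
param(
    [string]$Account = 'userid',   # placeholder account name taken from the posted log
    [int]$MinutesBefore = 30       # assumed look-back window before each lockout
)

# Turn an event's <EventData> into a name -> value hashtable (hypothetical helper).
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventFields $_)['TargetUserName'] -eq $Account }

foreach ($lock in $lockouts) {
    $f = Get-EventFields $lock
    # In the 4740 XML the "Caller Computer Name" value is carried in TargetDomainName.
    Write-Host ("Lockout at {0}; Caller Computer Name: '{1}'" -f $lock.TimeCreated, $f['TargetDomainName'])

    # 4625 = an account failed to log on, 4771 = Kerberos pre-authentication failed.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625, 4771
        StartTime = $lock.TimeCreated.AddMinutes(-$MinutesBefore)
        EndTime   = $lock.TimeCreated
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $e = Get-EventFields $_
        if ($e['TargetUserName'] -eq $Account) {
            New-Object PSObject -Property @{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                IpAddress   = $e['IpAddress']        # shown as Source Network Address / Client Address
                Workstation = $e['WorkstationName']  # present in 4625, empty for 4771
                Status      = $e['Status']
            }
        }
    } | Sort-Object Time | Format-Table Time, EventId, IpAddress, Workstation, Status -AutoSize
}
```

4771 is written by the DC that handled the Kerberos request and 4625 by the machine where the logon was attempted, so the script may need to be run on more than one server.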
Dear LalaJee,
Did you try to read the NETLOGON logs by using NLParse?
If you run NLParse with the Account Lockout checkbox on the Netlogon logs of the PDC, this will generate a CSV file, and you can get information like the machine/device name along with the DC via which it has been locked (the NLParse.exe tool).
Steps:
Go to C:\windows\Debug\Netlogon.log and make a copy of it on another drive, then run NLParse > open the copied logs > check the last option, "Account lockout logs" > then press Extract.
It will generate the .CSV file where you copied the Netlogon logs. Open it and you will get the row with the details of "Machine/Device name" plus via which DC it has been locked out.
"Remember: run NLParse on the PDC logs, but on backed-up logs."
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
Regards,
Vicky Rajdev
Monday, July 9, 2012 11:42 AM -
Dear VicK_Rajdev,
Please confirm this for me.
I need to log on to the DC on which this account was locked, e.g. DC1.
Then I need to go to C:\windows\Debug\Netlogon.log, copy this log onto my PC, run NLParse and check the option for locked accounts.
Run it, which will then create a CSV file.
How long do I have before this log gets overwritten?
I would just like to confirm this with you before I do it.
Monday, July 9, 2012 12:36 PM -
Dear LalaJee,
You need to log on to the PDC (Primary Domain Controller, FSMO holder) with Domain Admin credentials; the PDC handles the account lockout transactions.
Then copy the Netlogon logs from the Debug folder to another server or another location on the PDC.
Then run NLParse > you will get the option to open the logs > then browse to the copied location of the logs > then check the "Account lockout" checkbox > then press the Extract button.
It will generate the CSV file where you copied the Netlogon logs, and you will get the details which you require (device/machine name and via which DC it has been locked).
It will give details of all the account lockouts, the machines from where they were captured, and via which DC they were recorded.
This generally doesn't take more than a minute, but it depends on the size of the Netlogon logs.
The maximum size of the Netlogon.log file is 20 Mb (by default), but you can increase it via a registry key.
This link will give you details of all the ALTOOLS to use along with "NLParse.exe".
Regards,
Vicky Rajdev
Tuesday, July 10, 2012 8:22 AM -
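As a scripted counterpart to the NLParse steps above, the following added example (not NLParse itself and not code from the thread) filters a copied Netlogon.log for the two NTSTATUS codes that matter for lockouts and counts them per source device and forwarding server. The sample lines are constructed, and the line layout matched by the regular expression is an assumption about the log format.

```powershell
# Added example: extract bad-password and lockout entries from a COPY of Netlogon.log.
param([string]$Path)   # path to the copied log; omit to run against the constructed sample

# Constructed sample lines (assumed layout). A blank "from" with a "(via ...)" server
# means the credentials were relayed by that server on behalf of an unnamed device.
$sample = @'
07/05 10:31:58 [LOGON] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\userid from  (via MAIL01) Entered
07/05 10:31:58 [LOGON] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\userid from  (via MAIL01) Returns 0xC000006A
07/05 10:32:31 [LOGON] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\userid from  (via MAIL01) Returns 0xC0000234
07/05 10:40:02 [LOGON] DOMAIN: SamLogon: Network logon of DOMAIN\other from PC042 Returns 0x0
'@ -split "`r?`n"

$lines = if ($Path) { Get-Content $Path } else { $sample }

# NTSTATUS values: STATUS_WRONG_PASSWORD and STATUS_ACCOUNT_LOCKED_OUT.
$meaning = @{ '0xC000006A' = 'wrong password'; '0xC0000234' = 'account locked out' }
$rx = '^(?<when>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?logon of (?<user>\S+) from (?<src>\S*?) ?(?:\(via (?<via>[^)]+)\) )?Returns (?<code>0x[0-9A-Fa-f]+)'

$hits = foreach ($line in $lines) {
    if ($line -match $rx -and $meaning.ContainsKey($Matches['code'])) {
        New-Object PSObject -Property @{
            When   = $Matches['when']
            User   = $Matches['user']
            Source = $(if ($Matches['src']) { $Matches['src'] } else { '(blank)' })
            Via    = $Matches['via']
            Result = $meaning[$Matches['code']]
        }
    }
}

$hits | Format-Table When, User, Source, Via, Result -AutoSize

# The most frequent Source/Via pair is the device, or the server relaying for it.
$hits | Group-Object Source, Via | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```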
On the PDC I can see Netlogon logs under the Windows Debug folder, which were created in 2009 and last updated in June 2012.
I tried to get the information, but there is nothing I can find regarding the account lockout.
On our DC the information is there for less than 30 minutes, as it is overwriting information.
The account has stopped locking out now. I haven't done anything to stop this; it just stopped.
I would really like to debug this in future.
Please let me know if there is anything else I can try to debug this problem. If it's a Windows device I can get the name of the device which is locking this account out, but if it's a non-Windows device I can't find much information regarding why it would be locking out.
Tuesday, July 10, 2012 9:00 AM -
Hi,
Did you execute that NLParse tool? What did you get in the .CSV file? The CSV file gets generated in the place where you copied the logs.
Because I have also got the information from the same tool in many situations.
If you really want to drill into the issue down to the root cause, use the ALTOOLS. Those are the weapons to debug account lockout issues that occur for many different reasons.
Your issue may be resolved now, but it can come again. The scenario below will help you to understand one of the reasons why an account lockout happens again.
If a user logged in to a particular PC and, after the work was finished, he/she just locked the Windows session (did not log off), and after some days the user changes his password and tries to log in with the new password, it will work.
But after some time the account may get locked, because the user is still logged in to the machine where he logged in with the old credentials. That computer will initiate the account lockout.
So this may also happen in your environment in future, so try using the different ALTOOLS to resolve it from the root.
Links to drill:
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
Account Lockout Status:
http://www.microsoft.com/en-us/download/details.aspx?id=15201
Hope the above shows you the risk.
Regards,
Vicky Rajdev
- Proposed as answer by VicK_Rajdev Tuesday, July 10, 2012 10:33 AM
- Marked as answer by Lawrence,Lu Monday, July 16, 2012 8:51 AM
Tuesday, July 10, 2012 9:22 AM -
I ran the NLParse tool on my PDC log, which came back with nothing because I only selected account lockout.
When I run LockoutStatus.exe, it's not showing my PDC as locking the account; it's DC2 which is locking the account.
I asked the user to let me know when the problem comes back again.
Thank you for your help. If you have any other ways to debug this, please do let me know.
Tuesday, July 10, 2012 9:33 AM