locked
account lockout on windows 2008 r2 and windows 7 RRS feed

  • Question

  • hi,

    When I check the security logs Caller Computer Name:   is empty i know why it is empty its because user used his id on smart device.

    Is they anyway I can check which device user used to check email or something which now has saved user details.

    Is they anyway I can tell windows to record Mac address of device which this user id is being locked by.

    4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Wed Jul 04 12:16:21 2012,No User,A user account was locked out.    Subject:   Security ID:  S-1-5-18   Account Name:  server$   Account Domain:  server  
     Logon ID:  0x3e7    Account That Was Locked Out:   Security ID:  S-1-5-21-284166382-85745802-1543857936-1098   Account Name:  userid    Additional Information:   Caller Computer Name:   
    
    c:\account lockout\server-Security_LOG.txt contains 1 parsed events.


    • Edited by lalaJee Wednesday, July 4, 2012 1:23 PM more details
    Wednesday, July 4, 2012 1:18 PM

Answers

  • 4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Thu Jul 05 10:32:31 2012,No User,A user account was locked out.    Subject:   Security ID:  S-1-5-18   Account Name:  server$   Account Domain:  domian   Logon ID:  0x3e7    Account That Was Locked Out:   Security ID:  S-1-5-21-284166382-85745802-1543857936-1098   Account Name:  user-id    Additional Information:   Caller Computer Name:   

    c:\account lockout\server-Security_LOG.txt contains 1 parsed events.

    Hi,

    Where did you get above message? Form EventcmbMT.exe result file or copied form event viewer directly?

    If you copied that message from a tool, you may not get whole information that recorded in event log.

    According to the log time, trace the log in event viewer, you can find detailed log information in dropdown list of General tab. That should include a row “Source Network Address”.

    Also, you may trace error with event code 4625, it record event “An account failed to log on”.

    For more information please refer to following MS articles:

    Description of security events in Windows Vista and in Windows Server 2008
    http://support.microsoft.com/kb/947226
    Account lockout
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/94a7399f-7e7b-4404-9509-1e9ac08690a8
    Windows 2008 R2 / User account locked out numerous times a day
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ab1b8429-2cd1-4a1f-b276-950e5f41f23e


    Lawrence

    TechNet Community Support


    • Edited by Lawrence, Monday, July 9, 2012 9:12 AM spelling mistakes
    • Marked as answer by Lawrence, Monday, July 16, 2012 8:51 AM
    Friday, July 6, 2012 8:52 AM
  • Hi,

    Did you executed that NLPase tool ? What you got in the .CSV file ? CSV file gets genrated to place where you copied the logs.

    Because i also got the information from the same tool at many situations.

    If you realy want to drill the issue till the Root cause, Use the ALTOOLS Those are the waepons to debug issues of Account lockout due to different different reasons.

    Your issue may be resolved now, But it can come again, Below scenario will help you to understand one of the reason how Account Lockout again happens.

    If any user logged-in to particular PC & after the work finished he/she just locked his window(Not  logged off), After some days User changes his password & tries to login with new passwod it will work.

    But after sometime Account may get locked, Because user is still logged in to the machine where he logged in with old credentials, That computer will intiate the account lockout.

    So this also happen to your envio. in future, So try using the diff. diif. ALTOOLS to resolve it from Root.

    Links to drill:

    http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

    Account Lockout Status:

    http://www.microsoft.com/en-us/download/details.aspx?id=15201

    Hope above shows you the risk.

    Regards, 


    Vicky Rajdev

    • Proposed as answer by VicK_Rajdev Tuesday, July 10, 2012 10:33 AM
    • Marked as answer by Lawrence, Monday, July 16, 2012 8:51 AM
    Tuesday, July 10, 2012 9:22 AM

All replies

  • Take a look at below article, if its applicable. Also, you can't configure to log MAC ID & there is no such functions available to achieve it.

    The Security event that has Event ID 4625 does not contain the user account name on a computer that is running Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2

    http://support.microsoft.com/kb/2157973


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, July 4, 2012 1:33 PM
  • I know the account is being locked by a smart device, which windows can't resolved it to its name.

    Is they any way I can get the Mac Address of device which this locked is being done. for e.g. if phone number is locking this account I like to get the mac address for this phone.

    Wednesday, July 4, 2012 2:13 PM
  • Hi,

    As far as I know, we now can’t customize security event log to record MAC address of client.

    However, the security event log should record source network address (IP address).

    To troubleshoot account lockout issue, you may refer to these MS articles:

    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
    Account Lockout Tools
    http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx


    Lawrence

    TechNet Community Support

    Thursday, July 5, 2012 6:19 AM
  • As you can see from top log they is no Ip address which being recorded. I have used the ALTools to track down this account lockout but the caller machine name is blank.

    I search for 4740 event id.

    We are using Windows server 2008 r2 as our DC.

    Are they any other event id i can run search on.

    • Edited by lalaJee Thursday, July 5, 2012 8:43 AM more details
    Thursday, July 5, 2012 6:53 AM
  • Can I use packet capture to resolve a account lockout. 

    If I use a netsh on windows 2008 r2 server to capture and then use Microsoft net monitor to this logs to find out where to account has been lock out e.g. mac address.

    Thank ou

    Thursday, July 5, 2012 9:11 AM
  • 4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Thu Jul 05 10:32:31 2012,No User,A user account was locked out.    Subject:   Security ID:  S-1-5-18   Account Name:  server$   Account Domain:  domian   Logon ID:  0x3e7    Account That Was Locked Out:   Security ID:  S-1-5-21-284166382-85745802-1543857936-1098   Account Name:  user-id    Additional Information:   Caller Computer Name:   

    c:\account lockout\server-Security_LOG.txt contains 1 parsed events.

    Thursday, July 5, 2012 9:41 AM
  • Hello,

    did you use SIDtoName to convert the Security ID:  S-1-5-21-284166382-85745802-1543857936-1098? http://www.joeware.net/freetools/tools/sidtoname/index.htm


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, July 5, 2012 1:37 PM
  • Hello,

    did you use SIDtoName to convert the Security ID:  S-1-5-21-284166382-85745802-1543857936-1098? http://www.joeware.net/freetools/tools/sidtoname/index.htm


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    SIDtoName gives me user id which i know what i'm looking for is the Machine which this pc is being locked out.

    What I have tried.

    Use ALTools to check where the user id is being locked out and then run eventcombMT.exe with event id 4740 as its windows 2008 r2

    check for saved password on user PC ( where user logged onto).

    check logs but nothing.

    netlog logs are already available

    Ask user regrading smartphone and Ipad which he has logged on in past. Becasue this used set these device his account might have been used on 100's of smart device its hard to say which device he used on unless i can get ip address or mac address.

    I can't think of anything else I can try.

    please help.


    • Edited by lalaJee Thursday, July 5, 2012 2:26 PM more infe
    Thursday, July 5, 2012 2:15 PM
  • 4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Thu Jul 05 10:32:31 2012,No User,A user account was locked out.    Subject:   Security ID:  S-1-5-18   Account Name:  server$   Account Domain:  domian   Logon ID:  0x3e7    Account That Was Locked Out:   Security ID:  S-1-5-21-284166382-85745802-1543857936-1098   Account Name:  user-id    Additional Information:   Caller Computer Name:   

    c:\account lockout\server-Security_LOG.txt contains 1 parsed events.

    Hi,

    Where did you get above message? Form EventcmbMT.exe result file or copied form event viewer directly?

    If you copied that message from a tool, you may not get whole information that recorded in event log.

    According to the log time, trace the log in event viewer, you can find detailed log information in dropdown list of General tab. That should include a row “Source Network Address”.

    Also, you may trace error with event code 4625, it record event “An account failed to log on”.

    For more information please refer to following MS articles:

    Description of security events in Windows Vista and in Windows Server 2008
    http://support.microsoft.com/kb/947226
    Account lockout
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/94a7399f-7e7b-4404-9509-1e9ac08690a8
    Windows 2008 R2 / User account locked out numerous times a day
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/ab1b8429-2cd1-4a1f-b276-950e5f41f23e


    Lawrence

    TechNet Community Support


    • Edited by Lawrence, Monday, July 9, 2012 9:12 AM spelling mistakes
    • Marked as answer by Lawrence, Monday, July 16, 2012 8:51 AM
    Friday, July 6, 2012 8:52 AM
  • I got information from eventcombMT.exe

    I have check following event id 

    4768 4771 4725 4740 4722 4767 4634 4624 4625 4800


    • Edited by lalaJee Friday, July 6, 2012 8:55 AM add more infor
    Friday, July 6, 2012 8:55 AM
  • Hi,

    EventcombMT.exe does not display all Windows Server 2008 R2 log information in my test.

    So after you get event log through EventcombMT.exe, trace the log time and find corresponding event log in Windows Server 2008 R2 event viewer, you can find detailed information about the log event.


    Lawrence

    TechNet Community Support

    Monday, July 9, 2012 9:16 AM
  • Dear LalaJee,

    Did you tried to read the NETLOGON Logs by using NL Parse..

    If you run the NL Parse by using Account Lockout checkbox on the Nelogon logs of PDC, This will genrate the CSV file & you can get the information like, Machine/Device name along with DC via which it is been locked.(The NLParse.exe Tool)

    Steps:

    Go to C:\windows\Debug\Netlogon.log & make a copy of it on the other drive & run the NLParse > open the copied logs > Check the the last option of "Account lockout logs" > then Press Extract

    it will genrate the .CSV file where you copied the netlogon logs open it & you will get the row with the details of "Machine/Device name" + Via which dc it is been locked out.

    "Remember run NLParse on PDC logs but on backed up logs"

    http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

    Regards,


    Vicky Rajdev

    Monday, July 9, 2012 11:42 AM
  • Dear VicK_Rajdev,

    Please confirm this for me.

    I need to logon to DC which this account was lock e.g DC1

    Then I need to go C:\windows\Debug\Netlogon.log copy this log on to my PC and run NLParse and check option for lock account.

    run it which will then create a csv file.

    How long do I have before this log get over write?

    I just like to confirm this with you before I do this.


    Monday, July 9, 2012 12:36 PM
  • Dear LalaJee,

    You need to logon to the PDC(Primary Domain Controller-FSMO Holder) with the Domain Admin Credentials, PDC handls the Account lockout transections.

    Then copy the Netlogon logs from Debug folder to other server or other location on PDC.

    Then Run the NLParse > you will get option of open the logs > Then browse to the copied location of logs > then check the check box of "Account lockout" > then press Extract button.

    It will genrate the CSV file where you copied the Netlogon logs  & you will get the details which you require(Device/Machine name & via which dc it is been locked).

    It will give details of all the account lockouts & machines from where it is been captured & via which dc it is been recorded.

    This genrally dosent take more than a minute, But depends on the size of Netlogon Logs.

    The maximum size of Netlogon.log file is 20 Mb(By default), but you can increase via registry key.

    This link will give you details of all ALTOOLS to use along with "NLParse.exe".

    Regards,


    Vicky Rajdev

    Tuesday, July 10, 2012 8:22 AM
  • On PDC I can see netlogon logs under windows debug which was created in 2009 and last updated in JUNE 2012.

    I try get the information but they is nothing I can found regrading the account lock out.

    On our DC information is they for less then 30 minutes as it overwriting information.

    Account is stop locking out now I haven't done anything to stop this but it just stop.

    I really like to debug this in future.

    Please let me know if anything else I can try to debug this problem. If its windows device I can get the device name which is locking out this account out but if its non windows device I can't find much information regrading why it would be locking out.

    Tuesday, July 10, 2012 9:00 AM
  • Hi,

    Did you executed that NLPase tool ? What you got in the .CSV file ? CSV file gets genrated to place where you copied the logs.

    Because i also got the information from the same tool at many situations.

    If you realy want to drill the issue till the Root cause, Use the ALTOOLS Those are the waepons to debug issues of Account lockout due to different different reasons.

    Your issue may be resolved now, But it can come again, Below scenario will help you to understand one of the reason how Account Lockout again happens.

    If any user logged-in to particular PC & after the work finished he/she just locked his window(Not  logged off), After some days User changes his password & tries to login with new passwod it will work.

    But after sometime Account may get locked, Because user is still logged in to the machine where he logged in with old credentials, That computer will intiate the account lockout.

    So this also happen to your envio. in future, So try using the diff. diif. ALTOOLS to resolve it from Root.

    Links to drill:

    http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

    http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

    Account Lockout Status:

    http://www.microsoft.com/en-us/download/details.aspx?id=15201

    Hope above shows you the risk.

    Regards, 


    Vicky Rajdev

    • Proposed as answer by VicK_Rajdev Tuesday, July 10, 2012 10:33 AM
    • Marked as answer by Lawrence, Monday, July 16, 2012 8:51 AM
    Tuesday, July 10, 2012 9:22 AM
  • NLPase tool on my PDC log which came back with nothing because I only select account lock out.

    When I run LockoutStatus.exe its not showing my PDC which is locking the account its DC2 which is locking account.

    I ask user to let me know when the problem comes back again.

    Thank you for your help. If you have any other ways to debug this please do let me know.


    Tuesday, July 10, 2012 9:33 AM