Particular AD user account getting locked out

Question
-
Hi,
One particular AD user account is getting locked out. We have checked the security log and found lockout event ID 4740 for that user, but Caller Computer Name is blank/empty (screenshot below for your reference).
All domain controllers are running 2012 R2.
We already tried Microsoft ALtool.exe but were unable to trace the machine that is sending the bad credentials and causing the account lockout.
Caller Computer Name is blank only for one particular user account, whereas other users that are getting locked out show a caller computer name.
Kindly let me know how to trace the machine that is causing this particular user account to get locked out.
Wednesday, June 8, 2016 12:58 PM
Answers
-
Hi Johnny,
How frequently is the lockout happening?
If possible, shut down the user's machine, mobile, pad, etc. and observe.
Also check for any VPN connections with old passwords.
With a network trace, the chances of identification are very low, but you can still try.
Devaraj G | Technical solution architect
Tuesday, June 14, 2016 1:03 PM
All replies
-
Hi
You can configure advanced security audit policy for logs:
https://technet.microsoft.com/en-us/library/dn319056(v=ws.11).aspx
You can also troubleshoot this in Windows Server 2008 and 2012 with dsac.exe, which is the "Active Directory Administration Centre". Check this article:
https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
And with third-party tools: ManageEngine, Lepide, Netwrix...
This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur
Wednesday, June 8, 2016 1:58 PM -
Hi johnny,
The most likely reason for this is an application outside of the windows Operating System that is trying to perform some authentication process with the user account’s AD credentials.
http://www.georgealmeida.com/2014/01/account-lockout-caller-computer-name-blank/
The empty "Caller Computer Name" can occur due to multiple reasons. Please refer to this thread.
Devaraj G | Technical solution architect
Wednesday, June 8, 2016 2:06 PM -
Please check this article too if it helps you to identify the source of account lockout in AD - https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory
On a side note, you can also try using the Lepide Active Directory auditing tool, which should be an ideal solution to work around your situation.
Organizations who want to increase their visibility as to what's happening in their IT environments but are perhaps limited on time, resources or budget. Lepide 2020 audit & change control suite provides instant access to see who, what, where and when changes are being made to Active Directory, Group Policy, SQL Servers, SharePoint, File Servers, Exchange Servers and more.
Thursday, June 9, 2016 4:28 AM -
Hi,
I have already referred to all the articles which you have provided, but the issue still remains the same.
I have even used the third-party tools ManageEngine, Lepide, Netwrix... but there also the caller computer name is blank.
Please suggest if any other option or tool is available from Microsoft.
Thursday, June 9, 2016 1:43 PM -
Hi,
nothing on his/her smartphone/tablet?
This post is provided AS IS with no warranties or guarantees, and confers no rights.
~~~
This post provides no warranties and confers no rights.
Thursday, June 9, 2016 1:57 PM -
Some smart device!!
Do you have failure auditing set up in group policy?
Correlate the lockout with the failure audit and see if you can get the source IP.
Event to look for: 4771
Devaraj G | Technical solution architect
Thursday, June 9, 2016 2:37 PM -
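The correlation suggested in the reply above, as an added example that is not part of the original thread. It assumes Kerberos failure auditing is enabled, that it is run on each domain controller in turn (4771 is recorded only on the DC that handled the request), and that `jdoe` and the 30-minute look-back are placeholders.

```powershell
# Added example: list the 4771 failures that precede each 4740 lockout.
# 'jdoe' and the time windows are placeholders; run elevated on a DC.
$User  = 'jdoe'
$Since = (Get-Date).AddHours(-24)

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'      # named EventData values
    }
    $fields
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4740, 4771; StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $f = Get-EventField $e
    if ($f['TargetUserName'] -ne $User) { continue }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        # 4740 stores "Caller Computer Name" in TargetDomainName;
        # 4771 stores the client address in IpAddress (often ::ffff:a.b.c.d).
        Source  = $(if ($e.Id -eq 4740) { $f['TargetDomainName'] }
                    else { $f['IpAddress'] -replace '^::ffff:', '' })
        Status  = $f['Status']             # 0x18 on 4771 = bad password
    }
}

foreach ($lock in @($rows | Where-Object { $_.EventId -eq 4740 })) {
    $fails = $rows | Where-Object {
        $_.EventId -eq 4771 -and $_.Time -le $lock.Time -and
        $_.Time -ge $lock.Time.AddMinutes(-30)
    }
    "Lockout at $($lock.Time), caller computer: '$($lock.Source)'"
    $fails | Group-Object Source | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize | Out-String
}
```

If a lockout shows no 4771 rows on any DC, the bad passwords are not arriving over Kerberos, which fits the non-Windows or pass-through sources discussed in this thread.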
Mostly this is due to the lockout system not being directly connected to AD; it may be from a UNIX system or a handheld mobile device.
Regards www.windowstricks.in
Friday, June 10, 2016 7:55 PM -
I have enabled Netlogon on the PDC server, which was pointing to the ADC server as below.
Then I enabled Netlogon on the ADC server, which was pointing to one of the file servers as below.
So I enabled Netlogon on the file server and found the below error details without a caller computer name.
Please let me know the next step to perform to find the caller computer name from which the bad password is coming to the file server.
Monday, June 13, 2016 11:38 AM -
It should be something external (ActiveSync or similar).
This post is provided AS IS with no warranties or guarantees, and confers no rights.
~~~
This post provides no warranties and confers no rights.
Monday, June 13, 2016 11:51 AM -
You should get the IP address in the Netlogon logs; if not, network monitoring is the only way to proceed further.
Regards www.windowstricks.in
Monday, June 13, 2016 6:46 PM -
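The Netlogon log tracing described in the posts above, as an added example that is not part of the original thread. The sample lines are constructed in the usual Netlogon debug log layout, and the names `CORP`, `jdoe`, `FS01`, `DC02` and `WKS042` are placeholders.

```powershell
# Added example: summarise failed pass-through logons from Netlogon debug log lines.
# Constructed sample lines (not taken from the thread).
$sample = @'
06/13 11:30:01 [LOGON] [2216] CORP: SamLogon: Transitive Network logon of CORP\jdoe from  (via FS01) Entered
06/13 11:30:01 [LOGON] [2216] CORP: SamLogon: Transitive Network logon of CORP\jdoe from  (via FS01) Returns 0xC000006A
06/13 11:31:14 [LOGON] [2216] CORP: SamLogon: Transitive Network logon of CORP\asmith from WKS042 (via DC02) Returns 0xC0000234
06/13 11:32:40 [LOGON] [2216] CORP: SamLogon: Network logon of CORP\jdoe from  (via FS01) Returns 0xC000006A
'@ -split '\r?\n'

$pattern = '^(?<Time>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*logon of (?<Account>\S+) ' +
           'from (?<From>.*?) \(via (?<Via>[^)]+)\) Returns (?<Status>0x[0-9A-Fa-f]+)'

function Get-NetlogonFailure {
    param([string[]]$Line, [string]$Account)
    foreach ($l in $Line) {
        if ($l -notmatch $pattern) { continue }            # skips "Entered" lines
        if ($Matches.Status -eq '0x0') { continue }        # successful logon
        if ($Account -and $Matches.Account -notlike "*\$Account") { continue }
        [pscustomobject]@{
            Time    = $Matches.Time
            Account = $Matches.Account
            # Empty when the caller supplied no workstation name.
            From    = $(if ($Matches.From) { $Matches.From } else { '<blank>' })
            Via     = $Matches.Via       # server that passed the logon through
            Status  = $Matches.Status    # 0xC000006A bad password, 0xC0000234 locked out
        }
    }
}

# Count failures per (From, Via, Status) for the affected account.
Get-NetlogonFailure -Line $sample -Account 'jdoe' |
    Group-Object From, Via, Status | Select-Object Count, Name
```

On a server with Netlogon logging enabled, pass `Get-Content "$env:SystemRoot\debug\netlogon.log"` as `-Line`; the `Via` value names the next server whose own logs to examine, and a blank `From` there means that server received the logon without a workstation name.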
The IP address or hostname is not coming in the Netlogon logs. As you said, with a network monitoring trace, how do I identify where the bad credentials are coming from to the file server?
Tuesday, June 14, 2016 11:50 AM