Auditing Why the User Account is Getting Locked Out

  • Question

  • Hi,

    I recently reconfigured a Default Domain Controller Group Policy for Windows Server 2008 R2. This is my root DC and ADC is Windows Server 2012 R2. The policy I configured is to audit User Account Management where it shows the user whose account got locked out.

    The account gets locked out only after 3 failed logon attempts. I unlock their accounts but do not know about their failed login attempts. Users are claiming that they have not entered an incorrect password.

    I want to have details of their failed logon attempts before the account gets locked out. I want to see which computer, with its hostname and IP, they used where the first, second and third login attempts failed. Most users access Outlook Web Access (Exchange Server 2013) and the User Account Management event indicates the calling computer as the CAS of Exchange Server 2013. I want to see here the actual computer name from where the user initiated a login. A few users share their password with their peers.

    Please suggest how I can see all failed login attempts, be it accessing a shared folder on a file server, local login to their workstations, or login to any AD integrated application, in the event viewer (security log) of the Domain Controller.


    MPS

    Friday, May 13, 2016 7:10 AM

Answers

All replies

  • Hi, 

    You can use LockoutStatus.exe, which is part of the Account Lockout and Management Tools, to identify the domain controllers that are involved in locking out the user account.

    https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

    • Proposed as answer by Avendil Saturday, May 14, 2016 4:22 PM
    Friday, May 13, 2016 7:16 AM
  • Hi

    These are possible causes of the lockout issue:

    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -Active sync devices (cell phone,etc..) 

    Also, the "Account lockout tool" cannot be used on Server 2008 & 2012, so the new tool to troubleshoot this in Windows Server 2008 R2 is dsac.exe, which is the "Active Directory Administrative Center". Check the article:

    https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Friday, May 13, 2016 7:31 AM
  • Most user accounts get locked from local desktops, mobile devices, or idle sessions on servers/workstations. We need to start account lockout troubleshooting in the order below.

    1.Client side troubleshooting
    2.Mobile device / BYOD
    3.Server side checklist

    Refer to this for more: http://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx

    Use the tools below to find out the source of the account lockout - on the server:

    1. Account Lockout and Management Tool.

      http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465 

    2. Netwrix is also a good tool to find out account lockout.

       https://www.netwrix.com/account_lockout_examiner.html 

    3. Troubleshooting Account Lockouts the PSS way

      http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx 

    4. Use account lockout tools to find out more information.

      http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx 

    5. Refer to the article below for best practices and standards.

      http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx 

    6. Track the account lockouts using the checked Netlogon.dll

      http://support.microsoft.com/kb/189541 


    Devaraj G | Technical solution architect

    Friday, May 13, 2016 2:16 PM
  • You need to enable auditing on your default domain policy to track it. To know the lockout source you can install the AL Tools on the DC and search with the account. This will tell you how many bad password attempts reached which DC. You need to log in to the DC and check the security event for the locked account; in the event you will get a caller computer name. Log into that machine and check the security event. You will get the process which was causing the issue.


    Saturday, May 14, 2016 3:05 PM
  • As suggested by Rihanna Robyn the LockoutStatus.exe is the best tool to do this. I always used it to identify where the user is getting locked from.

    Regards

    Saturday, May 14, 2016 4:23 PM
  • Hi,

    Thanks for your post.

    Based on my experience, we could enable some audit settings and query corresponding Event logs to troubleshoot the account lockout issue.

    First, please make sure you have enabled all the audits at the domain level.

    Audit account logon events

    https://technet.microsoft.com/en-us/library/cc787176(v=ws.10).aspx

    Audit account logon events

    https://technet.microsoft.com/en-us/library/cc737542(v=ws.10).aspx

    Audit logon events

    https://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx

    Then enable below settings:

    1. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Account Management

    Configure: Audit User Account Management Success and Failure

    2. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff

    Configure: Audit Account Lockout to audit Success and Failure

    Based on my experience, when an account is locked out, a 4740 event is logged in the Security log on the PDC of your domain. Every account lockout is recorded there in the security event log. The PDC emulator is a central place that can be queried for all account lockout events. Before looking for an event ID of 4740, we need to find the domain controller that holds the PDC emulator role. One way to do this is by using the Get-AdDomain cmdlet.

    Then you could query the security event log for event ID 4740.

    More articles for your reference:

    Active Directory: Troubleshooting Frequent Account lockout

    http://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx

    Account Lockout and Management Tools
    http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
      

    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

    Account Lockout Tools
    http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 16, 2016 2:08 AM
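    The procedure above (find the PDC emulator with Get-ADDomain, then query the Security log for event 4740), as an added PowerShell example that is not code from this thread. It goes beyond the post by also pulling the individual failed attempts (4771 Kerberos pre-authentication failures and 4776 NTLM credential validation failures) from every DC, which is what the later replies ask for, and by checking that the DCs audit those subcategories. The account name jdoe, the 24-hour window and the Get-EventDataMap helper are assumptions.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory RSAT module,
# rights to read the Security log on every DC, and a hypothetical account 'jdoe'.
Import-Module ActiveDirectory

$User  = 'jdoe'                      # hypothetical locked-out account
$Since = (Get-Date).AddHours(-24)    # assumed lookback window

# Flatten an event's <EventData> into a hashtable keyed by field name, so the
# fields are addressed by name rather than by fragile positional index.
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# 0. 4771/4776 only appear if the DCs audit failures in these subcategories
#    (set them in the Default Domain Controllers Policy under Advanced Audit
#    Policy Configuration\Account Logon). Run this check on a DC itself.
foreach ($Sub in 'Kerberos Authentication Service', 'Credential Validation', 'Account Lockout') {
    auditpol /get /subcategory:"$Sub"
}

# 1. Lockouts (4740) are written on the PDC emulator. In 4740, TargetDomainName
#    holds the "Caller Computer Name": the host that forwarded the bad password,
#    which for OWA users is the Exchange CAS rather than the user's own PC.
$Pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $Pdc -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$Since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{ Time = $_.TimeCreated; Account = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
    } | Format-Table -AutoSize

# 2. The failed attempts themselves land on whichever DC handled them, so query
#    every DC. 4771 (Kerberos pre-auth failed) carries the client IpAddress and
#    Status 0x18 means a wrong password; 4776 (NTLM validation) carries the
#    Workstation name and Status 0xC000006A means a wrong password.
$Filter   = @{LogName='Security'; Id=4771,4776; StartTime=$Since}
$Attempts = foreach ($Dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $Dc -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            if ($d.TargetUserName -eq $User) {
                [pscustomobject]@{
                    DC      = $Dc
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Source  = if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
                    Status  = $d.Status
                }
            }
        }
}
$Attempts | Sort-Object Time | Format-Table -AutoSize
```

    A 4771 with a plain IP address points at the user's machine directly, while a 4776 whose Workstation is the CAS means the attempt arrived via OWA or ActiveSync and the client must be found in the Exchange (IIS) logs instead.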
  • Thanks for your reply. Please confirm if I need to make above changes to the Default Domain Policy and not the Default Domain Controller Policy. I have configured the Default Domain Controller Policy. If you confirm, I will remove the settings from the Default Domain Controller Policy.

    MPS

    Tuesday, May 17, 2016 10:34 AM
  • Hello MPS,

    Default Domain controller policy is the right one.

    (auditing events) will be recorded in the Security event logs of respective Domain Controllers.


    Devaraj G | Technical solution architect

    Tuesday, May 17, 2016 10:53 AM
  • Thanks Devaraj. My only challenge is I'm not able to trace failed logins of the users which leads to the account lockout.

    MPS

    Tuesday, May 17, 2016 11:14 AM
  • Hi,

    Generally, after enabling the related audit settings, you should be able to see which workstation the user is trying to log in from, through the Event IDs, when the user gets locked out.

    Did you mean that no related Event IDs appeared, or that no useful information was logged in the Event IDs?

    Please run gpresult /h report.html from an elevated commandline, examine report.html and check whether:

    a) your policy is applied

    b) the setting in your policy is not overwritten by another policy

    In addition, you could try to create a new GPO, enable necessary policies and link it to the OU instead of configuring the default domain policy. After that, reproduce user lockout and check if you can find Event 4740 on DC.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 18, 2016 7:26 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 20, 2016 8:00 AM
  • Thanks Alvin for your reply. I have configured the audit related settings (as suggested above) in the Default Domain Controller Group Policy. No audit related settings are configured in the Default Domain Group Policy. 

    I'm getting Account Lockout related information in the event viewer of the Domain Controller after configuring these settings in the Default Domain Controller Policy. Since this policy applies only to Domain Controllers (and not to PCs joined to the domain) I did not run the gpresult command. I can tell you that this policy is applied to DCs after seeing the Account Lockout related events registered in the event viewer.

    Please assist me with the below.

    1. How to know the failed logins of the users and the corresponding workstations which leads to account lockout? I should see the information of all three failed logins.

    2. Sometimes the calling workstation name reported in the event viewer is the Exchange CAS server, which is also the OWA server. How to know the name of the workstation from where the user is attempting to log in?

    3. The event viewer only reports the hostname of the PC. How to get the IP address of the workstation? Before migrating to Windows Server 2008 R2 and Windows Server 2012 R2 DCs, the Windows Server 2003 DCs were reporting the IP address of the workstation from where the failed logins were getting reported.


    MPS

    Friday, May 20, 2016 8:29 AM
  • > 1. How to know the failed logins of the users and the corresponding
    > workstations which leads to account lockout? I should see the
    > information of all three failed logins.
     
    You need to review the security log on ALL domain controllers.
     
    > 2. Sometimes the calling workstation name reported in the event viewer
    > is the Exchange CAS server which is also the OWA server. How to know the
    > name of the workstation from where the user is attempting to log in.
     
    You cannot. This is most probably a device where the user has invalid
    credentials in his mail account. Or he's entering these invalid
    credentials in OWA. In both cases, the domain controller receives the
    authentication request from Exchange.
     
    > 3. The event viewer only reports the hostname of the PC. How to get the
    > IP address of the workstation.
     
    nslookup ?
     
    Friday, May 20, 2016 10:58 AM
  • Thanks Martin.

    1. I have 2 DCs and reviewed the Security log of both DCs to see the failed login attempts. However, the failed logins are not seen in the Event Viewer of any DC. Please suggest how to make the logins appear in the Event Viewer.

    2. Fine.

    3. I have many VSAT sites and the clients are in a workgroup. Hence nslookup does not serve the purpose. Do we have any other option?


    MPS

    Friday, May 20, 2016 11:06 AM
  • > I have configured the audit related settings (as suggested above) in the
    > Default Domain Controller Group Policy.
     
    What exactly did you configure? If you are referring to
    - this will not audit logon events :)
     
    • Proposed as answer by Alvwan Monday, May 23, 2016 6:46 AM
    • Marked as answer by MPS-2011 Monday, May 23, 2016 6:52 AM
    Friday, May 20, 2016 11:59 AM
  • Hi

     Check this previous post; you can identify the problem source with the "Account lockout tools", and, as already mentioned, you can use dsac.exe on ADAC, or 3rd-party software (ManageEngine, Lepide, etc.).


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Alvwan Monday, May 23, 2016 6:46 AM
    Friday, May 20, 2016 1:21 PM
  • > I have configured the audit related settings (as suggested above) in the
    > Default Domain Controller Group Policy.
     
    What exactly did you configure? If you are referring to
    - this will not audit logon events :)
     
    Paste screenshot of your Audit settings.

    Devaraj G | Technical solution architect

    Friday, May 20, 2016 1:31 PM
  • Hi Martin ,

    Not able to find the lockout through ALTool and netlogon. I can't use third-party tools in my environment.

    How to enable Kerberos auditing?

    Wednesday, July 5, 2017 2:26 AM
  • Hi Martin,

    I am also facing an account lockout issue on one of my member servers.

    I know the computer name which is sending the bad password.

    There is no profile on the server for the user whose account is getting locked.

    Steps which I took till now:

    Cleared temp files

    Cleared Internet history and other things

    Nothing in Credential Manager

    No service or scheduled task is running with that user account

    No disconnected session

    Only the Storage Services (File and Storage) role is installed

    I used Microsoft Message Analyzer and found that the user name is showing in the CNAME string and LSASS.exe is the process, but I am not able to see which app or service generated the request.

    Kindly suggest.

    Thursday, December 20, 2018 10:23 PM