none
Auditing User lockout

    Question

  • Good morning,

    I'm trying to troubleshoot a lock out issue.  I know what PC is locking the user account but I can't find which program is doing it on this server.  Any ideas?  I can't find any instances of event id 4625 on the server that is locking the account.  I bet I have to enable some more logging.  Any ideas?

    Thanks,

    Tim

    Tuesday, January 10, 2017 4:11 PM

All replies

  • You can start with what Paul recommended here: https://dirteam.com/paul/2012/04/23/user-account-lockout-troubleshooting/

    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK

    My Website Link

    My Linkedin Profile

    My MVP Profile

    Tuesday, January 10, 2017 11:42 PM
  • Hi Tim,

    I'm trying to troubleshoot a lock out issue.  I know what PC is locking the user account but I can't find which program is doing it on this server.  Any ideas?

    >>>To achieve your goal, you need configure the setting Audit process tracking and Audit logon events underthe path below.

    Compute Configurations\Windows Settings\Security Settings\Local Policies\Audit Policy

    For more information, please refer to the article below.

    Troubleshooting: Identify Source of Active Directory Account Lockouts

    http://woshub.com/troubleshooting-identify-source-of-active-directory-account-lockouts/#acc-0

    In addition, you could also use Account Lockout Status Tool to troubleshooting.

    Troubleshooting Active Directory Account Lockout

    https://blog.krissmilne.tech/active-directory/troubleshooting-account-lockout

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, January 11, 2017 1:52 AM
    Moderator
  • Seems like, above references should help you to short out this weird account lockout issue.

    You may also take a look at below article which covers the common root cause of account lockouts and how to resolve them - https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/

    Wednesday, January 11, 2017 7:52 AM
  • Hi
      These are possibilies about lockout issue,
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -Active sync devices (cell phone,etc..)  

    and you can check the source with Account Lock tool (for server 2003); https://www.microsoft.com/en-us/download/details.aspx?id=15201
     New tools to troubleshoot this in Windows Server 2008 R2,called dsac.exe which is the "Active Directory Administration Centre"..check the article for; https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    also you can check with these 3rd paty tools; lepide,netwrix....

    And you can configure advanced security audit policy to find the source;

    https://technet.microsoft.com/en-us/library/dn319056%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

    https://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, January 11, 2017 8:05 AM
  • Hi Tim,

    Are there any updates?

    If the reply above has resolved your problem, please mark it as answer as it would be helpful to anyone who encounters the similar issue.

    Thank you.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 19, 2017 7:49 AM
    Moderator
  • You can also enable netlogon to have detail look what is going on and cause the account to lockout.
    Thursday, January 19, 2017 11:12 AM
  • Hi Tim

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 23, 2017 6:10 AM
    Moderator