User logins incorrectly returning that user is locked out

    Question

  • Hi:

    I have a network running one domain controller (Windows Server 2008 R2) with Windows 7 client computers joined to domain.  Inconsistently users are receiving message that they're locked out when trying to logon with their domain user.  But AD Users & Computers does not show the user profile as locked.  Usually after a few logon attempts the login will be successful.  I've checked security event logs on servers for ID 4625 failed logon attempts but cannot find any correlation with "locked out" users.  On-premise Exchange server exists in domain but also no correlation between occasional failed logon attempts on Exch. server and this larger problem.

    Thanks,
    Bob H.


    Bob Herman IT Tropolis

    Tuesday, January 24, 2017 11:11 PM

Answers

  • Hi
      These are possibilities about lockout issue,
    - Mapped network drives
    - Logon scripts that map network drives
    - RunAs shortcuts
    - Accounts that are used for service account logons
    - Processes on the client computers
    - Programs that may pass user credentials to a centralized network program or middle-tier application layer
    - ActiveSync devices (cell phone, etc.)

    and you can check the source with Account Lock tool (for server 2003); https://www.microsoft.com/en-us/download/details.aspx?id=15201
    New tools to troubleshoot this in Windows Server 2008 R2, called dsac.exe which is the "Active Directory Administration Centre". Check the article for; https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    also you can check with these 3rd party tools; lepide, netwrix...

    and you can configure advanced audit policy to find the source;

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    https://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    • Proposed as answer by J Philip Wednesday, January 25, 2017 9:11 AM
    • Marked as answer by Bob Herman Thursday, January 26, 2017 12:32 AM
    Wednesday, January 25, 2017 6:42 AM

All replies

  • Hi Burak:

    Thanks for the info!  I've configured the advanced audit policy GPO.  

    I'm getting lots of failed 4776 events (credential validation) for the users that were getting locked out, which makes sense.  However, the security log doesn't give me much info about where the attempted logons are coming from.  The source workstation is often null, or a ws name that does not exist on the network, and the log does not contain the IP address from which the request was made.  Also, it's hard to filter on the affected user since they are not listed as the User in the log, which is N/A for these events.  They are listed as the "logon account" in the info, but there's no way to filter on that info.

    Looks like I need to look for a 3rd party tool.

    Thank you,
    Bob H.



    Bob Herman IT Tropolis

    Thursday, January 26, 2017 12:44 AM
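The two problems raised in this thread, enabling the audit subcategories the accepted answer points to and then filtering 4776 events by the "logon account" that Event Viewer shows as N/A, can both be worked on the domain controller with PowerShell. The script below is an added example written for this page; it is not code from the thread or from Microsoft. It assumes it runs on the DC (or that `-DomainController` names it), that the ActiveDirectory RSAT module is installed, and it takes the affected sAMAccountName as `-Account`; the `Get-EventField` helper and the parameter names are this example's own.

```powershell
# Added example (not part of the original thread). Locate the source of failed credential
# validations for one account using the events that the advanced audit policy produces.
# Assumptions: run on or against the domain controller; ActiveDirectory module available.
param(
    [Parameter(Mandatory = $true)][string]$Account,      # sAMAccountName of the affected user
    [string]$DomainController = $env:COMPUTERNAME,       # the single DC in the thread's setup
    [int]$Hours = 24                                     # how far back to search
)

# Step 1: confirm the two subcategories that matter are actually auditing failures.
# Without "Credential Validation" there are no 4776 events; without "Account Lockout" no 4740.
auditpol /get /subcategory:"Credential Validation","Account Lockout"

function Get-EventField($Event, $Name) {
    # Pull one named <Data> element out of the event XML. Properties[] is positional and
    # easy to misread; the Name attribute is unambiguous.
    $xml = [xml]$Event.ToXml()
    $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name } | ForEach-Object { $_.'#text' }
}

$since = (Get-Date).AddHours(-$Hours).ToUniversalTime().ToString('o')

# Step 2: 4776 shows "N/A" as the user in the log's summary view, but the account name is in
# the TargetUserName data field, so filter on that with XPath instead of scrolling the log.
# XPath string comparison is case-sensitive: use the name exactly as it appears in the events.
$xpath = "*[System[EventID=4776 and TimeCreated[@SystemTime>='$since']]]" +
         " and *[EventData[Data[@Name='TargetUserName']='$Account']]"

$failed = Get-WinEvent -ComputerName $DomainController -LogName Security `
              -FilterXPath $xpath -ErrorAction SilentlyContinue |
          Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' }

# Group by the source workstation and NTSTATUS code. A blank or unknown workstation name, as
# seen in the thread, is itself a clue: NTLM pass-through from a device that does not set the
# field, such as a phone or a middle-tier app, rather than an interactive Windows 7 logon.
$failed | ForEach-Object {
    New-Object PSObject -Property @{
        Time        = $_.TimeCreated
        Workstation = Get-EventField $_ 'Workstation'
        Status      = Get-EventField $_ 'Status'   # 0xC000006A bad password, 0xC0000234 account locked
    }
} | Group-Object Workstation, Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Step 3: if the lockout threshold is really being hit, the PDC emulator logs 4740, which
# carries the caller computer name (stored in that event's TargetDomainName field).
$lockouts = Get-WinEvent -ComputerName $DomainController -LogName Security `
    -FilterXPath "*[System[EventID=4740]] and *[EventData[Data[@Name='TargetUserName']='$Account']]" `
    -ErrorAction SilentlyContinue
$lockouts | ForEach-Object {
    "{0}  {1} locked out, caller computer: {2}" -f $_.TimeCreated, $Account, (Get-EventField $_ 'TargetDomainName')
}

# Step 4: what AD itself says right now, the same data ADUC shows on the Account tab.
# badPwdCount is per-DC and not replicated; with one DC, as here, it is authoritative.
Import-Module ActiveDirectory
Get-ADUser $Account -Server $DomainController -Properties LockedOut, badPwdCount, LastBadPasswordAttempt |
    Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt
```

Run it as a domain admin on the DC, for example `.\Find-LockoutSource.ps1 -Account bobh -Hours 48`. Reading the step 2 table against the lockout threshold from the default domain policy explains the thread's symptom: a burst of 0xC000006A failures from one stale workstation name shortly before each "locked out" message, with 4740 only appearing when the count reaches the threshold, points at a cached credential on that device rather than at the user's own logon attempts.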