AD LockOuts

    Question

  • Hi all,

    Bashing my head against the wall on this one. Large numbers of users are reporting random account lockouts, and calls to the HD to unlock them are increasing. Admittedly, I agree that some or the majority of these are caused by pwd changes and users having an old device connected to email etc.

    However, a number of tech-savvy users are repeatedly having the issue for no apparent reason. No pwd changes have taken place recently on their AD accounts.

    Bit of background: Mix of Win2k3 and 2k8 R2 DCs, Exchange and Lync hosted in another Resources domain by another company, VPN remote access is used.

    So let me talk you through my situation as I recently was locked out.

    Boot laptop at home, Lync tries to connect and prompts for creds, ignore that and connect the corporate VPN. Open Outlook and then Lync connects OK. That's how I am told it should work. However, sometimes if you are connected to the VPN, Outlook\Lync doesn't accept your creds and continually prompts you. If you try to enter them, they fail, even though the creds are correct. The account becomes locked out.

    One slight caveat to this was one user who didn't get locked out when working at home, but the next day, as soon as he connected to the LAN in the office, he was locked out.

    I don't have any admin rights on the AD as it is hosted and managed by a 3rd party company who have blocked my request for this. But they have been able to use AD lockout tools and in some instances:

    Subject:
        Security ID:            S-1-5-18
        Account Name:           xxxxxxxxxxx$
        Account Domain:         UK
        Logon ID:               0x3e7

    Account That Was Locked Out:
        Security ID:            S-1-5-21-852109325-4236797708-1392725387-323219
        Account Name:           Ashley.Poxon

    Additional Information:
        Caller Computer Name:   TMG03

    (Exported record: Event ID 4740, Microsoft-Windows-Security-Auditing, SuccessAudit, logged 01/03/2017 08:07:19 on xxxxxxxxxxx.domain.com: "A user account was locked out.")

    I have previously seen pre-auth issues when you use a mix of Win2k3 and 2k8 R2 DCs. Is this potentially an issue here? I would have expected it to affect more users, though.

    Am I right in thinking it could be the Lync \ Outlook clients and VPN issue? That's my gut feeling at the minute. Never a problem in the office.

    Thursday, March 2, 2017 9:57 AM

Answers

  • Hi

     You can configure advanced audit policy to find the source:

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    https://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx

    These are also possible causes of the lockout issue:
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -ActiveSync devices (cell phones, etc.)

    You can also check the source with the Account Lockout tool (for Server 2003): https://www.microsoft.com/en-us/download/details.aspx?id=15201
     A newer tool to troubleshoot this in Windows Server 2008 R2 is dsac.exe, the "Active Directory Administrative Center"; see the article: https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    You can also check with these 3rd party tools: Lepide, Netwrix, ...


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Thursday, March 2, 2017 10:04 AM
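An added example, not code from anyone in this thread, of the first step the answer above points at: reading the 4740 lockout events and turning them into "which machine locked out which account". It assumes the RSAT ActiveDirectory module and read access to the Security log on the PDC emulator (every DC forwards bad-password attempts to the PDC before the lockout decision, so the PDC's log carries every 4740). The function names, and the sample record at the bottom, are constructed here; the sample is only modelled on the fields quoted in the question.

```powershell
# Added example for this thread, not code from the original posts.
# Assumes: RSAT ActiveDirectory module, and read access to the Security log on the
# PDC emulator (lockouts are always recorded there, because every DC forwards bad
# password attempts to the PDC before the lockout is decided).

function ConvertFrom-LockoutEvent {
    # Flatten the EventData of a 4740 record into the fields a help desk needs.
    # In 4740 the "Caller Computer Name" is carried in the TargetDomainName data item.
    param([Parameter(Mandatory)][xml]$EventXml)
    $data = @{}
    foreach ($item in $EventXml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time           = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        LoggedOnDC     = $EventXml.Event.System.Computer
        Account        = $data['TargetUserName']
        AccountSid     = $data['TargetSid']
        CallerComputer = $data['TargetDomainName']
    }
}

function Get-LockoutSource {
    # Pull every 4740 from the PDC emulator for the last N hours, optionally for one account.
    param(
        [int]$Hours = 24,
        [string]$Account,                          # sAMAccountName, e.g. 'Ashley.Poxon'
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-LockoutEvent -EventXml ([xml]$_.ToXml()) } |
        Where-Object { -not $Account -or $_.Account -eq $Account }
}

# Offline check against a constructed record modelled on the one quoted in the question
# (this XML is made up to match that post, it is not a real export).
$sample = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2017-03-01T08:07:19.000Z"/>
    <Computer>xxxxxxxxxxx.domain.com</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">Ashley.Poxon</Data>
    <Data Name="TargetDomainName">TMG03</Data>
    <Data Name="TargetSid">S-1-5-21-852109325-4236797708-1392725387-323219</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">xxxxxxxxxxx$</Data>
    <Data Name="SubjectDomainName">UK</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEvent -EventXml $sample

# Live use: which machines are locking out which accounts, busiest first.
# Get-LockoutSource -Hours 72 | Group-Object Account, CallerComputer |
#     Sort-Object Count -Descending | Format-Table Count, Name
```

The Caller Computer Name is the host that presented the bad credentials to the DC, not necessarily the user's own machine. When it is a gateway or publishing server, as a name like TMG03 suggests, the 4740 only gets you as far as that host; the next hop is either that host's own logs or the 4776 (NTLM, "Source Workstation") and 4771 (Kerberos pre-authentication failed, "Client Address") events on the DC around the same timestamp.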

All replies

  • Just to confirm, have you tried Account Lockout and Management Tools from Microsoft?

    You can download this from https://www.microsoft.com/en-in/download/details.aspx?id=18465

    Additional resource troubleshoot account lockout issues :

    Troubleshooting account lockout the PSS way

    Here is another informative article https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/ which covers a few common root causes of account lockouts and how to resolve them.

    Hope, this helps you.

    Thursday, March 2, 2017 10:05 AM
  • Thanks Burak. Appreciate the response.

    I have just looked in ADAC and found my own account, which was locked out Wednesday morning. And I have logged into the domain every day this week. However, the Modified fields are showing:

    Last Logon 28/02/2017

    Last Bad Logon 07/02/2017

    So those figures don't seem correct? Last Bad Logon should have been showing 01/03/2017, as that is when I got locked out?


    • Edited by AshPoxon Thursday, March 2, 2017 11:12 AM
    Thursday, March 2, 2017 10:28 AM
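An added example, not part of the thread, that reads the bad-password attributes for one account from every DC rather than from whichever DC a console happens to be bound to: badPwdCount, badPasswordTime, lastLogon and lastLogoff are stored per DC and are never replicated, so each DC holds its own copy, while lockoutTime is replicated from the DC that performed the lockout. It assumes the RSAT ActiveDirectory module and read access to every DC; the function names are constructed here and the account name is the one from the question.

```powershell
# Added example for this thread, not code from the original posts.
# Assumes the RSAT ActiveDirectory module and read access to every DC in the domain.
# badPwdCount, badPasswordTime, lastLogon and lastLogoff are never replicated, so every
# DC keeps its own copy; a console bound to one DC only ever shows that DC's values.
# lockoutTime is replicated, but only from the DC that performed the lockout.

function ConvertFrom-FileTime {
    # AD stores these timestamps as 64-bit FILETIME; 0 or empty means "never".
    param([AllowNull()][object]$Value)
    if ($Value -and [int64]$Value -gt 0) { [datetime]::FromFileTime([int64]$Value) } else { $null }
}

function Get-LockoutStatusPerDC {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $props = 'badPwdCount', 'badPasswordTime', 'lastLogon', 'lockoutTime', 'LockedOut'
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            # -Server binds this query to one specific DC, so the unreplicated values are that DC's own.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties $props -ErrorAction Stop
            [pscustomobject]@{
                DC              = $dc
                LockedOut       = $u.LockedOut
                BadPwdCount     = $u.badPwdCount
                LastBadPassword = ConvertFrom-FileTime $u.badPasswordTime
                LastLogon       = ConvertFrom-FileTime $u.lastLogon
                LockoutTime     = ConvertFrom-FileTime $u.lockoutTime
                Error           = $null
            }
        }
        catch {
            # Typical for a Windows 2003 DC without the AD Management Gateway Service (no ADWS).
            [pscustomobject]@{
                DC = $dc; LockedOut = $null; BadPwdCount = $null; LastBadPassword = $null
                LastLogon = $null; LockoutTime = $null; Error = $_.Exception.Message
            }
        }
    }
}

# The DC with the most recent LastBadPassword handled the failing attempts; correlate its
# 4740/4776/4771 events around that time. The PDC emulator's BadPwdCount is the aggregate,
# because every other DC forwards its failures there.
Get-LockoutStatusPerDC -SamAccountName 'Ashley.Poxon' |
    Sort-Object LastBadPassword -Descending |
    Format-Table DC, LockedOut, BadPwdCount, LastBadPassword, LastLogon, LockoutTime, Error -AutoSize
```

In a mixed Win2k3 / 2k8 R2 domain like the one in the question, the 2003 DCs will land in the catch block unless the Active Directory Management Gateway Service is installed on them, since the AD cmdlets talk to ADWS; those DCs can still be read with dsquery or an LDAP tool, but the per-DC point is the same.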
  • Check whether your account is configured on a service, a scheduled task, etc. on different DCs. You can also use 3rd party tools for analysis.

    And on a DC that is affected by the lockout issue (with your account), check the traffic to find the source.

    https://www.wireshark.org/download.html


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Thursday, March 2, 2017 9:49 PM