none
lockout

    Question

  • Hi

    I have a user complaining that is he is locked several time a day.

    i have checked in lockout tool and i can see he is not locked anywhere. but i can see he has bad password counts.( out of 25 dcs i can see in 5 dcs one wrong password )

    How do i troubleshoot from here.

    Which is the event id to check from where he has typed wrong pwd or where he is trying to.

    Experts i am new to AD please do guide me.

    Wednesday, March 29, 2017 6:40 PM

Answers

  • Hi

    Also these are possibilies about lockout issue,
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -Active sync devices (cell phone,etc..)  

    And you can configure advanced audit policy to find the source;

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, March 29, 2017 8:06 PM
  • so in those 5 DC,s you have to see what time the bad password was sent.

    Secondly, you need to have some way of archiving those events or access to those events, that way ,if you open the bad password event, you will see the source of the lockout.

    event id should be 4776 or 4625 or 4771... 

    Thursday, March 30, 2017 4:59 PM

All replies

  • Hi

    Also these are possibilies about lockout issue,
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -Active sync devices (cell phone,etc..)  

    And you can configure advanced audit policy to find the source;

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, March 29, 2017 8:06 PM
  • so in those 5 DC,s you have to see what time the bad password was sent.

    Secondly, you need to have some way of archiving those events or access to those events, that way ,if you open the bad password event, you will see the source of the lockout.

    event id should be 4776 or 4625 or 4771... 

    Thursday, March 30, 2017 4:59 PM