Locked Account

  • Question

  • Hi,

    Is there a tool which can find the cause of a locked account? We have a few users who have a problem with this, and it would be good if there is a tool which can show if some device or something else is causing this.

    Best Regards,

    Blake

    Thursday, April 14, 2016 6:32 AM

Answers

  • Hi,

    You can use the EventCombMT.exe tool; it is really helpful for troubleshooting by collecting logs from multiple DCs.

    You have to add the event ID 4740 at the end of all the predefined event IDs for account lockout events. In the tool you can see the predefined built-in feature that captures events for account lockout.

    • Proposed as answer by Alvwan Friday, April 15, 2016 2:00 AM
    • Marked as answer by Alvwan Friday, April 22, 2016 8:03 AM
    Thursday, April 14, 2016 6:57 AM
  • Hi,

    Is there a tool which can find the cause of a locked account? We have a few users who have a problem with this, and it would be good if there is a tool which can show if some device or something else is causing this.

    Best Regards,

    Blake


    Possible reasons:

    - Mapped network drives

    - Logon scripts that map network drives

    - RunAs shortcuts

    - Accounts that are used for service account logons

    - Processes on the client computers

    - Programs that may pass user credentials to a centralized network program or middle-tier application layer

    - ActiveSync devices (cell phone, etc.)

    Also, you can check with the "Account Lockout and Management Tools": https://www.microsoft.com/en-us/download/details.aspx?id=18465


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    • Proposed as answer by Alvwan Friday, April 15, 2016 2:00 AM
    • Marked as answer by Alvwan Friday, April 22, 2016 8:03 AM
    Thursday, April 14, 2016 7:58 AM
  • Hi,

    Thanks for your post.

    Based on my experience, we could enable some audit settings and query corresponding Event logs to troubleshoot the account lockout issue.

    First, please make sure you have enabled all the audits at the domain level.

    Audit account logon events

    https://technet.microsoft.com/en-us/library/cc787176(v=ws.10).aspx

    Audit account logon events

    https://technet.microsoft.com/en-us/library/cc737542(v=ws.10).aspx

    Audit logon events

    https://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx

    Then enable below settings:

    1. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Account Management

    Configure: Audit User Account Management Success and Failure

    2. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff

    Configure: Audit Account Lockout to audit Success and Failure

    Based on my experience, when an account is locked out, a 4740 event is logged in the Security log on the PDC of your domain. Every account lockout is recorded there in the security event log. The PDC emulator is a central place that can be queried for all account lockout events. Before looking for an event ID of 4740, we need to find the domain controller that holds the PDC emulator role. One way to do this is by using the Get-AdDomain cmdlet.

    Then you could query the security event log for event ID 4740.

    More articles for your reference:

    Active Directory: Troubleshooting Frequent Account lockout

    http://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx

    Account Lockout and Management Tools
    http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
      

    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

    Account Lockout Tools
    http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

    Best Regards,

    Alvin Wang



    • Proposed as answer by Alvwan Friday, April 15, 2016 2:00 AM
    • Marked as answer by Alvwan Friday, April 22, 2016 8:03 AM
    Thursday, April 14, 2016 8:01 AM
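
The lookup described in the answer above, written out as an added PowerShell example (not part of the original post). It assumes the ActiveDirectory module is installed and that you can read the Security log on the PDC emulator; the 7-day window and the variable names are choices made for this example.

```powershell
Import-Module ActiveDirectory

# Step 1: locate the domain controller that holds the PDC emulator role.
$pdc = (Get-ADDomain).PDCEmulator

# Step 2: query its Security log for lockout events (ID 4740).
# The 7-day window is an assumption for this example.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7) }
try {
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop
} catch {
    # Get-WinEvent raises an error when nothing matches the filter.
    Write-Warning "No 4740 events read from ${pdc}: $($_.Exception.Message)"
    $events = @()
}

# Step 3: read the named EventData fields from each event's XML.
# In event 4740, TargetUserName is the locked account and TargetDomainName
# holds the value Event Viewer labels "Caller Computer Name".
$lockouts = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
    }
}

# Step 4: summarize which source keeps locking which account, then list
# the individual events, newest first.
$lockouts | Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
$lockouts | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```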
  • You can also check out this informative article, which summarizes a few nice ideas for troubleshooting account lockouts: http://www.lepide.com/blog/troubleshoot-ad-account-lockouts/
    • Proposed as answer by Alvwan Friday, April 15, 2016 2:00 AM
    • Marked as answer by Alvwan Friday, April 22, 2016 8:03 AM
    Thursday, April 14, 2016 11:04 AM

All replies

  • Thank you everyone. I was able to find something in Event Viewer, and that is the Exchange server IP address. It must be some device which is trying to auth with the wrong pass.
    Thursday, April 14, 2016 9:47 AM