Tracing Account Lockout Source

  • Question

  • Hi,

    We have a single-forest, single-domain AD on Win2008 R2. We are experiencing random account lockouts for some users; the users claim that they haven't tried wrong passwords, and we checked whether the credentials are saved in Windows Vault.

    I tried the tool from Microsoft 

    Account Lockout and Management Tools 

    but this doesn't really help to trace the account lockout source. I can see the number of attempts and other details; on top of that, when I look for account lockout events on the DC I don't see any.

    Please suggest if i am missing something.

    What are the Event IDs I should look for to trace the account lockouts?

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Sunday, June 3, 2012 7:38 AM

All replies

  • Are these users using handheld devices? You need to sort out which user or computer is generating the lockout events. You need to look for login failure event IDs in the security log of the DCs. There is a tool from Netwrix and it has worked a lot of times for me in tracing account lockouts.

    Netwrix has a good tool, give a try.

    https://www.netwrix.com/account_lockout_troubleshooting.html

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/cddbf977-b98f-4783-8226-ebddab54d002/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Sunday, June 3, 2012 9:20 AM
  • Hi, I use this tool in a very large environment with multiple DCs to get the lockout source. The easiest way is to take the lockout DC (remember the PDC will always show the lockout too) and take the exact time of the last lock. Get the DC Security event log, then go to the exact time the lockout occurred. You should see some of the events you need then, and in the description etc. you will see the source of the lockout... You may already know this, but hope it helps...

    DCD

    Sunday, June 3, 2012 9:29 AM
  • Hi Awinish,

    Yes, the user who complained this morning is using an iPhone and accessing email on Exchange through ActiveSync.

    What are the Event IDs I should look for?

    Netwrix is licensed software.

    Is there any free tool?

    Does the native event log in Win2008R2 show the source of the account lockout and the type of application trying to log on?

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Sunday, June 3, 2012 10:05 AM
  • Hi,

    I just got another user locked out. I ran the Account Lockout Mgmt tool, checked the lockout time, followed the timestamp to filter the events on the DC and found "Event 4771 - Kerberos pre-authentication failed".

    Why would this happen?

    The user said he didn't try any bad password; actually he is using biometric login, so there is no question of typing in the password.

    Please suggest.

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Sunday, June 3, 2012 11:28 AM
  • Hi, it would appear that the lockout tool shows "6 bad passwords", AND the security logs confirm that a bad password has been attempted. Now, I'm not a Kerberos expert, but if memory serves, "pre-auth" is when Kerberos passes the password etc. to the DC, so it would appear that everything points at a bad password. Can you not try a login yourself using a standard Windows machine, or reset it for the user and try it yourself? How can you be absolutely sure the password hasn't been changed? Maybe you have a first-line SD that has done it? Happens ALL the time in my organisation :-)

    Regards

    DCD

    Sunday, June 3, 2012 3:14 PM
  • Maqsood,

    The event ID for account lockout on Windows Server 2008 R2 is 4740. As per my experience, you have the Microsoft Account Lockout Status tool, which will yield you the information on where the account is getting locked from.

    Account lockouts are due to the following reasons:

    • If any scheduled task is running with the user account's old credentials
    • If any service is running with the user account's old credentials
    • If any network drive is mapped with the user account's old credentials
    • If the user is using a smartphone where his old credentials are cached.

    You need to follow the steps below to find out the source of the account lockout:

    1. Download the Microsoft Lockout Status tool from the link below

      http://www.microsoft.com/en-us/download/details.aspx?id=15201

    2. Install it on a domain controller

    3. Put the target name (the user account which is getting locked) on the Target tab

    4. It will list the date/time and the DC on which the account lockout events are happening

    5. Check the latest date and time and DC name. Log in to the DC where the event is being generated.

    6. Go to the Security event log, search for 644 (Windows Server 2003) or 4740 (W2K8 / Windows Server 2008 R2), and open the event

    7. It will list the account information and the computer name from which the account is getting locked

    8. Log in to that computer and check for any services or scheduled tasks

    Hope this information helps

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, June 4, 2012 6:00 AM
  • You can use the Netwrix tool, which is free for 20 days, and see if it helps you. You can also think of inspecting your environment for the Conficker worm.

    https://www.netwrix.com/account_lockout_examiner.html

    http://www.sophos.com/en-us/products/free-tools/conficker-removal-tool.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Monday, June 4, 2012 8:57 AM
  • If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm.
    On the DC check the security log; event ID 644 will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

    If it has spread to multiple PCs, create a GPO. Refer to the MS link below; the symptoms of the Conficker virus are given there, and also how to deploy the policy to block the same.
    http://support.microsoft.com/kb/962007

    Also make sure that all the PCs as well as servers are patched and the latest virus definitions are present on all PCs.

    Note: If event ID 644 has not occurred, this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

    There may be many other causes for account lockouts:
    • user's account in Stored User Names and Passwords
    • user's account tied to a persistent mapped drive
    • user's account used as a service account
    • user's account used as an IIS application pool identity
    • user's account tied to a scheduled task
    • un-suspending a virtual machine after a user's password was changed
    • A SMARTPHONE!!!

    For more, refer to the KB article: http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

    You can also install the Account Lockout and Management Tools: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
    http://4sysops.com/archives/free-account-lockout-tools-view-lockout-status-and-unlock-account/

    Refer to the links below for more steps on troubleshooting account lockouts.
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/94a7399f-7e7b-4404-9509-1e9ac08690a8/
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1c7e66a4-6a81-4118-89df-2e290852c3cc/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, June 4, 2012 11:34 AM
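The manual procedure in Prashant's steps (4740 on the DC, then the caller computer name in the event) and Sandesh's advice to compare the caller machine across several lockout events can be done in one query. The script below is an added example, not code from any post in this thread; it assumes the RSAT ActiveDirectory module, rights to read the DCs' Security logs, and a constructed sample account name 'jdoe'. It reads 4740 from the PDC emulator (which always records the lockout, as DCD notes) and then looks for the 4771 Kerberos pre-authentication failures that Maqsood found, so the client IP of whatever sent the stale password (a phone on ActiveSync, a mapped drive, a service) shows up next to the caller computer.

```powershell
# Added example, not from any post in the thread. Assumes the RSAT ActiveDirectory
# module, rights to read the DCs' Security logs, and a constructed sample account 'jdoe'.
Import-Module ActiveDirectory

$User  = 'jdoe'
$Since = (Get-Date).AddDays(-7)

# Read named EventData fields from the event XML instead of relying on Properties[] positions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Step 1: 4740 "A user account was locked out" on the PDC emulator (644 on Server 2003).
# For 4740, TargetDomainName carries the caller computer name.
$Pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    ForEach-Object {
        [PSCustomObject]@{
            Time           = $_.TimeCreated
            CallerComputer = Get-EventField $_ 'TargetDomainName'
        }
    } | Sort-Object Time -Descending
$lockouts | Format-Table -AutoSize   # the same CallerComputer repeating is the machine to inspect

# Step 2: for the latest lockout, pull 4771 pre-auth failures for this user on every DC in the
# five minutes before it. Status 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password); IpAddress is
# the client that presented it (IPv4 shows as ::ffff:a.b.c.d).
$latest = $lockouts | Select-Object -First 1
if ($latest) {
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName = 'Security'; Id = 4771
                StartTime = $latest.Time.AddMinutes(-5); EndTime = $latest.Time } -ErrorAction SilentlyContinue |
            Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
            ForEach-Object {
                [PSCustomObject]@{
                    DC       = $dc
                    Time     = $_.TimeCreated
                    Status   = Get-EventField $_ 'Status'
                    ClientIP = Get-EventField $_ 'IpAddress'
                }
            }
    }
}
```

If Step 1 returns nothing, account management auditing is not enabled on the DCs (the same gap Sandesh describes for 644), so turn on "Audit User Account Management" success auditing before relying on 4740.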
  • Have you checked on this computer (FPG.Gloabl) if the user has:
    A scheduled task which uses his password?
    A service which uses his password?
    A mapped drive which uses his password?
    http://blogs.dirteam.com/blogs/paulbergson/archive/2012/04/23/user-account-lockout-troubleshooting.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://blogs.dirteam.com/blogs/paulbergson  Twitter @pbbergs
    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Monday, June 4, 2012 12:03 PM
  • Hi Guys,

    Thanks everyone for valuable suggestions.

    I am off for a week; I shall update you on the status on Monday.

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Monday, June 4, 2012 2:41 PM
  • Hello Everyone,

    I have not seen any account lockouts for a week now.

    I believe it is happening only when a user changes the password and they have some kind of network mapping or application which is storing their credentials; otherwise I don't see any issues with AD.

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Sunday, June 10, 2012 11:18 AM