How to trace an AD account lockout issue via Netlogon?

  • Question

  • Hi Expert,

    We are using MS Windows Server 2008 R2 for our AD server.

    Currently, one of our users is always getting locked out after changing their password due to expiry.

    I have tried to isolate the mobile phone, Wi-Fi, shared drive mappings, etc.; however, I still can't find the culprit. Currently, I am using the Microsoft account lockout tools to trace from which DC the account is being locked out, and then I go to that DC to check where it is being locked out from. However, the result seems to be misleading: it always shows one of our Exchange transport servers, and the source IP address is not recognized. I tried to trace the IP address via a WHOIS lookup but couldn't really find the location of this IP. It is definitely not a private IP address, so I can't trace it at all.

    I have read that it is possible to track account lockouts via Netlogon. May I know how to enable this log?

    Thanks

    Tuesday, June 28, 2016 1:32 PM

Answers

  • Hi; you've asked how to track the locked-out account via Netlogon log files; the answer is that you can enable debug logging for the Netlogon service by following this link:

    https://support.microsoft.com/en-us/kb/109626


    Best Regards, Todd Heron | Active Directory Consultant

    Tuesday, June 28, 2016 1:47 PM
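The steps the KB article describes, carried through as an added example (this is not code from the thread or from KB 109626): the first two functions switch verbose Netlogon logging on and off with `nltest`, and the third parses the `SamLogon` lines that `%windir%\debug\netlogon.log` then fills with, so that failed logons for one account can be grouped by the client name and by the member server that forwarded the request to the DC. In that log, `from X` is the client name the caller presented and `(via Y)` is the intermediate server (an Exchange server, a file server, a VPN gateway) that passed the logon to the DC; when the lockout tool points at an Exchange server, the `from` field is where the original device shows up. The sample lines, the account `henry` and the host names are constructed for the example.

```powershell
# Added example, not from the thread or from KB 109626: switch Netlogon debug
# logging on/off on a domain controller, then summarise the failed logons that
# netlogon.log records per user, client and forwarding server.
# Run in an elevated PowerShell session on the DC. Names and hosts are made up.

function Enable-NetlogonDebugLog {
    # 0x2080ffff is the verbose flag value KB 109626 documents; on Server 2008 R2
    # and later nltest applies it immediately, no Netlogon restart required.
    nltest /dbflag:0x2080ffff | Out-Null
    # Raise the size cap so a busy DC does not wrap the log before you read it
    # (Netlogon renames the full file to netlogon.bak and starts a fresh one).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name MaximumLogFileSize -Value 200MB -Type DWord
}

function Disable-NetlogonDebugLog {
    # Turn verbose logging back off when the investigation is finished.
    nltest /dbflag:0x0 | Out-Null
}

function Get-NetlogonLogonResult {
    <#
      Parses SamLogon lines from %windir%\debug\netlogon.log, for example:
      06/28 13:30:05 [LOGON] [2140] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\henry from HENRY-PC (via EXCH-HT01) Returns 0xC000006A
      "from" = client name presented by the caller, "via" = member server that
      forwarded the request to this DC (absent when the client talked to the DC directly).
    #>
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$User,          # restrict to one sAMAccountName
        [switch]$FailuresOnly   # drop the "Returns 0x0" successes
    )
    $pattern = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] .*SamLogon: (?<kind>.+?) logon of (?<domain>[^\\]+)\\(?<user>\S+) from (?<client>\S+)(?: \(via (?<via>[^)]+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'
    # The NTSTATUS codes you meet most often while chasing a lockout.
    $meaning = @{
        '0x0'        = 'SUCCESS'
        '0xC000006A' = 'STATUS_WRONG_PASSWORD'
        '0xC000006D' = 'STATUS_LOGON_FAILURE'
        '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
        '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    }
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }          # "Entered" lines etc. are skipped
        if ($User -and $Matches['user'] -ne $User) { continue }
        if ($FailuresOnly -and $Matches['status'] -eq '0x0') { continue }
        $m = if ($meaning.ContainsKey($Matches['status'])) { $meaning[$Matches['status']] } else { 'see ntstatus.h' }
        [pscustomobject]@{
            Time    = $Matches['ts']        # netlogon.log carries no year
            Kind    = $Matches['kind']      # "Network", "Transitive Network", "Interactive", ...
            User    = "$($Matches['domain'])\$($Matches['user'])"
            Client  = $Matches['client']
            Via     = $Matches['via']       # $null when no forwarding server was involved
            Status  = $Matches['status']
            Meaning = $m
        }
    }
}

# Constructed sample lines in the netlogon.log shape (user and hosts invented).
$sample = @(
    '06/28 13:30:05 [LOGON] [2140] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\henry from HENRY-PC (via EXCH-HT01) Entered',
    '06/28 13:30:05 [LOGON] [2140] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\henry from HENRY-PC (via EXCH-HT01) Returns 0xC000006A',
    '06/28 13:30:09 [LOGON] [2144] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\henry from HENRY-PC (via EXCH-HT01) Returns 0xC000006A',
    '06/28 13:30:12 [LOGON] [2140] CONTOSO: SamLogon: Network logon of CONTOSO\henry from HENRY-LAPTOP Returns 0x0',
    '06/28 13:30:40 [LOGON] [2151] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\henry from HENRY-PC (via EXCH-HT01) Returns 0xC0000234'
)

# Which client, through which forwarding server, produced this user's failures?
Get-NetlogonLogonResult -Lines $sample -User henry -FailuresOnly |
    Group-Object Client, Via, Meaning |
    Select-Object Count, Name

# On the DC itself, replace $sample with the live log:
#   Get-NetlogonLogonResult -Lines (Get-Content "$env:windir\debug\netlogon.log") -User henry -FailuresOnly
```

On the constructed sample the grouping reports two `STATUS_WRONG_PASSWORD` entries and one `STATUS_ACCOUNT_LOCKED_OUT` entry for `HENRY-PC` via `EXCH-HT01`, and the successful logon from `HENRY-LAPTOP` is filtered out. Because the verbose flag logs every authentication the DC handles, enable it on the DC the lockout tool names, reproduce the lockout, and disable it again; the log grows quickly on a busy DC.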
  • Hi Henry,

    Thanks for your post.

    To trace account lockouts, you could use the account lockout tools to achieve your goal. The tools can gather the information below:

    1. Mapped network drives
    2. Logon scripts that map network drives
    3. RunAs shortcuts
    4. Accounts that are used for service account logons
    5. Processes on the client computers
    6. Programs that may pass user credentials to a centralized network program or middle-tier application layer

    For more information, you could refer to the article below.

    Account Lockout Tools

    https://technet.microsoft.com/en-us/library/cc738772%28v=ws.10%29.aspx

    You could also run the script provided in the article below to gather account lockout information.

    Tracing the Source of Account Lockouts

    https://blogs.technet.microsoft.com/poshchap/2014/05/16/tracing-the-source-of-account-lockouts/

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, June 29, 2016 8:07 AM
    Moderator
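The lockout tools and the linked script both start from the Security event log, so here is an added example of that approach (written for this page, not the script from the blog post or Microsoft's tools): it reads the 4740 lockout events from the PDC emulator, which records every lockout in the domain, and for each one lists the bad-password events that preceded it on the same DC, namely 4776 (NTLM credential validation, which carries the workstation name) and 4771 (Kerberos pre-authentication failure, which carries the client IP address). It assumes the RSAT `ActiveDirectory` module and event-log read rights on the DC; the account name `henry` is a placeholder.

```powershell
# Added example, not from the thread or from the linked articles: correlate each
# 4740 lockout on the PDC emulator with the 4776/4771 bad-password events that
# preceded it. Requires RSAT ActiveDirectory and read access to the DC's Security log.

Import-Module ActiveDirectory

function ConvertFrom-EventData {
    # Turn the event's EventData block into a hashtable keyed by field name;
    # safer than Properties[n] positions, which differ between event IDs.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Get-LockoutTrace {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24,                 # how far back to look for 4740 events
        [int]$LookbackMinutes = 30,       # window before each lockout to inspect
        [string]$DomainController = (Get-ADDomain).PDCEmulator   # 4740 is always written here
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Every 4740 for this account. TargetUserName is the locked account;
    # TargetDomainName is what the event viewer labels "Caller Computer Name".
    $lockouts = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
        Where-Object { (ConvertFrom-EventData $_)['TargetUserName'] -eq $SamAccountName }

    foreach ($lk in $lockouts) {
        $lkData = ConvertFrom-EventData $lk
        $window = @{
            LogName   = 'Security'
            Id        = 4776, 4771
            StartTime = $lk.TimeCreated.AddMinutes(-$LookbackMinutes)
            EndTime   = $lk.TimeCreated
        }
        $sources = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable $window |
            ForEach-Object {
                $d = ConvertFrom-EventData $_
                if ($d['TargetUserName'] -ne $SamAccountName) { return }
                # 4776: Status is an NTSTATUS string, anything but 0x0 is a failure.
                if ($_.Id -eq 4776 -and $d['Status'] -ne '0x0') { "NTLM from $($d['Workstation'])" }
                # 4771: failure code 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. wrong password.
                elseif ($_.Id -eq 4771 -and $d['Status'] -eq '0x18') { "Kerberos from $($d['IpAddress'])" }
            } | Group-Object | ForEach-Object { "$($_.Name) x$($_.Count)" }

        [pscustomobject]@{
            LockedAt           = $lk.TimeCreated
            User               = $lkData['TargetUserName']
            CallerComputer     = $lkData['TargetDomainName']
            BadPasswordSources = ($sources -join '; ')
        }
    }
}

# Usage (placeholder account name):
#   Get-LockoutTrace -SamAccountName henry -Hours 48 | Format-List
```

Two caveats that match what the question reports. First, `CallerComputer` is the machine that submitted the bad credentials to the DC, not necessarily the user's device: when it is a server that authenticates on behalf of clients (an Exchange server, a RADIUS or VPN gateway, a reverse proxy), the originating device and its IP have to be found in that server's own logs, such as IIS logs for OWA/ActiveSync or the SMTP receive logs on a transport server. Second, 4776 and 4771 are logged on the DC that validated the credentials; the PDC emulator usually sees them too, because DCs forward bad-password attempts to it for a recheck, but to be sure, pass `-DomainController` with the DC that the lockout tools named.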
