AD Accounts getting locked out

  • Question

  • We are having a problem where accounts get randomly locked out. It happens the most over the weekend. I have checked the event viewer and it doesn't show the computer that the account was logging onto. I have ManageEngine ADAudit. It shows the user was trying to log on to one domain controller and then logging into another domain controller. We have had this problem for some time. I can't find a reason for it; some users do have smartphones, but some of the users that get locked out don't have their email set up on their phones.
    Monday, July 22, 2013 3:41 PM

All replies

  • Are your domain controllers syncing time correctly? In particular, is the DC hosting the PDCe role syncing with a dedicated time server in your network that gets its time from the internet? Sometimes, even with the correct settings entered, the changes don't take effect until a restart of the Windows Time service or even of the entire box.

    Are these VMs? If so, you may need to ensure the time is not syncing with the host.

    What are your account/password policies? Your best bet is to enable auditing of logon events and check the security logs on the domain controllers; they will give an error code for the logon failure, which will be a major clue to the root cause.

    Good luck.

    Monday, July 22, 2013 4:10 PM
  • They look like they are syncing correctly. I haven't got any errors that they are not. All our servers are VMs; they are syncing to the main domain controller. The account is set to get locked out after 5 failed attempts. I have checked the event viewer; it didn't give me much. I will look at it again.
    Monday, July 22, 2013 5:02 PM
  • So we can say that the time is within the Kerberos time drift allowance (default 5 minutes; this is a GPO setting, but I do not remember the exact name).

    Be sure the service does not intermittently stop and that the VM settings explicitly deny syncing with the host.

    As mentioned, you'd need to enable the logging in the Group Policy for failed login attempts and then check the security event logs.

    Also see:

    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

    Monday, July 22, 2013 5:15 PM
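The clock check the replies above describe, written out as an added example (this is not code from the thread or from any of its posters). It compares every DC's clock with the PDC emulator, flags anything outside the 5-minute Kerberos tolerance (the policy the reply could not name is "Maximum tolerance for computer clock synchronization" under Kerberos Policy), and shows each DC's time source so a VM that is following its hypervisor instead of the domain hierarchy stands out. It assumes the RSAT ActiveDirectory module and WinRM access to every DC; the 300-second threshold is the default and is an assumption about this domain.

```powershell
# Added example, not from the thread: compare each DC's clock with the PDC emulator
# and show where each DC gets its time. Kerberos rejects requests whose clock skew
# exceeds "Maximum tolerance for computer clock synchronization" (default 5 minutes).
# Assumes the RSAT ActiveDirectory module and WinRM access to every DC.
Import-Module ActiveDirectory

$domain         = Get-ADDomain
$pdc            = $domain.PDCEmulator
$dcs            = (Get-ADDomainController -Filter * -Server $domain.DNSRoot).HostName
$maxSkewSeconds = 300   # default Kerberos policy value; lower it if your policy is stricter

# Reference clock: the PDC emulator sits at the top of the domain time hierarchy.
$pdcNow = Invoke-Command -ComputerName $pdc -ScriptBlock { [DateTime]::UtcNow }

$dcs | ForEach-Object {
    $dc = $_
    $r = Invoke-Command -ComputerName $dc -ScriptBlock {
        [pscustomobject]@{
            Now     = [DateTime]::UtcNow
            # "VM IC Time Synchronization Provider" here means the guest follows the hypervisor,
            # not the domain hierarchy, which is what the reply warns about.
            Source  = (w32tm /query /source | Out-String).Trim()
            # NT5DS = sync from the domain hierarchy; NTP = manually configured peers
            # (expected on the PDC emulator only, pointing at your external time source).
            Type    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters').Type
            Service = (Get-Service W32Time).Status.ToString()
        }
    }
    $offset = [math]::Round(($r.Now - $pdcNow).TotalSeconds, 1)
    [pscustomobject]@{
        DC                      = $dc
        IsPDC                   = ($dc -ieq $pdc)
        OffsetSeconds           = $offset
        WithinKerberosTolerance = ([math]::Abs($offset) -lt $maxSkewSeconds)
        TimeSource              = $r.Source
        SyncType                = $r.Type
        W32Time                 = $r.Service
    }
} | Format-Table -AutoSize
```

The offsets include the few seconds that elapse between the sequential remote calls, which is irrelevant against a 300-second tolerance but means a reading of 1 or 2 seconds is noise. For a latency-corrected figure the built-in `w32tm /monitor /domain:<your domain>` does the same comparison from one console. A non-PDC DC whose SyncType is NTP, or whose TimeSource names the VM integration provider, is the configuration the reply says to rule out.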
  • Run DCDIAG and make sure the DCs are replicating. Also, the Microsoft Account Lockout tool is a great tool to identify these types of issues.

    Is it happening after they change the password?


    Santhosh Sivarajan | Houston, TX

    Windows 2012 Book - Migrating from 2008 to Windows Server 2012

    http://www.sivarajan.com/
    This post is provided ASIS with no warran

    Monday, July 22, 2013 5:35 PM
    Moderator
  • We are having a problem where accounts get randomly locked out. It happens the most over the weekend. I have checked the event viewer and doesn't show the computer that the account was logging onto. I have Manage Engine ADAudit. It shows the user was trying to log on one of the domain controller then logging into another domain controller. We have had this problem for sometime. Can't find a reason for it, some users do have smartphones. But some of the users that get locked out don't have their email setup on their phones.  

    I would also second what Santhosh said. It could indeed be a replication issue. Netlogon logging may be useful going forward....

    You mention that some users have smartphones. Are you implying the login is from the smartphone? If so, do these smartphones which experience the login issues not point to the DCs for authentication? At first I was thinking the users are logging in interactively to the DCs (which wouldn't make sense).

    Monday, July 22, 2013 9:44 PM
  • In addition see this Maintaining and Monitoring Account Lockout

    See this for using EventCombMT: http://social.technet.microsoft.com/wiki/contents/articles/4585.account-locked-out-troubleshooting.aspx

    Regards
    Biswajit Biswas
    My Blogs|TechnetWiki Ninja | Any ADDS Related Query;Post@http://aka.ms/addsforum | Any Security Related Query ;Post@http://aka.ms/adcsforum


    Best regards, Biswajit Biswas. Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. MCP 2003, MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin


    Tuesday, July 23, 2013 3:03 AM
  • Hi,

    Any updates?

    Please feel free to let us know if you need further assistance.

    Regards.


    Vivian Wang
    TechNet Community Support

    Monday, July 29, 2013 8:15 AM
    Moderator
  • For this you need to look into the AD Account Lockout Examiner tool. Netwrix has this tool, and it is freeware. Moreover, please check the logs, as this can also be a positive note for you, because there must be logs that were created at the time of the error. Please also check the password complexity at the OU.

    Thanks.

    Monday, July 29, 2013 9:47 AM
  • There may be many other causes for accounts being locked out:
    • user's account in stored user names and passwords
    • user's account tied to a persistent mapped drive
    • user's account used as a service account
    • user's account used as an IIS application pool identity
    • user's account tied to a scheduled task
    • un-suspending a virtual machine after a user's password was changed
    • A SMARTPHONE!!!

    For more, refer to the KB article: http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

    Here are two toolsets that can help
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
    and
    http://www.netwrix.com/account_lockout_examiner.html

    Paul Bergson's User Account Lockout Troubleshooting
    http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

    Using the checked Netlogon.dll to track account lockouts
    http://support.microsoft.com/kb/189541

    If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm.
    On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs, you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

    If it is spread on multiple PCs, create a GPO. Refer to the MS link below; the symptoms of the Conficker virus are given there, and also how to deploy the policy to block it.
    http://support.microsoft.com/kb/962007

    Also make sure that all the PCs as well as the servers are patched and the latest virus definitions are present on all PCs.

    Note: If event ID 644/4740 has not occurred, this means that the user account management audit policy is not configured. Configure it and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Monday, July 29, 2013 5:45 PM
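The log-based procedure that the first reply and the post above both describe (enable auditing, pull the 4740 events, read the caller machine, then look at the failure codes), written out as an added example; this is not code from the thread or from any of its posters. Step 1 reads every 4740 on the PDC emulator, which receives a copy of each lockout whichever DC rejected the logon, and groups them by caller computer, which is exactly the "same caller machine" pattern the post says to look for. Step 2 then pulls the 4771 (Kerberos) and 4776 (NTLM) failures for those users from every DC, with the source address and failure code the first reply wanted. It assumes the RSAT ActiveDirectory module, rights to read the Security log on the DCs, and Windows Server 2008 or later event IDs; the 72-hour window is an assumption chosen to cover a weekend.

```powershell
# Added example, not from the thread: find the caller computer behind each 4740 lockout
# on the PDC emulator, then pull the matching 4771/4776 bad-password events from every DC.
# 4740 is only written when "Audit User Account Management" (success) is enabled on the DCs.
# Assumes the RSAT ActiveDirectory module and rights to read the Security log on the DCs.
param(
    [int]$Hours = 72   # look-back window; long enough to cover a weekend
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator   # every lockout is forwarded here, whichever DC rejected the logon
$dcs    = (Get-ADDomainController -Filter * -Server $domain.DNSRoot).HostName
$since  = (Get-Date).AddHours(-$Hours)

# Turn an event's EventData into a name->value hashtable so fields can be read by name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Step 1: lockouts and their caller computers.
# In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; User = $f['TargetUserName']; CallerComputer = $f['TargetDomainName'] }
    }

"Lockouts by caller computer (last $Hours h):"
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'CallerComputer'; e = { $_.Name } },
                  @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Step 2: the failed attempts behind those lockouts, with the failure code from each DC.
# 4771 Status 0x18 = Kerberos pre-auth failed (wrong password), 0x12 = account locked/disabled.
# 4776 Status 0xC000006A = wrong password (NTLM), 0xC0000234 = account locked out.
$lockedUsers = @($lockouts.User | Sort-Object -Unique)
"Failed attempts for locked users, per DC:"
$dcs | ForEach-Object {
    $dc = $_
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since } |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($lockedUsers -contains $f['TargetUserName']) {
            # Kerberos events carry the client IP; NTLM events carry the workstation name.
            if ($_.Id -eq 4771) { $src = $f['IpAddress'] } else { $src = $f['Workstation'] }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Id     = $_.Id
                User   = $f['TargetUserName']
                Source = $src
                Status = $f['Status']
            }
        }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Read the caller computer with the thread's smartphone discussion in mind: when the bad password arrives through an intermediary (an Exchange client access server for ActiveSync, an NPS/RADIUS server, a terminal server), the 4740 names that server, not the phone or workstation behind it, so the next hop is that server's own logs (IIS logs for ActiveSync, NPS accounting for RADIUS). A run that returns no 4740 rows at all, while users are demonstrably locked, points to the audit-policy gap the post's note describes rather than to the absence of lockouts.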
  • Hello,

    I'm writing to ask about the question's present status. If there is anything we can do for you, please feel free to reply to this post directly so we will be alerted to follow up.

    Regards,

    Deva

    Sunday, August 4, 2013 5:50 PM
  • It could be due to the Conficker virus. Please run the McAfee Conficker detection tool to check whether any PCs are affected.

    Download link : http://www.mcafee.com/us/downloads/free-tools/conficker-detection.aspx 

    Please follow the steps below to clean Conficker

    Download Conficker removal tool ( http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3 ) and run it

    Also, you may refer to the link below to troubleshoot account lockout

    http://msexchangeguru.com/2012/03/08/ad-lockout/

    Sunday, August 4, 2013 7:46 PM
  • They look like they are syncing correctly. I haven't got any errors that they are not. All our servers are VMs; they are syncing to the main domain controller. The account is set to get locked out after 5 failed attempts. I have checked the event viewer; it didn't give me much. I will look at it again.

    You said all your servers are VMs, so what is the platform on which you are running the domain controller, VMware or Hyper-V? Are you aware that when you are running a DC on Hyper-V, you shouldn't disable the time integration services completely?

    http://blogs.msdn.com/b/virtual_pc_guy/archive/2010/11/19/time-synchronization-in-hyper-v.aspx

    Did you check whether a scheduled task or script might be the reason for the lockout? I would suggest, if nothing works, using Wireshark or the Netmon tool to capture the traffic and see what comes up.

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/cddbf977-b98f-4783-8226-ebddab54d002/account-lockout


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, August 5, 2013 1:16 AM
    Moderator
  • Hello,

    ALTools.exe contains tools that assist you in managing accounts and in troubleshooting account lockouts. 

    http://www.microsoft.com/en-in/download/details.aspx?id=18465

    This could also be due to the Conficker virus in the domain.

    Please follow the steps below to remove the "Conficker" worm completely:

    1. Disconnect the infected computer from the network and the Internet.
    2. Use an uninfected PC to download the respective Windows patches from the following sites: MS08-067, MS08-068 and MS09-001
    3. Reset your system passwords for admin accounts using more sophisticated ones. [Note that it can spread through shared folders.]
    4. Install the updated anti-virus program.
    5. Re-connect the PC to the network and the Internet.

    You might also want to disable Autorun.

    Regards,

    Deva

    Monday, August 5, 2013 6:33 AM