Domain account locked out frequently.

    Question

  • My network has 2 DCs. The problem is with one user who changed his account before the expiry, and now his account is getting locked frequently.
    I even changed his password back to the old one from the DC in order to check for any authentication issue from any other mobile device, but this lockout is still happening regularly. How can we find out why it is happening, or any type of lockout event?

    We do have Citrix XenServers that users access with their domain accounts.

    Tuesday, July 3, 2012 2:25 PM

Answers

  • Have you used any of the Microsoft account status/lockout tools? Great blog entry with links to the tools here:

    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

    The suggestion of a network trace (#4) has helped me track down several of these issues.

    Thanks

    Mike


    http://adisfun.blogspot.com
    Follow @mekline

    Tuesday, July 3, 2012 2:39 PM
  • Hi,

    Make sure that all workstations, servers and DCs are updated with the latest patches, service packs and AV updates.

    There may be many other causes for an account being locked out:
    • user's account in Stored User Names and Passwords
    • user's account tied to a persistent mapped drive
    • user's account used as a service account
    • user's account used as an IIS application pool identity
    • user's account tied to a scheduled task
    • un-suspending a virtual machine after the user's password was changed
    • A SMARTPHONE!!!
    • could be a virus issue.

    Additionally, you may refer to the links and threads below for account lockout troubleshooting.

    Use the Account Lockout and Management Tools.
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

    Netwrix also has a good tool for finding out the cause of account lockouts.
    https://www.netwrix.com/account_lockout_troubleshooting.html

    Troubleshooting Account Lockouts the PSS way
    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

    The same issue is discussed in this thread:
    http://social.technet.microsoft.com/Forums/en-US/winservergen/thread/aaa59d9d-09f6-4127-93a1-2d855237c22f


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.


    Tuesday, July 3, 2012 3:45 PM
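Added example, not part of the reply above or of the original thread: a PowerShell script that checks the computer suspected of sending the bad passwords for the credential stores listed in that reply (services, scheduled tasks, IIS application pools, persistent drive mappings and Stored User Names and Passwords). `$Computer`, `$Account` and the sample account names in comments are placeholders; it assumes local administrator rights on the target, PowerShell 3.0 or later, and WinRM for the IIS check.

```powershell
# Added example (not from the thread): on the computer identified as the
# lockout source, list the places a copy of the user's old password usually
# survives a password change. $Computer and $Account are placeholders; run
# with local admin rights on the target and PowerShell 3.0 or later.
param(
    [string]$Computer = $env:COMPUTERNAME,
    [Parameter(Mandatory)][string]$Account       # 'jsmith' or 'CONTOSO\jsmith'
)
# Match '.\jsmith', 'CONTOSO\jsmith' and 'jsmith@contoso.com' alike.
$like = '*' + $Account.Split('\')[-1] + '*'

"== Services on $Computer whose Log On As matches $Account"
Get-WmiObject Win32_Service -ComputerName $Computer |
    Where-Object { $_.StartName -like $like } |
    Select-Object Name, StartName, State, StartMode | Format-Table -AutoSize

"== Scheduled tasks on $Computer with Run As User matching $Account"
# schtasks /V /FO CSV repeats its header row per task folder; drop those rows.
schtasks.exe /Query /S $Computer /V /FO CSV | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -like $like } |
    Select-Object TaskName, 'Run As User', 'Last Run Time', 'Last Result' | Format-Table -AutoSize

"== IIS application pools on $Computer running as a specific user"
Invoke-Command -ComputerName $Computer -ArgumentList $like -ScriptBlock {
    param($like)
    if (Get-Module -ListAvailable WebAdministration) {
        Import-Module WebAdministration
        Get-ChildItem IIS:\AppPools |
            Where-Object { $_.processModel.identityType -eq 'SpecificUser' -and
                           $_.processModel.userName -like $like } |
            Select-Object Name, @{n='RunsAs';e={$_.processModel.userName}}
    }
}

# Per-user stores (persistent mapped drives, Credential Manager / "Stored User
# Names and Passwords") are only visible from the user's own logon session,
# so run this part interactively as the user on the workstation itself.
if ($Computer -eq $env:COMPUTERNAME) {
    "== Persistent drive mappings and saved credentials for $env:USERNAME"
    Get-WmiObject Win32_NetworkConnection | Select-Object LocalName, RemoteName, UserName, Persistent
    cmdkey.exe /list
}
```

Application consoles that hold an AD credential of their own (directory sync, monitoring agents, backup jobs) are not covered by these checks and have to be inspected in the product itself; a phone's mail profile likewise only shows up as the phone's IP in the DC logs, not in anything on the workstation.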
  • Do you see any service running under this user? It might be using the old password.

    Also, you will see the account lockout event ID with the source computer information.

    Mike has provided information about Account Lockout tools.


    Santhosh Sivarajan | Houston, TX
    http://www.sivarajan.com/


    This posting is provided AS IS with no warranties,and confers no rights.

    Tuesday, July 3, 2012 4:01 PM
    Moderator
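Added example, not part of the reply above or of the original thread: PowerShell that locates the lockout event the reply refers to. Every lockout is processed by the PDC emulator, whose Security log event 4740 ("A user account was locked out") carries the caller computer name; `badPwdCount` and `lastBadPasswordAttempt` are not replicated, so the script reads them from each DC separately. It assumes the ActiveDirectory module (RSAT), remote Event Log access to the PDC emulator, and DCs running Windows Server 2008 or later (Server 2003 DCs log event 644 instead). `$User` is a placeholder for the sAMAccountName.

```powershell
# Added example (not from the thread): find which computer is sending the
# bad passwords. Needs the ActiveDirectory module and remote Event Log
# access to the PDC emulator. $User is a placeholder for the sAMAccountName.
param(
    [Parameter(Mandatory)][string]$User,
    [int]$Days = 2
)
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc"

# badPwdCount and lastBadPasswordAttempt are NOT replicated between DCs, so
# ask every DC; the one whose counter climbs is the DC the source talks to.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    Get-ADUser -Identity $User -Server $dc -Properties LockedOut, BadPwdCount, LastBadPasswordAttempt, AccountLockoutTime, PasswordLastSet |
        Select-Object @{n='DC';e={$dc}}, LockedOut, BadPwdCount, LastBadPasswordAttempt, AccountLockoutTime, PasswordLastSet
} | Format-Table -AutoSize

# In the XML of event 4740 the locked account is TargetUserName and the
# caller computer is, confusingly, the field named TargetDomainName (the
# rendered message shows it as "Caller Computer Name"). It is empty or a
# NetBIOS name; non-Windows clients such as phones usually show as empty.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
        }
    } |
    Where-Object { $_.Account -eq $User } |
    Sort-Object Time -Descending |
    Format-Table Time, Account, CallerComputer -AutoSize
```

When the caller computer comes back empty, the DC that holds the climbing `BadPwdCount` is the next stop: its failed Kerberos pre-authentication events (4771, failure code 0x18) and NTLM validation events (4776) record the client IP address, which is how a phone or a non-Windows appliance gets identified.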
  • Hi,

    Since the account lockout issue could be caused by many factors, such as programs, service accounts, a low bad password threshold, AD replication and redundant credentials, I suggest we try to enable the Auditing policy, Netlogon logging and Kerberos logging in order to narrow down the cause and capture information about the accounts that are being locked out.

    Enable Auditing at the Domain Level

    To view the Auditing policy settings, in the Group Policy MMC, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy. Enable auditing for the event types listed in the previous section.

    Enable Kerberos event logging on a computer

    1. Click Start, click Run, type regedit, and then press ENTER.
    2. Under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters registry key, add the following registry value:
      • Registry value: LogLevel
      • Value type: REG_DWORD
      • Value data: 0x1

       If the Parameters registry key does not exist, create it.

    3. Close Registry Editor and restart the computer.

    Enable Netlogon logging

    To enable debug logging, set the debug flag that you want in the registry and restart the service by using the following steps:

    1. Start the Regedt32 program.
    2. Delete the Reg_SZ value of the following registry entry, create a REG_DWORD value with the same name, and then add the 2080FFFF hexadecimal value:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

    3. At a command prompt, type net stop netlogon, and then type net start netlogon. This enables debug logging.
    4. To disable debug logging, change the data value to 0x0 in the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

    5. Quit Regedt32.
    6. Stop Net Logon, and then restart Net Logon.

    For details about troubleshooting the account lockout issue, please refer to the articles below.

    Troubleshooting Account Lockout

    http://technet.microsoft.com/en-us/library/cc773155(v=ws.10)

    Maintaining and Monitoring Account Lockout

    http://technet.microsoft.com/en-us/library/cc776964.aspx

    Account Lockout Tools

    http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

    Regards,

    Andy

    Wednesday, July 4, 2012 6:48 AM
    Moderator
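Added example, not part of the reply above or of the original thread: the three logging changes described in that reply (audit policy, Kerberos LogLevel, Netlogon DBFlag) done from PowerShell on a DC, followed by a parser for the netlogon.log lines that the DBFlag setting produces, which is where the failing client name actually appears. The sample log lines are constructed for illustration; real ones are in %SystemRoot%\debug\netlogon.log. It assumes PowerShell 3.0 or later, DCs on Windows Server 2008 or later (for the auditpol subcategories), and that the function and variable names are placeholders of this example.

```powershell
# Added example (not from the thread): switch the tracing described above on
# or off, then parse netlogon.log for the account's failed logons. Run on
# each DC as administrator. Sample lines at the bottom are constructed.
$NetlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$KerberosKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Set-LockoutTracing {
    param([switch]$Disable)
    $flag  = if ($Disable) { 0 } else { 0x2080FFFF }
    $level = if ($Disable) { 0 } else { 1 }
    $state = if ($Disable) { 'disable' } else { 'enable' }
    # DBFlag must be REG_DWORD; remove any stale REG_SZ copy first, as the reply says.
    Remove-ItemProperty -Path $NetlogonKey -Name DBFlag -ErrorAction SilentlyContinue
    New-ItemProperty -Path $NetlogonKey -Name DBFlag -PropertyType DWord -Value $flag | Out-Null
    Restart-Service Netlogon
    # Kerberos LogLevel=1 writes Kerberos errors to the System log; takes effect after a reboot.
    if (-not (Test-Path $KerberosKey)) { New-Item -Path $KerberosKey -Force | Out-Null }
    Set-ItemProperty -Path $KerberosKey -Name LogLevel -Type DWord -Value $level
    # Audit subcategories behind events 4740 (lockout), 4771 (Kerberos
    # pre-auth failure) and 4776 (NTLM credential validation) on the DC.
    auditpol.exe /set /subcategory:"User Account Management" /success:$state /failure:$state | Out-Null
    auditpol.exe /set /subcategory:"Kerberos Authentication Service" /failure:$state | Out-Null
    auditpol.exe /set /subcategory:"Credential Validation" /failure:$state | Out-Null
}

# netlogon.log line shapes that matter here (newer DCs insert a [pid] field):
#   MM/DD HH:MM:SS [LOGON] DOMAIN: SamLogon: Network logon of DOMAIN\user from CLIENT Returns 0xC000006A
#   MM/DD HH:MM:SS [LOGON] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\user from CLIENT (via DC) Returns 0xC0000234
$StatusNames = @{
    '0x0'        = 'SUCCESS'
    '0xC000006A' = 'WRONG_PASSWORD'
    '0xC000006D' = 'LOGON_FAILURE'
    '0xC0000234' = 'ACCOUNT_LOCKED_OUT'
    '0xC0000064' = 'NO_SUCH_USER'
    '0xC0000072' = 'ACCOUNT_DISABLED'
}
function Get-NetlogonLogons {
    param([string[]]$Lines, [string]$User)
    $rx = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?logon of (?<acct>\S+) from (?<client>\S+)(?: \(via (?<via>\S+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'
    foreach ($l in $Lines) {
        if ($l -notmatch $rx) { continue }
        if ($User -and $Matches.acct -ne $User -and $Matches.acct -notlike "*\$User") { continue }
        $code = $Matches.status.ToUpper() -replace '^0X', '0x'   # normalise hex case
        [pscustomobject]@{
            Time    = $Matches.ts
            Account = $Matches.acct
            Client  = $Matches.client      # machine that submitted the credentials
            Via     = $Matches.via         # DC that forwarded a transitive logon
            Status  = $code
            Meaning = if ($StatusNames.ContainsKey($code)) { $StatusNames[$code] } else { 'other' }
        }
    }
}

# Constructed sample; a real run reads Get-Content "$env:SystemRoot\debug\netlogon.log".
$sample = @(
    '07/03 14:20:11 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from APPSRV01 (via DC01) Returns 0xC000006A',
    '07/03 14:20:40 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WS-JSMITH Returns 0x0',
    '07/03 14:25:12 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from APPSRV01 (via DC01) Returns 0xC000006A',
    '07/03 14:30:13 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from APPSRV01 (via DC01) Returns 0xC0000234'
)
Get-NetlogonLogons -Lines $sample -User jsmith |
    Where-Object { $_.Status -ne '0x0' } |
    Group-Object Client, Meaning |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

On the constructed sample this groups the failures as `APPSRV01, WRONG_PASSWORD` (2) and `APPSRV01, ACCOUNT_LOCKED_OUT` (1), which is the pattern a stale stored credential produces: repeated 0xC000006A from one host until the threshold trips, then 0xC0000234 for every attempt after it. `nltest /dbflag:0x2080ffff` sets the same DBFlag without a service restart, and the log grows quickly at that verbosity, so turn it back off with `Set-LockoutTracing -Disable` once the source is found.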

All replies

  • Thanks guys. The culprit was the McAfee ePO server, where the user had given his credentials for AD sync and forgot to change them there after his routine password change.

    Wednesday, July 11, 2012 1:51 PM