AD account locked out

  • Question

  • I reset my password and my account began to lock out. I set my password back to the original, but the account continues to lock out. Using accountlockoutstatus from Sysinternals I was able to determine the domain controller that is receiving the failed attempt (it's always the same DC). I parsed through the typical security events on the DC receiving the failures and on the PDC, but the offending computer is just showing as LOCALHOST and I can't find an IP address. I used Netwrix Account Lockout Examiner, but I receive the exact same information... I can't find the offending device. I ran a script to find all machines on the domain where the account is logged in or has a disconnected status. I logged out of all the machines and my account didn't lock out for a day. However, the next morning it was locked out again. I ran the script again and found no sessions. We map drives with Group Policy, but this account has never had mapped drives. The account is not used on any mobile devices, and I have no cached credentials. 

    How can I find the offending device?

    Thank you in advance for your help!!!

    Tuesday, January 15, 2019 4:41 PM

All replies

  • Can you post the event you're seeing on the DC?

    hth
    Marcin

    Tuesday, January 15, 2019 4:59 PM
  • Use Autoruns (Sysinternals) to check scheduled tasks and services.

    Renew the password.

    Check the Exchange W3C logs.

    Other question: how do you find machines on the domain? Can you post the script?


    Chris

    Wednesday, January 16, 2019 6:07 AM
  • You can try to use EventCombMT to collect all possibly related events from your DCs and see if you can get additional information: https://support.microsoft.com/en-us/help/824209/how-to-use-the-eventcombmt-utility-to-search-event-logs-for-account-lo

    If you identify the source device then you can check on the services, drives, ...

    The task itself and the troubleshooting may be very tricky, so you may want to think about the lockout policy you are implementing and see whether it is not worth investing in 2FA and other compensating controls (like Microsoft ATA) instead of having lockout policies, which may be tricky to manage operationally.


    This posting is provided AS IS with no warranties or guarantees , and confers no rights.

    Ahmed MALEK


    Wednesday, January 16, 2019 8:09 AM
  • or

    # replace userid with the locked-out account name
    Get-EventLog -LogName Security | Where-Object { $_.Message -like "*userid*" } | Format-List -Property *


    Chris

    Wednesday, January 16, 2019 8:12 AM
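A worked version of the event search the two replies above describe, as an added example that is not code posted by anyone in this thread. It reads the 4740 lockout events for one account from the PDC emulator (the caller computer name lives in the TargetDomainName field of 4740), then, for each lockout, pulls the Kerberos pre-authentication failures (4771), NTLM validation failures (4776) and logon failures (4625) from the DC that received the bad password, because those events carry the client address, source workstation and calling process even when 4740 only says LOCALHOST. It assumes the RSAT ActiveDirectory module and remote Security-log read rights on the DCs; the parameter names $SamAccountName, $FailingDC and $WindowMinutes and the helper Get-EventFields are my own.

```powershell
# Added example, not from the original thread. Assumes RSAT ActiveDirectory and
# remote event-log access to the domain controllers.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # account that keeps locking out
    [string] $FailingDC,                               # DC that LockoutStatus shows as receiving the failures; defaults to the PDC
    [int]    $WindowMinutes = 10                       # look this far back before each 4740
)

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
if (-not $FailingDC) { $FailingDC = $pdc }

# Helper (assumed name): flatten the EventData of a Security event into a hashtable
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $x = [xml] $Event.ToXml()
    $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 1. Lockouts (4740) are always recorded on the PDC emulator.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventFields $_).TargetUserName -eq $SamAccountName }

if (-not $lockouts) { Write-Warning "No 4740 events for $SamAccountName on $pdc"; return }

foreach ($lk in $lockouts) {
    $f = Get-EventFields $lk
    # In 4740 the 'Caller Computer Name' is stored in TargetDomainName.
    Write-Host ("{0}  LOCKOUT of {1}  caller computer: '{2}'" -f $lk.TimeCreated, $f.TargetUserName, $f.TargetDomainName)

    # 2. Bad-password events on the DC that rejected the credential:
    #    4771 Kerberos pre-auth failure (IpAddress, Status 0x18 = wrong password)
    #    4776 NTLM validation (Workstation, Status 0xC000006A = wrong password)
    #    4625 logon failure on the DC itself (WorkstationName, IpAddress, LogonType, ProcessName)
    $filter = @{
        LogName   = 'Security'
        Id        = 4771, 4776, 4625
        StartTime = $lk.TimeCreated.AddMinutes(-$WindowMinutes)
        EndTime   = $lk.TimeCreated.AddSeconds(5)
    }
    Get-WinEvent -ComputerName $FailingDC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = Get-EventFields $_
            if ($e.TargetUserName -ne $SamAccountName) { return }
            # first non-empty source field; '-' is the placeholder Windows writes when unknown
            $src = @($e.IpAddress, $e.Workstation, $e.WorkstationName) |
                Where-Object { $_ -and $_ -ne '-' } | Select-Object -First 1
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Source      = $src
                LogonType   = $e.LogonType    # 4625 only: 3 = network, 8 = cleartext (e.g. basic auth through IIS)
                Status      = $e.Status       # 0x18 (4771) or 0xC000006A (4776/4625) means bad password
                ProcessName = $e.ProcessName  # 4625 only: the service on the DC that asked for the logon
            } 
        } | Format-Table -AutoSize
}
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName jdoe -FailingDC DC02` (script name assumed). If 4740 reports LOCALHOST or a blank caller, the Source column of the 4776/4625 rows is the next hop: when it names another server rather than a workstation (an Exchange, RADIUS or web server doing pass-through authentication), repeat the 4625 query on that server, where WorkstationName and IpAddress point at the real client. When none of the DC events name a source at all, Netlogon debug logging (`nltest /dbflag:0x2080ffff`, output in %windir%\debug\netlogon.log) records the client computer for every pass-through validation the DC handles.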
  • TIP: we use ADAudit Plus. It helps very well to find locked-out people and other things.

    https://www.manageengine.com

    Today a user was locked out. ADAudit Plus showed the other machine! The user didn't log off from the other computer and changed the password on her own computer. We found the problem in 2 min.


    Chris

    Friday, January 18, 2019 9:05 AM
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 22, 2019 8:38 AM
    Moderator