AD user account always locked out randomly

  • Question

  • Hi,

    I have a little problem here, but it has become a big issue and has impacted our daily business and operations.

    So many user accounts are locked out randomly, and it also happened to my user account a few days ago. It was unlocked, but it is happening again to another account. Suddenly their account was locked out, while we have made sure with all users that there is no bad password. Each user logs in correctly on their computer or other device.

    When a user account is locked out, I check the AD server and Windows Event Viewer, then I unlock the account. Some day the same account can suddenly be locked out again.

    Is it possible that this issue is caused by something other than a virus/malware? And what are the best steps to troubleshoot and solve this case?

    Thanks.

     

    Sunday, April 7, 2019 12:02 PM

All replies

  • Hi Bar Kah,

    To find the sources of your account lockout, please use the Account Lockout Status tool and follow the steps below to avoid the account lockouts.

    Download Account Lockout Status (LockoutStatus.exe)

    Link to download :

    https://www.microsoft.com/en-in/download/details.aspx?id=15201

    1. Check your network drive mappings - Reconnect your old drives with the updated password.
    2. Cached email password - A cached email password (Outlook) can cause this as well. Disconnect from your mail server and re-create the connection with the updated password.
    3. Scheduled tasks - Clear any tasks not in use that were created by the user on the system, and update the password in Task Scheduler if any are configured by the user.
    4. Services - Check any services that you may have set up under the user's login on the system that may contain a former password.
    5. Browser cache - Clear the browser cache and any passwords stored by the user.
    6. Mobile devices - Verify whether you have any mobile devices configured with the old domain credentials and update the new password on those devices.


    Regards,

    Ramabadran Vasudevan

    Please don't forget to mark Propose as answer, to help others who have the same issue.


    Sunday, April 7, 2019 2:17 PM
  • Hi Bar Kah,

    To find the sources of your account lockout, please use the Account Lockout Status tool and follow the steps below to avoid the account lockouts.

    Download Account Lockout Status (LockoutStatus.exe)


    Does that tool even work? More importantly, does it read through the security event log on the DCs to find the source computer that generated the lockout event? That's the real key in finding what machine is locking out a user account.

    This might be a better tool. https://silentcrash.com/2018/06/using-powershell-to-trace-the-source-of-account-lockouts-in-active-directory/


    • Edited by MotoX80 Sunday, April 7, 2019 2:48 PM
    Sunday, April 7, 2019 2:40 PM
  • Hello,
    Thank you for posting in our TechNet forum.

    We can try the following steps to troubleshoot the issue:

    Usually, we can configure the audit policy on the domain controller (PDC) to confirm which client or server (source computer) locks out the account.

    1. Apply Audit Policy to the PDC under this location:
    Default Domain Policy: Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration -> Audit Policies

    Account Management -> Configure all items as Success and Failure
    Account Logon -> Configure all items as Failure

    2. On the DC, run the following command to make sure the audit policies have been applied.
    auditpol /get /category:*
    OR
    auditpol /get /category:* >C:\path\filename.txt




    3. On the client, try typing a wrong password more times than the threshold value we defined (that is, the number of wrong password entries after which the account is locked automatically) and see whether the user account is locked. Then go to the domain controller (PDC) and check in the Security Log whether we received the following event (PDC -> Event Viewer -> Windows Logs -> Security Log):
    4740      A user account was locked out.

    4. Within this Event log, we can see the resource computer (the caller computer name is the resource computer name).


    5. On the source computer, please apply the following Audit Policies (local group policy edit):
    Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration -> Audit Policies

    Logon/Logoff ->Configure all items as Failure.
    Detailed Tracking -> Configure all items as Success and Failure.

    6. Reproduce the issue on the source computer, or, once the account is locked again, unlock the account manually and log on to the source computer again. Using the time stamp of Event 4740, we can see in the source computer's Security Log the detailed process that was launched when Event 4740 was reported.


    Reference:
    4740(S): A user account was locked out.
    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 8, 2019 5:14 AM
    Moderator
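
The lookup in steps 3 and 4 above, as an added PowerShell example that is not part of the original reply: it parses Event 4740 XML and counts lockouts per caller computer and hour, which goes a little beyond the steps to show whether one machine or many is the source. The function names, account names and computer names are hypothetical, and the sample records are constructed.

```powershell
function ConvertFrom-LockoutEvent {
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $evt  = ([xml]$raw).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # In Event 4740 the caller computer name is stored in TargetDomainName.
        $caller = $data['TargetDomainName']
        if ([string]::IsNullOrWhiteSpace($caller)) { $caller = '(blank)' }
        $utc = ([datetime]$evt.System.TimeCreated.SystemTime).ToUniversalTime()
        [pscustomobject]@{
            HourUtc        = $utc.ToString('yyyy-MM-dd HH:00')
            Account        = $data['TargetUserName']
            CallerComputer = $caller
        }
    }
}

function Get-LockoutSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    ConvertFrom-LockoutEvent -EventXml $EventXml |
        Group-Object CallerComputer, HourUtc |
        ForEach-Object {
            [pscustomobject]@{
                CallerComputer = $_.Group[0].CallerComputer
                HourUtc        = $_.Group[0].HourUtc
                Lockouts       = $_.Count
                Accounts       = ($_.Group.Account | Sort-Object -Unique) -join ', '
            }
        } |
        Sort-Object Lockouts -Descending
}

# Constructed records in the shape of Event 4740 XML (hypothetical names).
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
     '<System><EventID>4740</EventID><TimeCreated SystemTime="{0}"/></System>' +
     '<EventData><Data Name="TargetUserName">{1}</Data>' +
     '<Data Name="TargetDomainName">{2}</Data></EventData></Event>'
$sample = @(
    ($t -f '2019-04-09T01:05:10Z', 'user01', 'WKS-EXAMPLE-01'),
    ($t -f '2019-04-09T01:20:44Z', 'user02', 'WKS-EXAMPLE-01'),
    ($t -f '2019-04-09T01:31:02Z', 'user03', 'WKS-EXAMPLE-01'),
    ($t -f '2019-04-09T06:12:30Z', 'user01', '')
)
Get-LockoutSummary -EventXml $sample | Format-Table -AutoSize

# Live use on the PDC emulator, with the audit policy above applied:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } | ForEach-Object { $_.ToXml() }
# Get-LockoutSummary -EventXml $xml
```

Many different accounts locked from one caller computer in the same hour points at that machine rather than at each user's stored credentials.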
  • Hi

    Did you try any of the above recommendations?


    Regards,

    Ramabadran Vasudevan

    Please don't forget to mark Propose as answer, to help others who have the same issue.

     

    Monday, April 8, 2019 2:53 PM
  • Hi All,

    Thanks for your advice.

    We have configured the Advanced Audit Policy Configuration on the domain controller as recommended by Daisy Zhou. We found all the caller computer sources from event 4740 in the DC server's Event Viewer, then our team checked those source computers to find suspicious programs like viruses/malware there. But we didn't find anything; everything is normal.

    We have also cleared all the credential caches (in the browser, applications, network drive mappings, etc.) of each user to avoid bad login attempts.

    On the next day, the same user account can be locked out again.

    It is like there is something at the DC server, or maybe on the network, that is triggering accounts to log in using a bad password, like a brute force attack. Can you imagine, in one day we can get more than hundreds of user accounts locked out.

    Is there any other solution to solve this problem?

    Thanks.

    Tuesday, April 9, 2019 3:01 PM
  • So it is only one machine that is generating the account logon failures? Is this a server or a workstation? Does the problem occur at the same time every day? Or every 4 hours or something like that? Have you reviewed the security event log on that machine to see if other machines are connecting to it?

    Configure the advanced auditing on that machine as well to see if it gives you more evidence.  

     
    Tuesday, April 9, 2019 4:13 PM
  • Hi,
    Are all the user accounts locked out on one specific machine, or on any machine?
    Or can any user account be locked out on any machine?

    If we find the caller computer, do we go on to perform step 5 and step 6 and try to find the detailed process?

    5. On the source computer (caller computer name), please apply the following Audit Policies (local group policy edit):
    Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration -> Audit Policies
    Logon/Logoff -> Configure all items as Failure.
    Detailed Tracking -> Configure all items as Success and Failure.

    6. Reproduce the issue on the source computer, or, once the account is locked again, unlock the account manually and log on to the source computer again. Using the time stamp of Event 4740, we can see in the source computer's Security Log the detailed process that was launched when Event 4740 was reported.


    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 10, 2019 2:04 AM
    Moderator
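
The correlation in step 6, as an added PowerShell example that is not part of the original reply: it takes failed-logon records (Event ID 4625, which the Logon/Logoff failure auditing from step 5 writes on the source computer) and keeps those for one account in the minutes before the Event 4740 time stamp. The function name, parameter names, paths and account names are hypothetical, and the sample records are constructed.

```powershell
function Find-FailedLogonBeforeLockout {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,   # Event 4625 XML from the source computer
        [Parameter(Mandatory)][string]$Account,
        [Parameter(Mandatory)][datetime]$LockoutTime, # time stamp of Event 4740 on the PDC
        [int]$WindowMinutes = 10
    )
    # Normalise to UTC so both sides of the comparison use the same clock.
    $end   = $LockoutTime.ToUniversalTime()
    $start = $end.AddMinutes(-$WindowMinutes)
    foreach ($raw in $EventXml) {
        $evt  = ([xml]$raw).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $when = ([datetime]$evt.System.TimeCreated.SystemTime).ToUniversalTime()
        if ($data['TargetUserName'] -ne $Account) { continue }
        if ($when -lt $start -or $when -gt $end) { continue }
        [pscustomobject]@{
            TimeUtc     = $when
            LogonType   = $data['LogonType']   # 2 interactive, 3 network, 4 batch, 5 service
            ProcessName = $data['ProcessName']
            SourceIp    = $data['IpAddress']
        }
    }
}

# Constructed records in the shape of Event 4625 XML (hypothetical values).
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
     '<System><EventID>4625</EventID><TimeCreated SystemTime="{0}"/></System>' +
     '<EventData><Data Name="TargetUserName">{1}</Data>' +
     '<Data Name="LogonType">{2}</Data><Data Name="ProcessName">{3}</Data>' +
     '<Data Name="IpAddress">{4}</Data></EventData></Event>'
$sample = @(
    ($t -f '2019-04-09T01:03:55Z', 'user01', '4', 'C:\Example\sync-agent.exe', '-'),
    ($t -f '2019-04-09T01:04:40Z', 'user01', '4', 'C:\Example\sync-agent.exe', '-'),
    ($t -f '2019-04-08T17:00:00Z', 'user01', '2', 'C:\Example\other.exe', '127.0.0.1'),
    ($t -f '2019-04-09T01:04:00Z', 'user02', '3', '-', '192.0.2.10')
)

# Only the first two records match: same account, inside the 10-minute window.
Find-FailedLogonBeforeLockout -EventXml $sample -Account 'user01' -LockoutTime '2019-04-09T01:05:10Z' |
    Group-Object ProcessName, LogonType |
    Select-Object Count, Name

# Live use on the source computer:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } | ForEach-Object { $_.ToXml() }
```

Logon type 4 (batch) or 5 (service) in the result matches the scheduled-task and service causes listed earlier in the thread, while type 3 (network) with a remote address means the attempts arrive from another host.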
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 12, 2019 1:59 AM
    Moderator
  • Hi,
    Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
     
    Again thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 15, 2019 1:52 AM
    Moderator
  • Hi 

    I would like to know about the current situation here.

    I hope the above recommendations provided by us and Daisy Zhou (MSFT CSG) answered your queries.

    If you have any feedback, please let us know to support you further.

    Regards,

    Ramabadran Vasudevan

    Please don't forget to mark Propose as answer, to help others who have the same issue. If you feel this content is beneficial, vote it.

    Wednesday, April 17, 2019 10:13 AM