User's account keeps getting locked out - 2008 R2 Std

  • Question

  • Hello all,

    We have a user who is in a basic Windows 2008 R2 AD environment whose account keeps getting locked out for no reason every 5 minutes. Another engineer removed all passwords from her Credential Manager, and we noticed her account was locked out again the next day. Her account didn't lock out for the rest of the afternoon after her credentials were cleared from Credential Manager. She is running Windows 7 Pro x64, does not use a mobile device and never has, and we do not see any security logs on the PDC. I appreciate any ideas or thoughts.

    Thursday, October 13, 2016 7:36 PM

Answers

  • Hi,
    These are possibilities for the lockout issue:
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -ActiveSync devices (cell phone, etc.)

    You can check the source with the Account Lock tool (for Server 2003): https://www.microsoft.com/en-us/download/details.aspx?id=15201
    There is a new tool to troubleshoot this in Windows Server 2008 R2, called dsac.exe, which is the "Active Directory Administration Centre". Check this article: https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    You can also check with these 3rd-party tools: Lepide, Netwrix...

    And you can configure advanced security audit to find the source:

    https://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Todd Heron Friday, October 14, 2016 1:02 AM
    • Marked as answer by AlvwanModerator Tuesday, October 25, 2016 2:05 AM
    Thursday, October 13, 2016 7:50 PM

All replies

  • Hi,

    Thanks for your post.

    Based on my experience, we could enable some audit settings and query corresponding Event logs to troubleshoot the account lockout issue.

    First, please make sure you have enabled all the audits at the domain level.

    Audit account logon events

    https://technet.microsoft.com/en-us/library/cc976367.aspx

    Audit logon events

    https://technet.microsoft.com/en-us/library/cc976395.aspx

    Then enable the settings below:

    1. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Account Management

    Configure: Audit User Account Management Success and Failure

    2. Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff

    Configure: Audit Account Lockout to audit Success and Failure

    When an account is locked out, a 4740 event is logged in the Security log on the PDC of your domain. Every account lockout is recorded there in the security event log. The PDC emulator is a central place that can be queried for all account lockout events. Before looking for an event ID of 4740, we need to find the domain controller that holds the PDC emulator role. One way to do this is by using the Get-AdDomain cmdlet.

    Then you could query the security event log for event ID 4740.

    More articles for your reference:

    Active Directory: Troubleshooting Frequent Account lockout

    http://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx

    Account Lockout and Management Tools
    http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
      

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 14, 2016 6:44 AM
    Moderator
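
The lookup described in the reply above, written out as an added example that is not part of the original post: it finds the PDC emulator, reads event 4740 from its Security log, and tallies which caller computer triggers the lockouts. It assumes the ActiveDirectory module is available, the caller may read the PDC's Security log, and uses a placeholder account name `jdoe` and a two-day window.

```powershell
# Added example (not from the thread). $User and $Since are assumed sample values.
Import-Module ActiveDirectory

$User  = 'jdoe'                      # placeholder sAMAccountName of the locked-out user
$Since = (Get-Date).AddDays(-2)      # how far back to search

# Every lockout in the domain is recorded on the DC holding the PDC emulator role.
$Pdc = (Get-ADDomain).PDCEmulator

try {
    $events = Get-WinEvent -ComputerName $Pdc -ErrorAction Stop -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = $Since
    }
} catch {
    # Get-WinEvent raises an error when nothing matches; this is also what you
    # see when the audit settings listed above are not yet applied to the DCs.
    Write-Warning "No 4740 events read from ${Pdc}: $($_.Exception.Message)"
    $events = @()
}

$lockouts = foreach ($e in $events) {
    # Read the named EventData fields instead of relying on property positions.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['TargetUserName'] -ne $User) { continue }

    New-Object PSObject -Property @{
        TimeCreated    = $e.TimeCreated
        Account        = $data['TargetUserName']
        # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
        CallerComputer = $data['TargetDomainName']
    }
}

# Timeline of lockouts, then a count per source machine.
$lockouts | Sort-Object TimeCreated |
    Select-Object TimeCreated, Account, CallerComputer | Format-Table -AutoSize
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name
```

The machine with the highest count is where to look for the stale credential (mapped drive, service, scheduled task or saved password); an empty caller name usually means the failed authentication was relayed by another server.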
  • Hi,

    There are tons of reasons why it can lock out. Almost 90% of the time we find users having credentials set up on a tablet or phone that they didn't think about or have forgotten about.

    Download the following tool:

    https://www.microsoft.com/en-za/download/details.aspx?id=15201

    It will tell you on which DC the account was locked out. Then connect to that DC and look for the security event that the LockoutStatus tool shows. The event will show you which IP or hostname is locking the account.

    If you see an Exchange server here, the user almost definitely has got a device configured.

    Thanks

    Friday, October 14, 2016 11:57 AM
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang



    Wednesday, October 19, 2016 8:57 AM
    Moderator