This topic is resolved

This topic contains 4 replies, has 4 voices, and was last updated by  Jim Jones 6 years, 6 months ago.

  • #13772
     Jim Jones 
    Moderator

    Hello all, I’ve done this the hard way quite a bit but I was wondering if anybody has a great way to track down a user repeated lockout issue with AD. I just got done fixing one user (user’s password had changed and iPhone hadn’t been updated to access the wireless via NPS) but it was literally an all day process to track down where the user was having issues. Is there a product or script that can automate this process? Syslog maybe?

  • #13773
     Sitaram Pamarthi 
    Participant

    I haven’t done this in the recent past, but ~5 years back I used to do it frequently enough. So, here is the procedure I used to follow. Check out if that helps.

    1) Find the DC where the account is locked first: I used LockoutStatus.exe (download from http://www.microsoft.com/en-in/download/details.aspx?id=18465) to get this information.
    2) Look at the netlogon logs (enable debug logging if you want) to determine the IP address/computer name that is sending wrong credentials.

    This way we are closer to the problem. We know the computer that is sending wrong credentials, but we still need to determine where these wrong credentials are stored. We can check services, scheduled tasks, or any other third-party software running on this computer to find out the place where old credentials are saved.

  • #13774
     Joseph Moody 
    Moderator

    I actually like using PowerShell to find that information now. I keep these scripts loaded into my ADUC for easy reach.

    http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx

  • #13775
     Michael Pietroforte 
    Keymaster

    First thing I check in case of account lockouts is the event log. On the PDC you should see the event ID 4740, the account name and the computer name. I don’t know how an iPhone would appear there, but I guess it should be possible to identify it. It is always a good idea to monitor failed logons with an event log management tool that allows you to centrally collect crucial event log messages. The best free event log tool I know is EventSentry Light. That way you never have to search for event log messages in your domain because you have it all in a central database.

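Combining the two suggestions above (a PowerShell script kept within reach, and event ID 4740 on the PDC), here is an added example that is not from the thread or from any of the posters: it queries the PDC emulator for recent 4740 events and lists the locked account together with the calling computer name. It assumes the ActiveDirectory module (RSAT) is installed and that the caller may read the PDC’s Security log remotely; the `-User` parameter and the one-day window are this example’s own choices.

```powershell
# Added example, not code from the thread. Lists recent account-lockout events (4740)
# from the PDC emulator, which records every lockout regardless of which DC saw the
# bad password, and shows the account plus the computer that reported the lockout.
param(
    [string]$User   = '*',   # sAMAccountName to filter on; '*' shows all lockouts
    [int]$Hours     = 24     # how far back to look in the Security log
)

Import-Module ActiveDirectory

# The PDC emulator is the DC to ask: lockouts are replicated to it immediately.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 4740 events on $pdc in the last $Hours hour(s)."
    return
}

$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML; in 4740 the locked account
    # is TargetUserName and the 'Caller Computer Name' field is TargetDomainName.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time           = $_.TimeCreated
        Account        = $data['TargetUserName']
        # For wireless/VPN logons this is often the NPS or RADIUS server, not the
        # device itself; continue the search in that server's logs.
        CallerComputer = $data['TargetDomainName']
        ReportedBy     = $_.MachineName
    }
} | Where-Object { $_.Account -like $User } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```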
  • #13777
     Jim Jones 
    Moderator

    Great ideas guys, I’ll give these a shot the next time the issue arises.



© 4sysops 2006 - 2019
