Best ideas for tracking down a random user's account constant lockout problem?

This topic is resolved

    • #13772
      Jim Jones
      Moderator

      Hello all, I’ve done this the hard way quite a bit, but I was wondering if anybody has a great way to track down a user’s repeated lockout issue with AD. I just got done fixing one user (the user’s password had changed and the iPhone hadn’t been updated to access the wireless via NPS), but it was literally an all-day process to track down where the user was having issues. Is there a product or script that can automate this process? Syslog maybe?

      0
    • #13773
      Sitaram Pamarthi
      Participant

      I haven’t done this in the recent past, but ~5 years back I used to do it frequently enough. So, here is the procedure I used to follow. Check whether it helps.

      1) Find the DC where the account is locked first: I used LockoutStatus.exe (download from http://www.microsoft.com/en-in/download/details.aspx?id=18465) to get this information.
      2) Look at the netlogon logs (enable debug logging if you want) to determine the IP address/computer name that is sending wrong credentials.

      This way we are closer to the problem. We know the computer that is sending wrong credentials, but we still need to determine where these wrong credentials are stored. We can check services, scheduled tasks, or any other third-party software running on this computer to find out the place where the old credentials are saved.

      0
    • #13774
      Joseph Moody
      Moderator

      I actually like using PowerShell to find that information now. I keep these scripts loaded into my ADUC for easy reach.

      http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx

      0
    • #13775
      Michael Pietroforte
      Keymaster

      First thing I check in case of account lockouts is the event log. On the PDC you should see the event ID 4740, the account name and the computer name. I don’t know how an iPhone would appear there, but I guess it should be possible to identify it. It is always a good idea to monitor failed logons with an event log management tool that allows you to centrally collect crucial event log messages. The best free event log tool I know is EventSentry Light. That way you never have to search for event log messages in your domain because you have it all in a central database.

      0
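The event ID 4740 lookup on the PDC described in the post above, as an added example that is not part of the original thread and not any poster's own script. It assumes the ActiveDirectory module (RSAT) is installed and the caller may read the Security log on the PDC emulator; the function name `Get-LockoutSource` and its parameters are hypothetical.

```powershell
# Added example: list lockout events (4740) for one account and the
# computer each one came from. Get-LockoutSource is a hypothetical name.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$UserName,   # sAMAccountName to look for
        [int]$Days = 7                              # how far back to search
    )

    Import-Module ActiveDirectory

    # Query the PDC emulator, where the post says 4740 is visible.
    $pdc = (Get-ADDomain).PDCEmulator

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the event fields by name from the XML instead of by position.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -ne $UserName) { continue }

        # In 4740 the "Caller Computer Name" is stored in the TargetDomainName field.
        $caller = $data['TargetDomainName']
        if ([string]::IsNullOrWhiteSpace($caller)) { $caller = '(blank)' }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            User             = $data['TargetUserName']
            CallerComputer   = $caller
            DomainController = $e.MachineName
        }
    }
}

# Usage: which computers caused the lockouts, most frequent first.
# Get-LockoutSource -UserName 'jdoe' -Days 3 |
#     Group-Object CallerComputer | Sort-Object Count -Descending |
#     Select-Object Count, Name
```

A `(blank)` caller means the 4740 event alone does not identify the source, which is where the netlogon debug log from the earlier reply comes in.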
    • #13777
      Jim Jones
      Moderator

      Great ideas guys, I’ll give these a shot the next time the issue arises.

      0
© 4sysops 2006 - 2020