This topic is resolved
- Wed, May 15 2013 at 10:39 am #13772 Jim Jones (Moderator)
Hello all, I’ve done this the hard way quite a bit, but I was wondering if anybody has a great way to track down a repeated user lockout issue with AD. I just got done fixing one user (the user’s password had changed and the iPhone hadn’t been updated to access the wireless via NPS), but it was literally an all-day process to track down where the user was having issues. Is there a product or script that can automate this process? Syslog maybe?
- Wed, May 15 2013 at 10:52 am #13773 Sitaram Pamarthi (Participant)
I haven’t done this in the recent past, but ~5 years back I used to do it frequently enough. So, here is the procedure I used to follow. Check whether it helps.
1) Find the DC where the account is locked first: I used LockoutStatus.exe (download from http://www.microsoft.com/en-in/download/details.aspx?id=18465) to get this information.
2) Look at the Netlogon logs (enable debug logging if you want) to determine the IP address/computer name that is sending wrong credentials.
This way we are closer to the problem. We know the computer that is sending wrong credentials, but we still need to determine where these wrong credentials are stored. We can check services, scheduled tasks, or any other third-party software running on this computer to find out where the old credentials are saved.
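Step 2 above is easier with a little parsing help. The following PowerShell script is an added example, not code from the thread or from any of the posters: it reads the Netlogon debug log on the DC identified in step 1 and summarises failed logons per user and source computer, so the machine sending stale credentials stands out. The log is enabled with `nltest /dbflag:0x2080ffff` (and `nltest /dbflag:0x0` turns it off again) and is written to `%windir%\debug\netlogon.log`. The domain, user, host names and log lines in the sample are constructed; the line format is approximated from real Netlogon logs, so adjust the regex if your DC writes something slightly different.

```powershell
# Added example (not from the thread): summarise failed logons in a Netlogon debug log
# by user and source computer. Falls back to constructed sample lines when no log exists,
# so it can be tried on any machine.
param([string]$LogPath = "$env:windir\debug\netlogon.log")

# NTSTATUS codes that appear on the "Returns" lines; 0xC000006A (wrong password)
# is the one that drives the bad-password count and eventually the lockout.
$status = @{
    '0xC000006A' = 'Wrong password'
    '0xC000006D' = 'Logon failure'
    '0xC0000234' = 'Account locked out'
    '0xC0000064' = 'No such user'
}

# A "Returns" line looks roughly like this (constructed sample):
# 05/15 10:31:02 [LOGON] [2796] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jjones from WKS-0042 (via DC01) Returns 0xC000006A
$pattern = 'logon of (?<domain>[^\\]+)\\(?<user>\S+) from (?<source>\S+) .*Returns (?<code>0x[0-9A-Fa-f]+)'

# Constructed sample log; CONTOSO, jjones, asmith, WKS-*, NPS01 and DC01 are hypothetical names.
$sample = @'
05/15 10:31:02 [LOGON] [2796] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jjones from WKS-0042 (via DC01) Returns 0xC000006A
05/15 10:31:05 [LOGON] [2796] CONTOSO: SamLogon: Network logon of CONTOSO\jjones from NPS01 Returns 0xC000006A
05/15 10:31:09 [LOGON] [2796] CONTOSO: SamLogon: Network logon of CONTOSO\jjones from NPS01 Returns 0xC000006A
05/15 10:31:20 [LOGON] [2796] CONTOSO: SamLogon: Network logon of CONTOSO\jjones from NPS01 Returns 0xC0000234
05/15 10:32:00 [LOGON] [2796] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\asmith from WKS-0017 (via DC01) Returns 0x0
'@ -split "`r?`n"

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }

$lines |
    ForEach-Object {
        # Keep only logon results that are not success (0x0)
        if ($_ -match $pattern -and $matches.code -ne '0x0') {
            [pscustomobject]@{
                User   = "$($matches.domain)\$($matches.user)"
                Source = $matches.source
                Result = if ($status.ContainsKey($matches.code)) { $status[$matches.code] } else { $matches.code }
            }
        }
    } |
    Group-Object User, Source, Result |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';   e = { $_.Group[0].User } },
        @{ n = 'Source'; e = { $_.Group[0].Source } },
        @{ n = 'Result'; e = { $_.Group[0].Result } } |
    Format-Table -AutoSize
```

Run it on the DC that LockoutStatus.exe reports as the lockout origin; the source with the highest "Wrong password" count for the affected user is where to start looking for cached credentials. When the source is an NPS or RADIUS server rather than a workstation, as in the iPhone-over-wireless case in the original question, the NPS server's own logs are the next hop to the actual device.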
- Wed, May 15 2013 at 12:09 pm #13774 Joseph Moody (Moderator)
I actually like using PowerShell to find that information now. I keep these scripts loaded into my ADUC for easy reach.
- Wed, May 15 2013 at 12:42 pm #13775 Michael Pietroforte (Keymaster)
The first thing I check in case of account lockouts is the event log. On the PDC you should see event ID 4740, the account name, and the computer name. I don’t know how an iPhone would appear there, but I guess it should be possible to identify it. It is always a good idea to monitor failed logons with an event log management tool that allows you to centrally collect crucial event log messages. The best free event log tool I know is EventSentry Light. That way you never have to search for event log messages in your domain because you have it all in a central database.
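The PowerShell approach Joseph mentions and the event ID 4740 check Michael describes fit naturally together. The script below is an added example, not one of the posters' scripts: it locates the PDC emulator with the ActiveDirectory module, pulls the recent 4740 events from its Security log, and lists the locked account and the caller computer for each. It assumes RSAT's ActiveDirectory module is installed and that the account running it can read the Security log on the PDC remotely; the user name `jjones` is a hypothetical default.

```powershell
# Added example (not from the thread): list recent account lockouts (event ID 4740)
# from the PDC emulator, showing which computer reported the bad credentials.
param(
    [string]$User  = 'jjones',   # hypothetical sAMAccountName; pass '' to list all accounts
    [int]   $Hours = 24
)

Import-Module ActiveDirectory

# Lockouts are always reported to the PDC emulator, so one DC is enough to query.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent throws when nothing matches; treat that as an empty result.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Read the EventData fields by name rather than by position. In 4740,
    # TargetUserName is the locked account and TargetDomainName carries the
    # "Caller Computer Name"; SubjectUserName is the DC that processed the lockout.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time           = $_.TimeCreated
        LockedAccount  = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
        ReportingDC    = $data['SubjectUserName']
    }
} |
    Where-Object { [string]::IsNullOrEmpty($User) -or $_.LockedAccount -eq $User } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

One caveat for the wireless case in the original question: when the bad password arrives through NPS, the caller computer in 4740 may be the NPS server rather than the phone, so the next step is the NPS server's accounting log or the DC's failed-logon events for that account to find the actual client.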
- Wed, May 15 2013 at 3:04 pm #13777 Jim Jones (Moderator)
Great ideas guys, I’ll give these a shot the next time the issue arises.