Re: How to locate the source of an account being locked out?

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 01/28/05


Date: Thu, 27 Jan 2005 18:37:50 -0600

If you enable auditing of account management in Domain Controller Security
Policy and Domain Security Policy, account management for Event ID 644 will
be recorded when the account is locked out. You can then use Event Comb to
search for those events on domain controllers and domain computers to find
those events and it should help you track down the computer that is
initiating the lockout. Another thing you could try is to enable netlogon
logging and then check the netlogon log on the domain controller for failed
logons tracing back to the offending computer via transitive logon. Once you
find the problem computers you will have to see what the cause is. Usually
it is due to a user being logged onto multiple computers [including a
Terminal Services logon], cached application credentials, stored user
credentials for Windows XP, persistent mapped drives, Scheduled Tasks, or a
service using the user's domain credentials [probably not very likely]. The
links below will help. Note that MS recommends that the account lockout
threshold be no less than ten bad attempts assuming you enforce strong
passwords on the domain. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en

"Wayne Gore" <WayneGore@discussions.microsoft.com> wrote in message
news:264657F0-970A-4C3F-8A3A-FF8423B395BB@microsoft.com...
> Hi
>
> In our network we have about 40 domain controllers spread out on 35
> different sites. An IS user just contacted me and said that after he
> changed his password, his account was locking out a couple of times per
> day.
>
> How can I find the source where the account is being locked out?
>
> Regards
> Wayne
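
Added example, not part of the original post: a Python sketch of the netlogon-log approach described in the reply above, counting failed logons for one account per originating computer and relay server. The log line layout is an assumption modeled on typical netlogon.log `[LOGON]` entries, and every sample line (domain CORP, hosts, users jdoe and asmith) is constructed.

```python
import re
from collections import Counter

# NTSTATUS values of interest: STATUS_WRONG_PASSWORD, STATUS_ACCOUNT_LOCKED_OUT.
FAILURES = {"0xC000006A": "wrong password", "0xC0000234": "account locked out"}

# Assumed layout of a [LOGON] result line; "(via SERVER)" names the relaying server.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: "
    r"(?P<kind>Transitive Network|Network|Interactive) logon of "
    r"(?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# Constructed sample input, not taken from a real domain controller.
SAMPLE = r"""
01/27 09:14:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jdoe from WKS-017 (via FILESRV01) Entered
01/27 09:14:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jdoe from WKS-017 (via FILESRV01) Returns 0xC000006A
01/27 09:14:05 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jdoe from WKS-017 (via FILESRV01) Returns 0xC000006A
01/27 09:15:40 [LOGON] CORP: SamLogon: Network logon of CORP\asmith from WKS-101 Returns 0x0
01/27 09:16:11 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jdoe from TS-02 (via MAIL01) Returns 0xC0000234
01/27 09:16:30 [MISC] DsGetDcName function called
""".strip().splitlines()

def lockout_sources(lines, account):
    """Return [((source, via, reason), count), ...] for failed logons of account."""
    wanted = account.lower().split("\\")[-1]   # accept "DOMAIN\user" or "user"
    hits = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # "Entered" lines, other log sections, malformed lines
        status = "0x" + m["status"][2:].upper()
        user = m["account"].lower().split("\\")[-1]
        if status in FAILURES and user == wanted:
            source = m["source"].strip("\\").upper()
            hits[(source, m["via"] or "-", FAILURES[status])] += 1
    return hits.most_common()  # busiest source first

if __name__ == "__main__":
    for (source, via, reason), count in lockout_sources(SAMPLE, r"CORP\jdoe"):
        print(f"{count:3d}  {source:<10} via {via:<10} {reason}")
```

The computer with the most wrong-password entries is the first place to look for the stale credential causes listed in the reply.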


