Re: How to locate the source of an account being locked out?
From: Wayne Gore (WayneGore_at_discussions.microsoft.com)
Date: 01/28/05
- In reply to: Steven L Umbach: "Re: How to locate the source of an account being locked out?"
Date: Thu, 27 Jan 2005 23:39:04 -0800
Thanks for the information Steven.
I will see if I finally can find the source of my problem.
Cheers
Wayne
"Steven L Umbach" wrote:
> If you enable auditing of account management in Domain Controller Security
> Policy and Domain Security Policy, account management for Event ID 644 will
> be recorded when the account is locked out. You can then use Event Comb to
> search for those events on domain controllers and domain computers to find
> those events and it should help you track down the computer that is
> initiating the lockout. Another thing you could try is to enable netlogon
> logging and then check the netlogon log on the domain controller for failed
> logons tracing back to the offending computer via transitive logon. Once you
> find the problem computers you will have to see what the cause is. Usually
> it is due to a user being logged onto multiple computers [including a
> Terminal Services logon], cached application credentials, stored user
> credentials for Windows XP, persistent mapped drives, Scheduled Tasks, or a
> service using the user's domain credentials [probably not very likely]. The
> links below will help. Note that MS recommends that the account lockout
> threshold be no less than ten bad attempts assuming you enforce strong
> passwords on the domain. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
> http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en
>
> "Wayne Gore" <WayneGore@discussions.microsoft.com> wrote in message
> news:264657F0-970A-4C3F-8A3A-FF8423B395BB@microsoft.com...
> > Hi
> >
> > In our network we have about 40 domain controllers spread out on 35
> > different sites. An IS user just contacted me and said that after he
> > changed his password, his account was locking out a couple of times per day.
> >
> > How can I find the source where the account is being locked out?
> >
> > Regards
> > Wayne
>
>
>
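Added example, not part of the original thread: one way to work through the netlogon log step described in the quoted reply, tallying failed logons for one account by originating computer and relaying server. The log line layout, the sample lines and the names (`EXAMPLE`, `jdoe`, `WKS-017`, `lockout_sources`) are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout of a netlogon.log logon line (the thread does not show one):
# MM/DD HH:MM:SS [LOGON] SamLogon: [Transitive ]Network logon of DOM\user
#   from SOURCE (via RELAY) Returns 0xSTATUS
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?SamLogon: "
    r"(?:Transitive )?\w+ logon of "
    r"(?P<domain>[^\\\s]*)\\(?P<user>\S+) from (?P<source>\S*) "
    r"\(via (?P<via>\S+)\) Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# NTSTATUS values that matter when chasing a lockout.
FAILURES = {
    0xC000006A: "wrong password",      # STATUS_WRONG_PASSWORD
    0xC0000234: "account locked out",  # STATUS_ACCOUNT_LOCKED_OUT
}

def lockout_sources(lines, user):
    """Count failed logons for `user` per (source computer, relay, reason)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["user"].lower() != user.lower():
            continue  # "Entered" lines, other accounts, unrelated entries
        reason = FAILURES.get(int(m["status"], 16))
        if reason is None:
            continue  # success (0x0) or a status this example does not track
        hits[(m["source"] or "(unknown)", m["via"], reason)] += 1
    return hits.most_common()

# Constructed sample lines, not taken from a real domain controller.
SAMPLE_LOG = r"""
01/27 08:01:12 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\jdoe from WKS-017 (via FILESRV01) Entered
01/27 08:01:12 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\jdoe from WKS-017 (via FILESRV01) Returns 0xC000006A
01/27 08:01:40 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\jdoe from WKS-017 (via FILESRV01) Returns 0xC000006A
01/27 08:02:03 [LOGON] SamLogon: Network logon of EXAMPLE\asmith from WKS-044 (via WKS-044) Returns 0x0
01/27 08:02:10 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\jdoe from TS-02 (via MAIL01) Returns 0xC000006A
01/27 08:02:11 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\jdoe from WKS-017 (via FILESRV01) Returns 0xC0000234
""".strip().splitlines()

if __name__ == "__main__":
    for (source, via, reason), count in lockout_sources(SAMPLE_LOG, "jdoe"):
        print(f"{count:3d}  {source:<10} via {via:<10} {reason}")
```

The computer with the most wrong-password entries just before the locked-out status is the first place to check for the stale credentials listed in the reply.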