Re: How to locate the source of an account being locked out?

From: Wayne Gore (WayneGore_at_discussions.microsoft.com)
Date: 01/28/05


Date: Thu, 27 Jan 2005 23:39:04 -0800

Thanks for the information Steven.
I will see if I finally can find the source of my problem.

Cheers
Wayne

"Steven L Umbach" wrote:

> If you enable auditing of account management in Domain Controller Security
> Policy and Domain Security Policy, account management for Event ID 644 will
> be recorded when the account is locked out. You can then use Event Comb to
> search for those events on domain controllers and domain computers to find
> those events and it should help you track down the computer that is
> initiating the lockout. Another thing you could try is to enable netlogon
> logging and then check the netlogon log on the domain controller for failed
> logons tracing back to the offending computer via transitive logon. Once you
> find the problem computers you will have to see what the cause is. Usually
> it is due to a user being logged onto multiple computers [including a
> Terminal Services logon], cached application credentials, stored user
> credential for Windows XP, persistent mapped drives, Scheduled Tasks, or a
> service using the user's domain credentials [probably not very likely]. The
> links below will help. Note that MS recommends that the account lockout
> threshold be no less than ten bad attempts assuming you enforce strong
> passwords on the domain. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
> http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en
>
> "Wayne Gore" <WayneGore@discussions.microsoft.com> wrote in message
> news:264657F0-970A-4C3F-8A3A-FF8423B395BB@microsoft.com...
> > Hi
> >
> > In our network we have about 40 domain controllers spread out on 35
> > different sites. An IS user just contacted me and said that after he
> > changed his password, his account was locking out a couple of times per day.
> >
> > How can I find the source where the account is being locked out?
> >
> > Regards
> > Wayne
>
>
>

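The netlogon-log check described in the quoted reply, as an added example that is not part of either poster's message: a Python sketch that tallies failed logons for one account by originating computer, including the "(via ...)" hop on transitive logons. The log lines are constructed in the usual netlogon.log layout; the host names, the account names and the function name `lockout_sources` are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the netlogon.log layout; all names and times are made up.
SAMPLE_LOG = r"""
01/27 09:14:02 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-0412 Entered
01/27 09:14:02 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-0412 Returns 0xC000006A
01/27 09:15:10 [LOGON] SamLogon: Transitive Network logon of CORP\jsmith from TS-FARM01 (via FILESRV03) Returns 0xC000006A
01/27 09:15:11 [LOGON] SamLogon: Transitive Network logon of CORP\jsmith from TS-FARM01 (via FILESRV03) Returns 0xC000006A
01/27 09:15:12 [LOGON] SamLogon: Transitive Network logon of CORP\jsmith from TS-FARM01 (via FILESRV03) Returns 0xC000006A
01/27 09:15:13 [LOGON] SamLogon: Transitive Network logon of CORP\jsmith from TS-FARM01 (via FILESRV03) Returns 0xC0000234
01/27 09:16:00 [LOGON] SamLogon: Network logon of CORP\akhan from WKS-0099 Returns 0xC000006A
01/27 09:20:30 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS-0412 Returns 0x0
"""

# NTSTATUS values that matter when chasing a lockout.
FAILURES = {
    0xC000006A: "wrong password",      # STATUS_WRONG_PASSWORD
    0xC0000234: "account locked out",  # STATUS_ACCOUNT_LOCKED_OUT
}

# Only "Returns" lines carry a result; "Entered" lines are skipped by the pattern.
LINE = re.compile(
    r"^\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[LOGON\] .*?SamLogon: "
    r".+? logon of (?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

def lockout_sources(log_text, user):
    """Return [((source, via, reason), count), ...] for one account, busiest first."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        status = int(m["status"], 16)
        name = m["account"].rsplit("\\", 1)[-1]  # drop the DOMAIN\ prefix
        if name.lower() != user.lower() or status not in FAILURES:
            continue
        # "via" is the server that passed the logon through; "-" means direct.
        hits[(m["source"].upper(), m["via"] or "-", FAILURES[status])] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (source, via, reason), count in lockout_sources(SAMPLE_LOG, "jsmith"):
        print(f"{count:3d}  {source:<12} via {via:<10} {reason}")
```

With around 40 domain controllers, the same function can be run over each controller's log and the counters summed before ranking.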

