Account Lockout

[Guest]

Is there a utility that can be used to determine where a particular account
is getting locked out from. I have a user's account that is getting locked
out periodically. Most likely it's due to some service attempting to log in
under that users' account. The account has been getting locked out from time
to time since his last password change.

I don't want to have to search the security event logs from all the
computers and servers on our network. Is there an easier way?

TIA,
Ken

 

[Ryan Hanisco]

If you think it is an issue where there is a repeated failed logon, you can
see this if you turn on auditing of domain logons. In general, you should
have this on for both Failure and Success as it will alert you to a number
of potential problems/ threats.

Do this via a GPO and watch for failed logon attempts. Other than that, you
can go into more detailed auditing looking for changes to accounts, but this
will probably be unnecessary if you think this is just due to failed
attempts.

 

[Guest]

I have the auditing turned on. I was hoping there was a utility that could
prevent me from having to go to the 40+ servers and 70+ workstations
individually to look for the failed login attempts.

 

[ptwilliams]

There's a free MS utility re. lockouts.
--
http://www.microsoft.com/downloads/...1d-cd55-4829-a189-99515b0e90f7&DisplayLang=en

I've not got round to playing with it yet, so can't tell you if it's exactly
what you want or not.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


I have the auditing turned on. I was hoping there was a utility that could
prevent me from having to go to the 40+ servers and 70+ workstations
individually to look for the failed login attempts.

 

[Mark Renoden [MSFT]]

Hi

The tool that Paul points to is useful. I find it more useful in context
with some other tools:

http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Also review:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

What I generally do to troubleshoot these problems is:

1. Use lockoutstatus to determine which DC's the bad password attempts are
registering again.

2. Enable auditing (as per the document above) and look for lockout events.

3. From the lockout events, determine which clients they originate from.

4. Look at the frequency of events to determine if it's a user issue or
process driven.

5. If user related, educate user.

6. If process related, implement Alockout.dll to find the offending process.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Richard Mueller [MVP]]

Hi,

The tools referenced may be better, but I have used a script to find all
locked out users and for each show the DC that locked them out, when the
last bad password was attempted, and how many bad password attempts were
made on the DC. The program is linked here:

http://www.rlmueller.net/LockedUsers.htm

As noted, the output just flags the problems.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
--

Hi

The tool that Paul points to is useful. I find it more useful in context
with some other tools:

http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Also review:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

What I generally do to troubleshoot these problems is:

1. Use lockoutstatus to determine which DC's the bad password attempts are
registering again.

2. Enable auditing (as per the document above) and look for lockout events.

3. From the lockout events, determine which clients they originate from.

4. Look at the frequency of events to determine if it's a user issue or
process driven.

5. If user related, educate user.

6. If process related, implement Alockout.dll to find the offending process.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: (e-mail address removed)

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

There's a free MS utility re. lockouts.
--
http://www.microsoft.com/downloads/...1d-cd55-4829-a189-99515b0e90f7&DisplayLang=en

I've not got round to playing with it yet, so can't tell you if it's
exactly
what you want or not.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


I have the auditing turned on. I was hoping there was a utility that could
prevent me from having to go to the 40+ servers and 70+ workstations
individually to look for the failed login attempts.