Trace locked out account

  • Trace locked out account

    Some dumb user's account (um, it's mine) gets locked out 2-3 times per day and I can't get to the bottom of it.

    I'm a server admin so am constantly doing a lot of "stuff". I do know my account is not associated with any services or scheduled tasks.

    If I run Microsoft's lockoutstatus tool I do indeed see my account as locked out, and the DCs that list a bad PW count, but the event logs on these or any of my DCs show nothing.

    Via group policy we have 'audit account logon events' enabled for failures and 'audit account logon' fully enabled.

    Any hints on how to discover what box these bad pw attempts are coming from?

  • #2
    Re: Trace locked out account

    If there are no logon failures that are triggering the lockout, then maybe someone is manually disabling the account.

    What version of Windows are your DCs running? If it's 2008 then the auditing has been enhanced. It will audit changes, tell you the previous config, the current config, who made the change, etc. That may help in tracking down the issue.
    http://technet.microsoft.com/en-us/l...8WS.10%29.aspx
    Regards,
    Jeremy

    Network Consultant/Engineer
    Baltimore - Washington area and beyond
    www.gma-cpa.com

    • #3
      Re: Trace locked out account

      There's no way it's manual. Win2003 DC.

      • #4
        Re: Trace locked out account

        If it's not done manually then failure audits should be generated in the security log of the DC(s). If none are there then auditing isn't configured correctly.
        Regards,
        Jeremy

        Network Consultant/Engineer
        Baltimore - Washington area and beyond
        www.gma-cpa.com

        • #5
          Re: Trace locked out account

          Hi,

          We recently saw an issue with an account locking. We found out that the user had a disconnected session on the server and the password was reset.

          Once the disconnected session was killed, the account lock thing was resolved.

          • #6
            Re: Trace locked out account

            Also, check if you have any mapped network drives across the network which are still using your old password.

            • #7
              Re: Trace locked out account

              Thanks guys. Still have not got to the bottom of this, will post if I figure it out.

              I've already scanned my domain for all RDP sessions and logged out.

              I have no mapped drives on my workstation.

              I have not recently changed my PW.

              • #8
                Re: Trace locked out account

                Finally got this: it was a process on a Linux server I configured with my account. Kind of makes sense this non-domain box would not show up in MS logs.

                More specifically, in case anyone Googles this someday: it was a VMware virtual appliance called vMA; I had manually configured my vCenter server using the vifp addserver command.

                • #9
                  Re: Trace locked out account

                  Even though it's a Linux OS it's still authenticating against AD. So if the failure events were not showing on any of the DCs then auditing is not configured correctly to capture the account logon events.

                  Glad you were able to figure out the issue. Thanks for posting back.
                  Regards,
                  Jeremy

                  Network Consultant/Engineer
                  Baltimore - Washington area and beyond
                  www.gma-cpa.com
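
An added example, not part of the thread or any poster's code: once account logon failure auditing is actually reaching the DC security logs, the question "what box are the bad passwords coming from" becomes a tally of failure events per source. The event IDs are the standard Windows ones (2003 and 2008+ numbering) and do not come from the thread; the CSV column layout, the account name `jdoe` and the sample rows are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Event IDs that carry the origin of a failed or locking logon on a DC.
# First of each pair: Windows Server 2003 numbering; second: 2008 and later.
BAD_PASSWORD = {"675", "4771",   # Kerberos pre-authentication failed
                "680", "4776"}   # NTLM credential validation
LOCKED_OUT = {"644", "4740"}     # user account locked out
# Result codes meaning "wrong password" (Kerberos, then NTLM).
WRONG_PW_CODES = {"0x18", "0xc000006a"}

# Constructed sample: hypothetical CSV export, one row per security event
# collected from every DC. A Kerberos source is an IP address, so a
# non-Windows client shows up even though it has no workstation name.
SAMPLE = """time,dc,event_id,account,source,code
2011-03-01T09:00:01,DC1,675,jdoe,10.0.5.20,0x18
2011-03-01T09:00:06,DC1,675,jdoe,10.0.5.20,0x18
2011-03-01T09:00:09,DC2,680,jdoe,WKS-ADMIN01,0xC000006A
2011-03-01T09:00:11,DC1,675,jdoe,10.0.5.20,0x18
2011-03-01T09:00:11,DC1,644,jdoe,,
2011-03-01T09:00:15,DC1,675,jdoe,10.0.5.20,0x12
2011-03-01T09:01:00,DC2,680,jdoe,WKS-ADMIN01,0x0
2011-03-01T09:02:00,DC1,675,asmith,10.0.5.31,0x18
"""

def trace_lockout_sources(csv_text, account):
    """Return (bad-password count per source, list of lockout records)."""
    failures, lockouts = Counter(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["account"].lower() != account.lower():
            continue
        # The source field may be empty; keep such rows visible.
        source = row["source"].strip() or "(blank)"
        if row["event_id"] in LOCKED_OUT:
            lockouts.append((row["time"], row["dc"], source))
        elif (row["event_id"] in BAD_PASSWORD
              and row["code"].lower() in WRONG_PW_CODES):
            failures[source] += 1
    return failures, lockouts

if __name__ == "__main__":
    failures, lockouts = trace_lockout_sources(SAMPLE, "jdoe")
    for source, count in failures.most_common():
        print(f"{count:3d} bad-password events from {source}")
    for when, dc, caller in lockouts:
        print(f"locked out at {when} on {dc}, caller machine {caller}")
```

If the tally comes back empty on every DC while the bad password count still climbs, the failure events are not being written, which points back at the audit policy rather than at the client.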
