Account lock-outs on AD.


  • Account lock-outs on AD.

    Our support desk has been experiencing a number of consistent account lock-outs for some time now. It appears to be the same users all the time, of which there are around 10.

    The other 400+ users don't experience the problem.

    This is a Windows 2003 AD Domain with around 55 DCs; the above users with problems aren't using the same DC to authenticate.

    Any ideas where to look or what to look at because event logs don't really reveal anything and our Windows engineers have run out of ideas?

  • #2
    Re: Account lock-outs on AD.

    There are many things to consider in this scenario, such as a virus, any scheduled task running on behalf of those accounts, any service running under those accounts, etc.

    If this is happening after changing the password for those users, then the chances of the above are high. If not, then check out the 2nd method.

    Use the account lockout and management tool set from Microsoft. You can use LockoutStatus.exe to identify from which particular DC these lockouts are first reported or coming from. Then use EventCombMT.exe to identify the IP addresses of the workstations or servers from where it's generating the invalid logins. Consolidate the IPs and check the systems for scheduled tasks, services, anti-virus signatures, etc.






    • #3
      Re: Account lock-outs on AD.

      Thanks for the reply.

      These are user accounts and most definitely not service accounts; one of the problem users is our department head.

      I'm not familiar with EventCombMT. Could you explain briefly how I should use it?



      • #4
        Re: Account lock-outs on AD.

        I am not talking about service accounts, but users with admin rights can also run a service under their account in the logon option.

        Open EventCombMT.exe (double-click) on a member server, specify the domain name, then click Searches -> Built In Searches -> and select "Account Lockouts". In the log files to search, select "Security", and in event types select all that apply, such as failure audit, error, warning, etc.

        A file will be generated. Take out the IP addresses and see from which IP the maximum lockouts are coming.

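The tallying step described in post #4 (pull the sources out of the EventCombMT output file and see which one generates the most failures for a locked-out user), as an added example that is not part of the original thread. The sample lines and their comma-separated layout are constructed, and the field labels the regexes rely on are assumed to match the Windows Server 2003 descriptions for events 529, 644 and 675.

```python
import re
from collections import Counter

# Account the event is about; "Caller User Name" (the reporting DC) is skipped.
USER_RE = re.compile(r"(?:(?<!Caller )User Name|Target Account Name):\s*(\S+)")
# Where the bad attempt came from: an IP (529/675) or a machine name (644).
SOURCE_RE = re.compile(
    r"(?:Client Address|Source Network Address|Caller Machine Name):\s*(\S+)")

# Constructed sample input (hypothetical users, hosts and addresses).
PREFIX = "AUDIT FAILURE,Security,Mon Mar 03 08:01:12 2008,NT AUTHORITY\\SYSTEM,"
KRB_FAIL = ("675," + PREFIX + "Pre-authentication failed: User Name: jsmith "
            "Service Name: krbtgt/EXAMPLE Failure Code: 0x18 "
            "Client Address: 10.0.5.21")
SAMPLE_LINES = [
    "EventID,Type,Source,Time,User,Description",  # header: no fields, ignored
    *[KRB_FAIL] * 3,
    "529," + PREFIX + "Logon Failure: Reason: Unknown user name or bad password "
    "User Name: JSmith Domain: EXAMPLE Logon Type: 3 "
    "Source Network Address: 10.0.5.40",
    "644," + PREFIX + "User Account Locked Out: Target Account Name: jsmith "
    "Caller Machine Name: WKS-0421 Caller User Name: DC01$",
    "675," + PREFIX + "Pre-authentication failed: User Name: adoe "
    "Service Name: krbtgt/EXAMPLE Failure Code: 0x18 Client Address: 10.0.7.9",
]

def rank_sources(lines, accounts):
    """Count events per (account, source) for the given accounts, busiest first."""
    wanted = {a.lower() for a in accounts}
    hits = Counter()
    for line in lines:
        user, src = USER_RE.search(line), SOURCE_RE.search(line)
        if not user or not src:
            continue  # header or an event without a usable source field
        name = user.group(1).lower()  # account names are case-insensitive
        if name in wanted:
            hits[(name, src.group(1))] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (account, source), count in rank_sources(SAMPLE_LINES, ["jsmith"]):
        print(f"{account:10} {source:15} {count}")
```

The source at the top of the list is the machine to check first for scheduled tasks, services or other software still presenting an old password.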


        • #5
          Re: Account lock-outs on AD.

          Hi mate,

          I had the same problem at my company of about 700 users; about 5 were experiencing this problem.

          In my case I found that every time Adobe updater was trying to update, it would lock up the user's account. It kept trying to update, hence the account kept being locked out.

          I stopped the Adobe Updater.exe process and that fixed it. I then uninstalled all Adobe updater software, but the next day it happened again, so I checked Task Manager and there it was again, Adobe Updater, so I deleted the source of the exe file and that fixed it.

          Dan



          • #6
            Re: Account lock-outs on AD.

            Bleek,

            What's the situation now? Have you found the cause of it?
