
Troubleshooting domain account lockout


Post by blin » Wed Apr 13, 2016 2:27 pm

Situation: We are running Windows 2008 R2 as DC. Recently, our boss's account keeps getting locked out. Sometimes, after we unlock the account, it locks again in just 5 minutes.
1. The Audit Policy: Success and Failure have been enabled in the Default Group Policy.
2. When searching for the user's first name and Failure in the Security Event Viewer, it shows ID 4776, but it doesn't give the caller computer. It gives only the Credential Validation computer.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/13/2016 9:17:40 AM
Event ID: 4776
Task Category: Credential Validation
Level: Information
Keywords: Audit Failure
User: N/A
Computer: dc1.chicagotech.net
Description:
The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: 50028
Source Workstation: bob-PC
Error Code: 0xc0000070

3. Have the user restart all his computers and mobile devices.

Resolution: Search for Event ID 4740, which is an Audit Success event meaning "A user account was locked out"; it will point to the caller computer. For example,
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 4/13/2016 10:03:39 AM
Event ID: 4740
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: dc1.chicagotech.net
Description:
A user account was locked out.

Subject:
Security ID: SYSTEM
Account Name: DC02$
Account Domain: chicagotech
Logon ID: 0x3e7

Account That Was Locked Out:
Security ID: chicagotech\blin
Account Name: blin

Additional Information:
Caller Computer Name: bob-pc2
How to Configure and Troubleshoot Cisco
http://www.howtocisco.com

Tablet and Smartphone Setup Guide
http://www.quicksetupguide.com
blin
Site Admin
 
Posts: 3643
Joined: Wed Dec 31, 1969 7:00 pm
Location: Chicago, USA
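
An added example (not part of the original post) of the lookup described above: it reads 4740 and 4776 events as XML, pulls out the locked-out account and the caller computer, and lists the failed 4776 validations beside the lockout. `Get-WinEvent` and `ToXml()` are standard PowerShell; the function names `ConvertFrom-AuthEventXml` and `New-SampleXml` and every account, host and time value in the sample are constructed for illustration.

```powershell
# Added example. Sample events are constructed; on a DC feed live events instead:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740,4776} |
#       ForEach-Object { $_.ToXml() } | ConvertFrom-AuthEventXml
$StatusText = @{                      # NTSTATUS codes shown as "Error Code" in 4776
    '0xc0000064' = 'user name does not exist'
    '0xc000006a' = 'wrong password'
    '0xc0000070' = 'workstation restriction'
    '0xc0000071' = 'password expired'
    '0xc0000072' = 'account disabled'
    '0xc0000234' = 'account locked out'
}

function ConvertFrom-AuthEventXml {   # hypothetical helper name
    param([Parameter(ValueFromPipeline)][string]$Xml)
    process {
        $e = ([xml]$Xml).Event
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $id = [int]$e.System.EventID
        if ($id -eq 4740) {
            # In the 4740 XML, "Caller Computer Name" is stored in TargetDomainName.
            $source = $d.TargetDomainName
            $detail = "locked out, reported by $($d.SubjectUserName)"
        } elseif ($id -eq 4776 -and $d.Status -ne '0x0') {   # 0x0 = successful validation
            $source = $d.Workstation
            $detail = "failed validation $($d.Status) $($StatusText[$d.Status])"
        } else { return }
        [pscustomobject]@{ Time = $e.System.TimeCreated.SystemTime; Id = $id
                           Account = $d.TargetUserName; Source = $source; Detail = $detail }
    }
}

function New-SampleXml($Id, $Time, [hashtable]$Data) {   # builds constructed test events
    $fields = ($Data.GetEnumerator() |
        ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System>" +
    "<EventID>$Id</EventID><TimeCreated SystemTime='$Time'/></System>" +
    "<EventData>$fields</EventData></Event>"
}

$sample = @(
    New-SampleXml 4776 '2016-04-13T14:01:10Z' @{ TargetUserName='jdoe'; Workstation='WS-02'; Status='0xc000006a' }
    New-SampleXml 4776 '2016-04-13T14:01:25Z' @{ TargetUserName='jdoe'; Workstation='WS-01'; Status='0x0' }
    New-SampleXml 4776 '2016-04-13T14:01:40Z' @{ TargetUserName='jdoe'; Workstation='WS-02'; Status='0xc000006a' }
    New-SampleXml 4740 '2016-04-13T14:02:05Z' @{ TargetUserName='jdoe'; TargetDomainName='WS-02'; SubjectUserName='DC02$' }
)
$sample | ConvertFrom-AuthEventXml | Sort-Object Time | Format-Table -AutoSize
```

Event 4740 is written on the domain controller that processed the lockout, so run the live query against each DC (the PDC emulator is the usual first stop) when the event is not found on the one you checked.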

Re: Troubleshooting domain account lockout

Post by blin » Wed Apr 13, 2016 3:35 pm

References: quoted from Microsoft:

Client side
Perform the below steps on client side (Local desktop / Laptop)
• Check if a local user account is present with the same name as the AD account. If the same ID is available, rename the local ID to some other ID.
• Clear temporary files.
• Delete cookies / temp files / history / saved passwords / forms from all the browsers.
• Start –> Run –> Temp –> Delete all temp files.
• Start –> Run –> Prefetch –> Delete all Prefetch files.
• Remove mapped drives from My Computer. My Computer –> Right click on Shared drive –> click on Disconnect
• If Adobe Reader is installed, it will be trying to check for the latest update in the background. Delete the Adobe updater file from the below path: delete the AdobeUpdater.dll file in the folder C:\Program Files\Adobe\Reader version \Reader
• Remove stored passwords from Control Panel
• Start –> Run –> Type Control UserPasswords2, click on Advanced managed passwords and delete all the passwords
• Remove unwanted applications from startup (Run –> msconfig –> startup –> Uncheck unwanted software)
• Scan the entire HDD and update the antivirus agent
• Check the third-party software installed on the client side. If it's not required, uninstall.
• Open the Task Scheduler (Run –> Tasks) and delete the unwanted tasks. (Most of the time, Automatic backup / Google Update / Apple Updates will be installed by default.) Remove all.
• Uninstall auto-update software in Control Panel (you can update this software manually)
• If the user's account acts as a service account, update the latest password in the service.
• User's account used as an IIS application pool identity.

Mobile Devices
Perform the below steps on Mobile devices / Smart phone (BYOD)
If the user recently changed the password and forgot to update it on mobile devices, that causes the account lockout for the user ID.
Does the user involved have a smartphone or some kind of mobile device using AD credentials for connecting (like Exchange)? If it fails to connect 3 times (depending on your GPOs), it locks his account. Have a look at all his stuff using his user account automatically, especially his mobile (90% of the time guilty).
• Go to account settings on the mobile device and update the latest password.
• Reboot the device if required.
• If the issue persists, delete and reconfigure the device.
• If you found that the account is getting locked from a mobile device and are unable to fix it by performing the above steps, take the necessary backup, wipe the device completely and reconfigure the device.

Server / Active Directory
Use the below tools to find out the source of the account lockout - On Server
1. Account Lockout and Management Tool.
http://www.microsoft.com/download/en/de ... n&id=18465
2. Netwrix is also a good tool to find out account lockout.
https://www.netwrix.com/account_lockout_examiner.html
3. Troubleshooting Account Lockouts the PSS way
http://blogs.technet.com/b/instan/archi ... s-way.aspx
4. Use account lockout tools to find out more information,
http://technet.microsoft.com/en-us/libr ... 8772(WS.10).aspx
5. Refer to the below article for best practices and standards
http://technet.microsoft.com/en-us/libr ... 3155(WS.10).aspx
6. Track the account lockouts using the checked Netlogon.dll
http://support.microsoft.com/kb/189541

Re: Troubleshooting domain account lockout

Post by blin » Wed Apr 13, 2016 3:37 pm

Also please refer to these pages:

Logon Failure: Account locked out - ChicagoTech.net
http://www.chicagotech.net/troubleshooting/event539.htm
Event ID 539 - Logon Failure: Account locked out. Windows Logon Types. Symptoms: The server Event Viewer lists Event ID 539: Logon Failure: Reason: ...

One account locked every 5 minutes - ChicagoTech.net
chicagotech.net › Board index › IT Forums › Security
Jul 2, 2012 - 3 posts - 1 author
One of our Mac user accounts is locked every 5 minutes. She only uses Outlook 2011. I try to check Security Event, but there are so many ...

Domain account locked out repeatedly - ChicagoTech.net
http://www.chicagotech.net/netforums/vi ... f=1&t=6882
Jul 15, 2009 - 6 posts
shows me, that his domain user account is locked out. When I unlock ... I have the default settings for the account lockout policy, threshold of 3,

Referenced account is currently locked out - ChicagoTech.net
chicagotech.net › Board index › IT Forums › Security
Feb 4, 2016 - 2 posts - 1 author
Situation: When attempting to login a computer using domain account, you may receive this message: "The referenced account is currently ...

Solved: Locked out Account - ChicagoTech.net
www.chicagotech.net › ... › IT Forums › VPN, TS and Remote Access
Jan 11, 2007 - 9 posts - 1 author
I have SBS2003 - one account gets locked out after changing the password. When I force the unlock by logging in as Administrator and logging out.

