    Active Directory - Finding Source Of Repeated Lockouts

    IT Discussion. Tags: active directory, gpo, group policy
    • anthonyh

      I have an account that is being repeatedly locked out. The user recently changed their password, so I'm pretty sure there is something out there still trying to authenticate using their old credentials. I've been analyzing the Security log on both of our DCs (Server 2016), but it's not super helpful. I see Audit Failures, but these are attempts after the account has become locked. I am having a hard time finding the login event that triggers the lockout. Various articles I've read say to look for event 4740, but these don't seem to exist in the Security log on either DC. Is there some additional logon auditing I need to enable via GPO?

      • EddieJennings @anthonyh

        @anthonyh said in Active Directory - Finding Source Of Repeated Lockouts:

        Is there some additional logon auditing I need to enable via GPO?

        Yes. I can't remember what is off the top of my head. If I have time this evening, I'll look it up.

        • black3dynamite

          https://silentcrash.com/2018/06/using-powershell-to-trace-the-source-of-account-lockouts-in-active-directory/

          • wrx7m

            Mapped network drives? ActiveSync device?

            You can also check out Netwrix AD Lockout Examiner.
            https://www.netwrix.com/account_lockout_examiner.html

            Used it in the past and found it was usually those two.

            • anthonyh @black3dynamite

              @black3dynamite said in Active Directory - Finding Source Of Repeated Lockouts:

              https://silentcrash.com/2018/06/using-powershell-to-trace-the-source-of-account-lockouts-in-active-directory/

              This script outputs something, but I'm not sure how to interpret it. It's, uh, odd. It shows the User Name as "S-1-5-18" and the Source Host as "[OURPDC]$"

              • anthonyh @wrx7m

                @wrx7m said in Active Directory - Finding Source Of Repeated Lockouts:

                Mapped network drives? ActiveSync device?

                You can also check out Netwrix AD Lockout Examiner.
                https://www.netwrix.com/account_lockout_examiner.html

                Used it in the past and found it was usually those two.

                I came across that tool, but I'm hesitant to give them my email address. I get enough marketing nonsense as it is, haha.

                • Dashrender @anthonyh

                  @anthonyh said in Active Directory - Finding Source Of Repeated Lockouts:

                  @wrx7m said in Active Directory - Finding Source Of Repeated Lockouts:

                  Mapped network drives? ActiveSync device?

                  You can also check out Netwrix AD Lockout Examiner.
                  https://www.netwrix.com/account_lockout_examiner.html

                  Used it in the past and found it was usually those two.

                  I came across that tool, but I'm hesitant to give them my email address. I get enough marketing nonsense as it is, haha.

                  GOOD CALL!

                  Make a Google account and use that. The tool is worth it.

                  • anthonyh @Dashrender

                    @Dashrender said in Active Directory - Finding Source Of Repeated Lockouts:

                    @anthonyh said in Active Directory - Finding Source Of Repeated Lockouts:

                    @wrx7m said in Active Directory - Finding Source Of Repeated Lockouts:

                    Mapped network drives? ActiveSync device?

                    You can also check out Netwrix AD Lockout Examiner.
                    https://www.netwrix.com/account_lockout_examiner.html

                    Used it in the past and found it was usually those two.

                    I came across that tool, but I'm hesitant to give them my email address. I get enough marketing nonsense as it is, haha.

                    GOOD CALL!

                    Make a Google account and use that. The tool is worth it.

                    Alright, I'll do that. 😄

                    • PhlipElder @anthonyh

                      @anthonyh said in Active Directory - Finding Source Of Repeated Lockouts:

                      I have an account that is being repeatedly locked out. The user recently changed their password, so I'm pretty sure there is something out there still trying to authenticate using their old credentials. I've been analyzing the Security log on both of our DCs (Server 2016), but it's not super helpful. I see Audit Failures, but these are attempts after the account has become locked. I am having a hard time finding the login event that triggers the lockout. Various articles I've read say to look for event 4740, but these don't seem to exist in the Security log on either DC. Is there some additional logon auditing I need to enable via GPO?

                      Some resources for you:

                      https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad
                      https://jackstromberg.com/2013/03/finding-the-source-to-something-that-keeps-locking-a-domain-user/
                      https://support.microsoft.com/en-us/help/4469275/introduction-to-the-account-lockout-and-management-tools
                      https://www.microsoft.com/en-us/download/details.aspx?id=15201 (LockoutStatus.EXE tool)
                      https://www.netwrix.com/account_lockout_examiner.html

                      • manxam @anthonyh

                        @anthonyh : for the next time you need a "throwaway" email account 🙂

                        https://temp-mail.org/en/
                        https://10minutemail.com/10MinuteMail/index.html

                        • Obsolesce

                          You should have auditing enabled so you can look at the security logs to find out exactly what's going on.

                          • Dashrender

                            Can we get some tags added? @scottalanmiller

                            • petergregg85 @anthonyh

                              @anthonyh

                              Lepide have a new Account Lockout Examiner freeware that may help you on this.

                              Otherwise, get help from this article, which shows you how to troubleshoot account lockout issues using LockoutStatus, EventCombMT and Netlogon.

                              Are you sure you enabled the audit policy?
                              Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management → Audit User Account Management → Define → Success and Failure.

                              Try running this on a DC:

                              auditpol /get /category:Logon/Logoff

                              Do you see "Account Lockout" set to Success and Failure?

                              Most of the time, it's ActiveSync that I have seen lock out the user's account.

                              Did you try clearing out cached credentials?

                              Steps to track locked out accounts and find the source of Active Directory account lockouts: https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html

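The steps above (confirm the audit subcategory, then read the lockout events) can be done in one place from a DC. The script below is an added example written for this thread; it is not from any of the posters or the linked articles. It assumes the ActiveDirectory RSAT module is available, that the caller can read the Security log on the DCs, and that auditpol is run on a DC. It also explains the odd output anthonyh saw from the silentcrash script: in event 4740 the Subject is always SYSTEM (S-1-5-18) and the DC that wrote the event is the PDC emulator, so those two fields are not the source; the "Caller Computer Name" is carried in the TargetDomainName data field. The 4771/4776 part goes a step beyond the post and needs the "Audit Kerberos Authentication Service" and "Audit Credential Validation" subcategories enabled.

```powershell
# Added example (not code from the thread or the linked tools).
# Assumptions: RSAT ActiveDirectory module present; run on a DC with rights to
# read the Security log on every DC.
#Requires -Modules ActiveDirectory

function Test-LockoutAuditing {
    # 4740 is only written when "Audit User Account Management" is on.
    # auditpol /r prints CSV; "Inclusion Setting" is e.g. "Success and Failure" or "No Auditing".
    auditpol /get /subcategory:"User Account Management" /r |
        Where-Object { $_ -ne '' } |
        ConvertFrom-Csv |
        ForEach-Object {
            [PSCustomObject]@{
                Subcategory = $_.Subcategory
                Setting     = $_.'Inclusion Setting'
                Enabled     = $_.'Inclusion Setting' -ne 'No Auditing'
            }
        }
}

function ConvertFrom-EventData {
    # Turn the <EventData><Data Name="..."> elements of an event into a hashtable.
    param([Parameter(Mandatory)]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-LockoutSource {
    # Lockout events (4740) are always logged on the PDC emulator, whichever DC
    # received the bad password, so query only that DC.
    param([string]$UserName, [int]$Hours = 24)   # sAMAccountName; omit for all accounts
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertFrom-EventData $e
        if ($UserName -and $d['TargetUserName'] -ne $UserName) { continue }
        [PSCustomObject]@{
            Time           = $e.TimeCreated
            LockedAccount  = $d['TargetUserName']   # the account that got locked
            CallerComputer = $d['TargetDomainName'] # "Caller Computer Name" in Event Viewer
            Subject        = $d['SubjectUserSid']   # always S-1-5-18 (SYSTEM) for 4740
            LoggedOnDC     = $e.MachineName         # the PDC emulator, not the source
        }
    }
}

function Get-BadPasswordAttempt {
    # The attempts that lead to the lockout are logged on the DC that handled them:
    # 4771 (Kerberos pre-auth failed) carries IpAddress, 4776 (NTLM) carries Workstation.
    # Status 0x18 (Kerberos) / 0xC000006A (NTLM) = wrong password;
    # 0x12 / 0xC0000234 = account already locked (the "after the fact" failures).
    param([Parameter(Mandatory)][string]$UserName, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $d = ConvertFrom-EventData $e
            if ($d['TargetUserName'] -ne $UserName) { continue }
            [PSCustomObject]@{
                Time    = $e.TimeCreated
                DC      = $dc
                EventId = $e.Id
                Source  = if ($e.Id -eq 4771) { $d['IpAddress'] } else { $d['Workstation'] }
                Status  = $d['Status']
            }
        }
    }
}

# Usage (account name is a placeholder):
Test-LockoutAuditing
Get-LockoutSource -UserName 'jdoe' -Hours 48 | Format-Table -AutoSize
Get-BadPasswordAttempt -UserName 'jdoe' -Hours 48 | Sort-Object Time | Format-Table -AutoSize
```

If Test-LockoutAuditing reports "No Auditing", the absence of 4740 in both DCs' Security logs is expected; enable the subcategory through the GPO path quoted above and wait for the next lockout. Note that `auditpol /get /category:Logon/Logoff` shows a different subcategory (Account Lockout), which governs the 4625 failures for already-locked accounts rather than the 4740 event itself.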
                              • anthonyh @manxam

                                @manxam said in Active Directory - Finding Source Of Repeated Lockouts:

                                @anthonyh : for the next time you need a "throwaway" email account 🙂

                                https://temp-mail.org/en/
                                https://10minutemail.com/10MinuteMail/index.html

                                Heh...I actually ended up using temp-mail.org

                                • anthonyh @petergregg85

                                  @petergregg85 said in Active Directory - Finding Source Of Repeated Lockouts:

                                  @anthonyh

                                  Lepide have a new Account Lockout Examiner freeware that may help you on this.

                                  Otherwise, get help from this article, which shows you how to troubleshoot account lockout issues using LockoutStatus, EventCombMT and Netlogon.

                                  Are you sure you enabled the audit policy?
                                  Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management → Audit User Account Management → Define → Success and Failure.

                                  Try running this on a DC:

                                  auditpol /get /category:Logon/Logoff

                                  Do you see "Account Lockout" set to Success and Failure?

                                  Most of the time, it's ActiveSync that I have seen lock out the user's account.

                                  Did you try clearing out cached credentials?

                                  Steps to track locked out accounts and find the source of Active Directory account lockouts: https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html

                                  Here's what I get when I run auditpol /get /category:Logon/Logoff

                                  [screenshot: output of auditpol /get /category:Logon/Logoff]

                                  Should I enable any other categories for auditing?

                                  • anthonyh @PhlipElder

                                    @PhlipElder said in Active Directory - Finding Source Of Repeated Lockouts:

                                    @anthonyh said in Active Directory - Finding Source Of Repeated Lockouts:

                                    I have an account that is being repeatedly locked out. The user recently changed their password, so I'm pretty sure there is something out there still trying to authenticate using their old credentials. I've been analyzing the Security log on both of our DCs (Server 2016), but it's not super helpful. I see Audit Failures, but these are attempts after the account has become locked. I am having a hard time finding the login event that triggers the lockout. Various articles I've read say to look for event 4740, but these don't seem to exist in the Security log on either DC. Is there some additional logon auditing I need to enable via GPO?

                                    Some resources for you:

                                    https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad
                                    https://jackstromberg.com/2013/03/finding-the-source-to-something-that-keeps-locking-a-domain-user/
                                    https://support.microsoft.com/en-us/help/4469275/introduction-to-the-account-lockout-and-management-tools
                                    https://www.microsoft.com/en-us/download/details.aspx?id=15201 (LockoutStatus.EXE tool)
                                    https://www.netwrix.com/account_lockout_examiner.html

                                    Funny story, I downloaded the Account Lockout Tools from Microsoft and have been using LockoutStatus to track when this user's account became locked out. However, the Security log on either DC has been less than helpful.

                                    I downloaded the Account Lockout Examiner from Netwrix and am going to put that on a box to test drive.

                                    • anthonyh

                                      A quick update for y'all that are watching/participating in this thread (thank you, by the way!).

                                      Late Friday I realized where the lockouts were coming from. We have a Windows VM that has a suite of applications that folks need to use every blue moon or so, and they access the VM via RDP. Of course, users don't log out, they just close the RDP client (I am going to fix this). The user in question had an old logon session on this VM. Killing the user's session (I just rebooted the VM) seems to have done the trick.

                                      Now the goal is to better position myself for the next time this happens. I also figure it's probably not a bad idea to have more visibility on account lockouts and where they are coming from in general.

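The root cause in the update above was a disconnected RDP session holding the old password. The following is an added example, not anthonyh's code, for checking a host for such sessions without rebooting it; it assumes the caller has rights to query and log off sessions on the target, and the host name is a placeholder.

```powershell
# Added example (not from the thread). Lists sessions on a host by parsing the
# fixed-width table that quser prints, so stale "Disc" sessions can be found
# and ended individually instead of rebooting the VM.
# Assumptions: caller can query sessions on the target; host name is a placeholder.

function Get-RdpSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    $lines = quser /server:$ComputerName 2>$null
    if (-not $lines) { return }                     # unreachable host or no sessions
    foreach ($line in ($lines | Select-Object -Skip 1)) {   # skip the header row
        # Columns are separated by two or more spaces. A disconnected session has an
        # empty SESSIONNAME column, so the row splits into 5 parts instead of 6.
        $parts = ($line.Trim() -replace '^>', '') -split '\s{2,}'
        if ($parts.Count -eq 5) {
            $user, $id, $state, $idle, $logon = $parts
            $session = ''
        } else {
            $user, $session, $id, $state, $idle, $logon = $parts
        }
        [PSCustomObject]@{
            Computer  = $ComputerName
            User      = $user
            Session   = $session
            Id        = [int]$id
            State     = $state          # 'Active' or 'Disc'
            IdleTime  = $idle
            LogonTime = $logon
        }
    }
}

function Get-StaleRdpSession {
    # Disconnected sessions for one user (or all users when -UserName is omitted).
    param([Parameter(Mandatory)][string]$ComputerName, [string]$UserName)
    Get-RdpSession -ComputerName $ComputerName |
        Where-Object { $_.State -eq 'Disc' -and (-not $UserName -or $_.User -eq $UserName) }
}

# Usage (host and account are placeholders). Ending the session is done with the
# built-in logoff tool, one session ID at a time, so active users are untouched.
$stale = Get-StaleRdpSession -ComputerName 'APPVM01' -UserName 'jdoe'
$stale | Format-Table -AutoSize
foreach ($s in $stale) { logoff $s.Id /server:$s.Computer }
```

To keep this from recurring, the "Set time limit for disconnected sessions" policy under Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits ends disconnected sessions automatically, so a closed RDP window stops replaying a password the user has since changed.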