Sunday, February 16, 2014

Why AD User account locked out

Why is my account locked out so frequently?
This is one of the most common questions: users complain that their account is being locked out even though they did not mistype their password.
Today I will talk about this problem and how you can fix it. I have seen a lot of blogs and tools that report where the account is being locked from, but in some cases you need to know more.

The first question is: from where is this account being locked out?
There are several tools (some free, some paid) that can tell you from which computer or device this account is getting locked.
One of the simplest ways, and it is free, is to search the Domain Controller Security event log for the following:
Event ID: 4740
Event source: Microsoft Windows security auditing
This is what you will see in that log:

Notice that the Caller Computer Name is the computer or device that caused the account to be locked. In my case it is Win7x86.
Now we have the computer name, but where on this computer should you search? There are several places that could have the old or wrong password saved. It could be:
  1. Mapped drive
  2. Scheduled task
  3. Windows service
  4. Saved credentials in the user's Credential Manager in Control Panel
  5. Password for a mail account that is stored on the user's mobile device
  6. and several other locations.
To save some time there is a good tool (free trial), Account Lockout Examiner, for querying the computer name that is causing the account lockout; it also performs some basic checks on the target machine to analyze what may be causing the lockout (scheduled tasks, mapped drives, Windows services, ...).

This seems good, but it does not always give you the right answer.
Sometimes it is something else, not a Windows service or scheduled task or any of the built-in fixes. So what should you do?
In this case you will need to monitor failure audits for:
- Audit process tracking (not required, but it will give you more information)
- Audit logon events
Run Gpedit.msc on the local computer and navigate to:
Windows Settings \ Security Settings \ Local Policies \ Audit Policy

From there, double-click Audit logon events and check both Success and Failure.
Sit back and relax, wait for the next lockout, and once it happens review the client machine's Security log and check the failed logon entries. You will see something like this:

As you can see, in my case the process that is using the old password is the SharePoint Search component (mssdmn.exe), so simply update the password in the SharePoint site.
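The two steps above (find the Caller Computer Name in the DC's 4740 events, then find the failing process on that computer) can be scripted. The following PowerShell is an added example, not code from the original post; it assumes `$DomainController` is your PDC emulator, that you can read the Security log on the caller computer remotely, and it uses Event ID 4625 (failed logon), which is the event the "Audit logon events: Failure" setting produces on Windows Vista and later.

```powershell
# Added example, not part of the original post: automate the two steps above.
# Assumptions: $DomainController is the PDC emulator (it records every lockout
# in the domain) and the Security log on the caller computer is readable remotely.
param(
    [Parameter(Mandatory)][string]$UserName,
    [string]$DomainController = 'DC01',    # placeholder, replace with your PDC emulator
    [int]$Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)

# Turn an event's EventData section into a name -> value hashtable.
function Get-EventData($Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Step 1: Event ID 4740 on the DC. In this event the locked account is in
# TargetUserName and the "Caller Computer Name" is stored in TargetDomainName.
$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Caller = $d['TargetDomainName'] }
    } | Where-Object { $_.User -eq $UserName }

if (-not $lockouts) { Write-Host "No 4740 events for $UserName in the last $Hours hours"; return }
$lockouts | Format-Table -AutoSize

# Step 2: on each caller computer, list failed logons (Event ID 4625) for the
# account. With "Audit logon events: Failure" enabled, Caller Process Name
# (ProcessName) identifies the local process that presented the bad password,
# e.g. a service or scheduled task; it is empty for network-originated attempts.
foreach ($caller in ($lockouts.Caller | Sort-Object -Unique)) {
    Get-WinEvent -ComputerName $caller -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d['TargetUserName'] -eq $UserName) {
                [pscustomobject]@{ Computer = $caller; Time = $_.TimeCreated
                    LogonType = $d['LogonType']; Process = $d['ProcessName']; Status = $d['SubStatus'] }
            }
        } | Format-Table -AutoSize
}
```

The Status column is the NTSTATUS SubStatus of the failure (for example 0xC000006A for a wrong password), which helps confirm that the entries you are looking at are stale-credential attempts rather than some other logon failure.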

This is the best way to put your finger on the root cause. I hope you like it.


Anonymous said...

I really like what you guys are up to. This type of clever work
and exposure! Keep up the very good works guys I've you guys to

Anonymous said...

Appreciating the persistence you put into your website and in depth information you offer.

It's awesome to come across a blog every once in a
while that isn't the same unwanted rehashed information. Fantastic read!
I've bookmarked your site and I'm including your
RSS feeds to my Google account.