Sign in with
Sign up | Sign in
Your question

Account Lockout

Last response: in Windows 2000/NT
Share
Anonymous
November 30, 2004 3:17:02 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Is there a utility that can be used to determine where a particular account
is getting locked out from. I have a user's account that is getting locked
out periodically. Most likely it's due to some service attempting to log in
under that users' account. The account has been getting locked out from time
to time since his last password change.

I don't want to have to search the security event logs from all the
computers and servers on our network. Is there an easier way?

TIA,
Ken

More about : account lockout

Anonymous
November 30, 2004 5:49:39 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

If you think it is an issue where there is a repeated failed logon, you can
see this if you turn on auditing of domain logons. In general, you should
have this on for both Failure and Success as it will alert you to a number
of potential problems/ threats.

Do this via a GPO and watch for failed logon attempts. Other than that, you
can go into more detailed auditing looking for changes to accounts, but this
will probably be unnecessary if you think this is just due to failed
attempts.

--
Ryan Hanisco
MCSE, MCDBA
Flagship Integration Services

"kmkrause2" <kmkrause2@discussions.microsoft.com> wrote in message
news:141C30B6-8375-4D7E-B0A9-60A23A961839@microsoft.com...
> Is there a utility that can be used to determine where a particular
account
> is getting locked out from. I have a user's account that is getting locked
> out periodically. Most likely it's due to some service attempting to log
in
> under that users' account. The account has been getting locked out from
time
> to time since his last password change.
>
> I don't want to have to search the security event logs from all the
> computers and servers on our network. Is there an easier way?
>
> TIA,
> Ken
Anonymous
November 30, 2004 5:49:40 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I have the auditing turned on. I was hoping there was a utility that could
prevent me from having to go to the 40+ servers and 70+ workstations
individually to look for the failed login attempts.

"Ryan Hanisco" wrote:

> If you think it is an issue where there is a repeated failed logon, you can
> see this if you turn on auditing of domain logons. In general, you should
> have this on for both Failure and Success as it will alert you to a number
> of potential problems/ threats.
>
> Do this via a GPO and watch for failed logon attempts. Other than that, you
> can go into more detailed auditing looking for changes to accounts, but this
> will probably be unnecessary if you think this is just due to failed
> attempts.
>
> --
> Ryan Hanisco
> MCSE, MCDBA
> Flagship Integration Services
>
> "kmkrause2" <kmkrause2@discussions.microsoft.com> wrote in message
> news:141C30B6-8375-4D7E-B0A9-60A23A961839@microsoft.com...
> > Is there a utility that can be used to determine where a particular
> account
> > is getting locked out from. I have a user's account that is getting locked
> > out periodically. Most likely it's due to some service attempting to log
> in
> > under that users' account. The account has been getting locked out from
> time
> > to time since his last password change.
> >
> > I don't want to have to search the security event logs from all the
> > computers and servers on our network. Is there an easier way?
> >
> > TIA,
> > Ken
>
>
>
Related resources
Anonymous
December 1, 2004 1:27:13 AM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

There's a free MS utility re. lockouts.
--
http://www.microsoft.com/downloads/details.aspx?FamilyI...

I've not got round to playing with it yet, so can't tell you if it's exactly
what you want or not.

--

Paul Williams

http://www.msresource.net
http://forums.msresource.net


"kmkrause2" <kmkrause2@discussions.microsoft.com> wrote in message
news:298F239E-9444-4852-9A69-4ADDAC9181FB@microsoft.com...
I have the auditing turned on. I was hoping there was a utility that could
prevent me from having to go to the 40+ servers and 70+ workstations
individually to look for the failed login attempts.

"Ryan Hanisco" wrote:

> If you think it is an issue where there is a repeated failed logon, you
> can
> see this if you turn on auditing of domain logons. In general, you
> should
> have this on for both Failure and Success as it will alert you to a number
> of potential problems/ threats.
>
> Do this via a GPO and watch for failed logon attempts. Other than that,
> you
> can go into more detailed auditing looking for changes to accounts, but
> this
> will probably be unnecessary if you think this is just due to failed
> attempts.
>
> --
> Ryan Hanisco
> MCSE, MCDBA
> Flagship Integration Services
>
> "kmkrause2" <kmkrause2@discussions.microsoft.com> wrote in message
> news:141C30B6-8375-4D7E-B0A9-60A23A961839@microsoft.com...
> > Is there a utility that can be used to determine where a particular
> account
> > is getting locked out from. I have a user's account that is getting
> > locked
> > out periodically. Most likely it's due to some service attempting to log
> in
> > under that users' account. The account has been getting locked out from
> time
> > to time since his last password change.
> >
> > I don't want to have to search the security event logs from all the
> > computers and servers on our network. Is there an easier way?
> >
> > TIA,
> > Ken
>
>
>
Anonymous
December 1, 2004 4:54:55 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi

The tool that Paul points to is useful. I find it more useful in context
with some other tools:

http://www.microsoft.com/downloads/details.aspx?FamilyI...

Also review:

http://www.microsoft.com/technet/prodtechnol/windowsser...

What I generally do to troubleshoot these problems is:

1. Use lockoutstatus to determine which DC's the bad password attempts are
registering again.

2. Enable auditing (as per the document above) and look for lockout events.

3. From the lockout events, determine which clients they originate from.

4. Look at the frequency of events to determine if it's a user issue or
process driven.

5. If user related, educate user.

6. If process related, implement Alockout.dll to find the offending process.

Kind regards
--
Mark Renoden [MSFT]
Windows Platform Support Team
Email: markreno@online.microsoft.com

Please note you'll need to strip ".online" from my email address to email
me; I'll post a response back to the group.

This posting is provided "AS IS" with no warranties, and confers no rights.

"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:ex1rBvy1EHA.1192@tk2msftngp13.phx.gbl...
> There's a free MS utility re. lockouts.
> --
> http://www.microsoft.com/downloads/details.aspx?FamilyI...
>
> I've not got round to playing with it yet, so can't tell you if it's
> exactly
> what you want or not.
>
> --
>
> Paul Williams
>
> http://www.msresource.net
> http://forums.msresource.net
>
>
> "kmkrause2" <kmkrause2@discussions.microsoft.com> wrote in message
> news:298F239E-9444-4852-9A69-4ADDAC9181FB@microsoft.com...
> I have the auditing turned on. I was hoping there was a utility that could
> prevent me from having to go to the 40+ servers and 70+ workstations
> individually to look for the failed login attempts.
>
> "Ryan Hanisco" wrote:
>
>> If you think it is an issue where there is a repeated failed logon, you
>> can
>> see this if you turn on auditing of domain logons. In general, you
>> should
>> have this on for both Failure and Success as it will alert you to a
>> number
>> of potential problems/ threats.
>>
>> Do this via a GPO and watch for failed logon attempts. Other than that,
>> you
>> can go into more detailed auditing looking for changes to accounts, but
>> this
>> will probably be unnecessary if you think this is just due to failed
>> attempts.
>>
>> --
>> Ryan Hanisco
>> MCSE, MCDBA
>> Flagship Integration Services
>>
>> "kmkrause2" <kmkrause2@discussions.microsoft.com> wrote in message
>> news:141C30B6-8375-4D7E-B0A9-60A23A961839@microsoft.com...
>> > Is there a utility that can be used to determine where a particular
>> account
>> > is getting locked out from. I have a user's account that is getting
>> > locked
>> > out periodically. Most likely it's due to some service attempting to
>> > log
>> in
>> > under that users' account. The account has been getting locked out from
>> time
>> > to time since his last password change.
>> >
>> > I don't want to have to search the security event logs from all the
>> > computers and servers on our network. Is there an easier way?
>> >
>> > TIA,
>> > Ken
>>
>>
>>
>
>
Anonymous
December 1, 2004 4:54:56 PM

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hi,

The tools referenced may be better, but I have used a script to find all
locked out users and for each show the DC that locked them out, when the
last bad password was attempted, and how many bad password attempts were
made on the DC. The program is linked here:

http://www.rlmueller.net/LockedUsers.htm

As noted, the output just flags the problems.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
--

"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:ueYitE11EHA.1400@TK2MSFTNGP11.phx.gbl...
> Hi
>
> The tool that Paul points to is useful. I find it more useful in context
> with some other tools:
>
>
http://www.microsoft.com/downloads/details.aspx?FamilyI...
>
> Also review:
>
>
http://www.microsoft.com/technet/prodtechnol/windowsser...
>
> What I generally do to troubleshoot these problems is:
>
> 1. Use lockoutstatus to determine which DC's the bad password attempts are
> registering again.
>
> 2. Enable auditing (as per the document above) and look for lockout
events.
>
> 3. From the lockout events, determine which clients they originate from.
>
> 4. Look at the frequency of events to determine if it's a user issue or
> process driven.
>
> 5. If user related, educate user.
>
> 6. If process related, implement Alockout.dll to find the offending
process.
>
> Kind regards
> --
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> "ptwilliams" <ptw2001@hotmail.com> wrote in message
> news:ex1rBvy1EHA.1192@tk2msftngp13.phx.gbl...
> > There's a free MS utility re. lockouts.
> > --
> >
http://www.microsoft.com/downloads/details.aspx?FamilyI...
> >
> > I've not got round to playing with it yet, so can't tell you if it's
> > exactly
> > what you want or not.
> >
> > --
> >
> > Paul Williams
> >
> > http://www.msresource.net
> > http://forums.msresource.net
> >
> >
> > "kmkrause2" <kmkrause2@discussions.microsoft.com> wrote in message
> > news:298F239E-9444-4852-9A69-4ADDAC9181FB@microsoft.com...
> > I have the auditing turned on. I was hoping there was a utility that
could
> > prevent me from having to go to the 40+ servers and 70+ workstations
> > individually to look for the failed login attempts.
> >
> > "Ryan Hanisco" wrote:
> >
> >> If you think it is an issue where there is a repeated failed logon, you
> >> can
> >> see this if you turn on auditing of domain logons. In general, you
> >> should
> >> have this on for both Failure and Success as it will alert you to a
> >> number
> >> of potential problems/ threats.
> >>
> >> Do this via a GPO and watch for failed logon attempts. Other than
that,
> >> you
> >> can go into more detailed auditing looking for changes to accounts, but
> >> this
> >> will probably be unnecessary if you think this is just due to failed
> >> attempts.
> >>
> >> --
> >> Ryan Hanisco
> >> MCSE, MCDBA
> >> Flagship Integration Services
> >>
> >> "kmkrause2" <kmkrause2@discussions.microsoft.com> wrote in message
> >> news:141C30B6-8375-4D7E-B0A9-60A23A961839@microsoft.com...
> >> > Is there a utility that can be used to determine where a particular
> >> account
> >> > is getting locked out from. I have a user's account that is getting
> >> > locked
> >> > out periodically. Most likely it's due to some service attempting to
> >> > log
> >> in
> >> > under that users' account. The account has been getting locked out
from
> >> time
> >> > to time since his last password change.
> >> >
> >> > I don't want to have to search the security event logs from all the
> >> > computers and servers on our network. Is there an easier way?
> >> >
> >> > TIA,
> >> > Ken
> >>
> >>
> >>
> >
> >
>
>
!