Where has that account been locked out?

Posted by beakersoft | Posted in Microsoft | Posted on 07-02-2008


Anyone who has ever worked in an IT helpdesk environment will know that probably 50%+ of calls are related in some way or another to users getting their password wrong and locking out their account. No matter how much you educate the users, this will always happen, especially if you enforce a complex password policy (and I hope you do!).

I have seen on the odd occasion where there is something more at work. The user could be happily logging on in the morning and working for a bit when suddenly their account gets locked out, and as far as you (and they) can tell everything should be fine. You can unlock the account and they carry on working for a bit, but then it happens again. There are a few things it could be:

  • Someone is trying to use that user's account, doesn't know their password and so keeps locking it. This could be malicious or for another reason
  • The user has logged onto another machine and not logged off. If the user has then changed their password while the other machine is still logged in, that machine could be requesting resources using the old (and now incorrect) password. Every time it tries to get a network resource that requires authentication it will cause a bad password attempt
  • Similar to the above, but the user is logged into a terminal server session and has not logged out. For non-console sessions on terminal servers that users have access to, it's always a good idea to enforce an automatic log off after a period of inactivity
  • The user could have a connection to a network resource (such as a mapped drive) that is using old credentials. Personally I've never seen this on XP, but I did see it on Win95/98

So, we know what can go wrong, but how the hell do we find out which machine the account lockout is occurring on?

For a start, there are a couple of tools available from Microsoft; probably the most useful one is LockoutStatus.exe. This app lets you put a user name in, and will show you all the domain controllers in your Active Directory domain.

Against each DC it tells you the lockout status of the account, the site the DC is in, the bad password count, the lockout time etc. This information might be useful in tracking down the site where the lock is originating.

LockoutStatus screenshot

However, it still doesn’t narrow you down to a specific machine where the lock is coming from. In order to find that out you are going to have to use the Security Event logs on the domain controllers.

Turning on Failed Login Attempts Event Logging

The first thing you need to do is alter your domain policy to make sure you are logging failed login attempts into the security event log. You can do this at the local server level, but by far the easiest way is to edit your default domain policy. Find your default domain policy and edit it. You need to make sure the following settings under the computer configuration are turned on:

Policy settings

Once you have set these, give it half an hour or so to replicate round your domain, and your DCs should start logging the account logon events. If you look in the security log, you should be able to see events like this:

Example Event

Now, some of these events (such as event ID 680) will contain a section naming the workstation. Now we are getting somewhere. An event showing a failed logon (and so a lockout in progress) will look something like this:

Feb 7 12:15:19 DC-SVR1.Dom MSWinEventLog<009>1<009>Security<009>4523690<009>Thu Feb 07 12:15:19 2008<009>681<009>Security<009>SYSTEM<009>User<009>Failure Audit<009>DC-SVR1.Dom<009>Account Logon<009><009>The logon to account: joe.bloggs by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: USER-WRK1 failed. The error code was: 3221225578 <009>4518607

There are various events like this one. Here it is telling you that the user Joe.Bloggs failed to log in from the machine USER-WRK1.
This is giving you some information, but it's not telling you where the INITIAL lockout occurred. For this you need to find the events with the ID of 644. These should give you information about the initial account lockout, and look something like this:

Feb 7 14:01:48 DC-SVR1.Dom MSWinEventLog<009>2<009>Security<009>2574908<009>Thu Feb 07 14:01:45 2008<009>644<009>Security<009>Everyone<009>Well Known Group<009>Success Audit<009>DC-SVR1<009>Account Management<009><009>User Account Locked Out: Target Account Name: Joe.Bloggs Target Account ID: %{S-1-1-00-1111111111-2222222222-333333333-4567} Caller Machine Name: USER-WRK2 Caller User Name: DC-SVR1 Caller Domain: DOM Caller Logon ID: (0x0,0x000) <009>2574304

This event now tells you the username (Target Account Name), the machine it was locked out on (Caller Machine Name) and the DC that created the lockout.

Querying the Events

The problem you are going to have now is finding the entries in the security log. There will probably be 1000s of access requests against all your domain controllers in a single day, so finding the particular entry that you want can be a bit of a nightmare.

In a couple of articles in the past I have written about the use of a syslog server; this is another area where it can be useful. Using a syslog server and agents (such as Snare) on the domain controllers, you can send all the events from each server into one central place.

One of the best syslog servers to use is the Kiwi Syslog Daemon, available at kiwisyslog.com. Even though it is freeware it is a very powerful tool: it allows you to send the data you have collected to various destinations (text files, database etc.) and set up housekeeping on your data. A full feature list can be found on their website.

One of the easiest ways to search your security event logs is to get Kiwi Syslog to insert the information into an ODBC database such as MySQL. Using Kiwi Syslog, you can specify which data goes to which place using rules and filters.

Create yourself an ODBC connection to the database where you want the data to live, then go into the syslog setup and create a new rule called something like 'account lockouts'. Add a filter to this rule on the message text that contains:

“3221225578” or “3221225578” or “3221225586” or “3221226036” or “Account locked out”

Filter

This should catch any of the account lockout events. You then need to create a new action to add the data to the database. Just fill in the details similar to the following screenshot:

Database Insert

Note: you might want to purge the data in the table every couple of months or so, or it could get very large and hard to work with.

Now all your account lockout events will be added to this table. You can then write custom queries/reports to get the information out of this database, and finally find where that account lockout is occurring!
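As an added example (not code from the original post or from Kiwi/Snare), here is a small Python script that does the same job as the filter rule and the follow-up query: it splits the Snare-format records shown above, keeps only the 681 events carrying the error codes in the filter and the 644 lockout events, and then reports per user which workstation raised the lockout and where the bad passwords came from. The sample records are constructed (the two from the post plus two more), and the tab separator is kept in the "<009>" form the post uses.

```python
import re
from collections import Counter

# Decimal NTSTATUS values the Kiwi filter matches on, with their standard
# Windows meaning so the report can say why the logon failed.
ERROR_CODES = {
    "3221225578": "STATUS_WRONG_PASSWORD (0xC000006A)",
    "3221225586": "STATUS_ACCOUNT_DISABLED (0xC0000072)",
    "3221226036": "STATUS_ACCOUNT_LOCKED_OUT (0xC0000234)",
}
RE_681 = re.compile(r"account: (\S+) by: \S+ from workstation: (\S+) failed\. "
                    r"The error code was: (\d+)")
RE_644 = re.compile(r"Target Account Name: (\S+) .*?Caller Machine Name: (\S+) ")

# Constructed sample records in the Snare layout; "<009>" stands for a tab.
SAMPLE_LOG = [
    "Feb 7 12:15:19 DC-SVR1.Dom MSWinEventLog<009>1<009>Security<009>4523690<009>Thu Feb 07 12:15:19 2008<009>681<009>Security<009>SYSTEM<009>User<009>Failure Audit<009>DC-SVR1.Dom<009>Account Logon<009><009>The logon to account: joe.bloggs by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: USER-WRK1 failed. The error code was: 3221225578 <009>4518607",
    "Feb 7 13:58:02 DC-SVR1.Dom MSWinEventLog<009>1<009>Security<009>4523912<009>Thu Feb 07 13:58:02 2008<009>681<009>Security<009>SYSTEM<009>User<009>Failure Audit<009>DC-SVR1.Dom<009>Account Logon<009><009>The logon to account: joe.bloggs by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: USER-WRK2 failed. The error code was: 3221225578 <009>4518801",
    "Feb 7 14:01:48 DC-SVR1.Dom MSWinEventLog<009>2<009>Security<009>2574908<009>Thu Feb 07 14:01:45 2008<009>644<009>Security<009>Everyone<009>Well Known Group<009>Success Audit<009>DC-SVR1<009>Account Management<009><009>User Account Locked Out: Target Account Name: Joe.Bloggs Target Account ID: %{S-1-1-00-1111111111-2222222222-333333333-4567} Caller Machine Name: USER-WRK2 Caller User Name: DC-SVR1 Caller Domain: DOM Caller Logon ID: (0x0,0x000) <009>2574304",
    "Feb 7 14:02:10 DC-SVR1.Dom MSWinEventLog<009>0<009>Security<009>2574950<009>Thu Feb 07 14:02:10 2008<009>540<009>Security<009>jane.doe<009>User<009>Success Audit<009>DC-SVR1<009>Logon/Logoff<009><009>Successful Network Logon: User Name: jane.doe Workstation Name: USER-WRK3 <009>2574310",
]

def parse_snare_line(line):
    """Split one record on the tab separator and keep only what the post's
    filter would catch: a 681 with one of the error codes, or a 644 lockout."""
    f = line.replace("<009>", "\t").split("\t")
    if len(f) < 14:
        return None
    event_id, dc, msg = f[5], f[10], f[13]   # event ID, logging DC, message text
    if event_id == "681" and (m := RE_681.search(msg)) and m.group(3) in ERROR_CODES:
        return {"event_id": 681, "dc": dc, "user": m.group(1).lower(),
                "workstation": m.group(2), "reason": ERROR_CODES[m.group(3)]}
    if event_id == "644" and "account locked out" in msg.lower() and (m := RE_644.search(msg)):
        return {"event_id": 644, "dc": dc, "user": m.group(1).lower(),
                "workstation": m.group(2), "reason": "initial lockout"}
    return None

def lockout_report(lines):
    """Per user: the machine(s) named in 644 lockout events plus a tally of
    bad-password events per workstation, i.e. the query you would run on the table."""
    report = {}
    for rec in filter(None, map(parse_snare_line, lines)):
        e = report.setdefault(rec["user"], {"locked_out_from": set(), "bad_passwords": Counter()})
        if rec["event_id"] == 644:
            e["locked_out_from"].add(rec["workstation"])
        else:
            e["bad_passwords"][rec["workstation"]] += 1
    return report

if __name__ == "__main__":
    for user, e in lockout_report(SAMPLE_LOG).items():
        print(user, "locked out from", sorted(e["locked_out_from"]), dict(e["bad_passwords"]))
```

Pointing the same functions at the rows Kiwi inserts into the database (or at the raw syslog text file) gives you the "where is it coming from?" answer without hand-searching thousands of events.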

Comments (8)


Excellent one. Very much helpful, more things like this are expected and appreciated

Thanks

[…] We have also used an in house tool that logs all the account lock outs into a database to track down the actual machines that are locking users out, this has been the most pro-active way of finding infected machines. You can read more about the system we use in a previous post here […]

Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.

uugggghhh arrrgggghhh those are my thoughts about dealing with customers forgetting their passwords….. LOL – It is especially annoying when you get someone that is a lot older and they literally don’t even speak your language, they could be either trying to turn the computer on or type in their password and you wouldn’t be able to tell the difference. I have told a few clients that they seriously need to have their grand kids over to show them the ropes because they don’t know enough to even get things moving.

My problem is that whenever user xyz logs in, he causes user abc’s account to become locked out!

If user xyz logs in on a different machine, abc is ok.

So, apparently, it’s something on his original machine. I have un-joined, rejoined the domain, same error.

Thinking about exporting his data, renaming his profile, then logging in again to create a fresh profile and reimport his data.

But would like your opinion please?

RL

@Ray, you have probably got a stale connection in the user's profile somewhere. Remove all the mapped drives, and do a net use at the command prompt to see if there is anything else still connected; if there is, remove that as well.

Blowing the users profile away will probably fix it as well, but that’s probably a last resort

Here is some PowerShell that may help with this. I had a student in my PowerShell class with a similar situation. He needed to know where the lockout was happening.

http://mctexpert.blogspot.com/2012/08/where-did-users-account-get-locked-out.html
