Account lockout
Account lockout is the most common issue in a Windows environment. This post discusses frequent account lockout issues and how to troubleshoot them.
In a Windows 2000/2003 domain environment, if a password and account lockout policy is enabled, then according to that policy the account is locked out when the user types the wrong password more than 3 or 5 times.
It should be unlocked automatically after 30 minutes (depending on the account lockout policy). For a frequent account lockout issue, follow the account lockout troubleshooting steps below.
First, find the distinguished name (DN) of the affected user account.
Syntax:
dsquery user -name username
Example:
dsquery user -name testuser
The command returns the DN of the user:
"CN=testuser,OU=Test,DC=test,DC=com"
Log on to any domain controller, run the replmon utility and, using the full DN, find the domain controller that last authenticated the lockout of the user account.
In replmon, right-click the server, select "Show attribute meta-data for active directory object", enter the DN of the user and click OK.
Or
Log on to any domain controller and use the command below to find which domain controller last changed the lockoutTime attribute.
Syntax:
repadmin /showmeta "user DN"
Example:
repadmin /showmeta "CN=testuser,OU=Test,DC=test,DC=com"
This shows the replication metadata of the user object. Find the lockoutTime attribute; the output shows the originating domain controller for that change. Note the domain controller name.
Or pipe the output through find:
repadmin /showmeta "CN=testuser,OU=Test,DC=test,DC=com" | find /i "lockoutTime"
Log on to that domain controller and use the dumpel command to extract the latest security events, or check Event Viewer manually on the DC (test001 is the DC name; 644 is "user account locked out", 642 "user account changed", 529 "logon failure: bad password" and 539 "logon failure: account locked out"):
dumpel -f c:\lockoutevents.txt -s \\test001 -l security -m security -e 644 642 529 539
Dump successfully completed.
Note: check for event ID 4740 on Windows Server 2008 and later operating systems.
Check the lockoutevents.txt file for the affected user. You will find the account lockout event, which names the system from which the account was locked out.
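The same three steps (DN lookup, lockoutTime metadata, lockout event) as one PowerShell function for a Windows Server 2008 or later domain, where the lockout event is 4740. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Security log on the domain controllers.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# dsquery / repadmin /showmeta / dumpel steps for a 2008+ domain.
# Assumptions: RSAT ActiveDirectory module present; rights to read the DC Security log.
function Find-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Step 1: DN and lockout state (equivalent of dsquery user -name).
    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut, lockoutTime
    Write-Host "DN:        $($user.DistinguishedName)"
    Write-Host "LockedOut: $($user.LockedOut)"

    # Step 2: which DC last wrote lockoutTime (equivalent of repadmin /showmeta).
    # Ask the PDC emulator: bad-password counts and lockouts are forwarded to it,
    # so it has the latest metadata and logs a 4740 for every lockout in the domain.
    $pdc  = (Get-ADDomain).PDCEmulator
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $pdc |
            Where-Object { $_.AttributeName -eq 'lockoutTime' }
    Write-Host "lockoutTime last written $($meta.LastOriginatingChangeTime) by $($meta.LastOriginatingChangeDirectoryServerIdentity)"

    # Step 3: 4740 events on the PDC emulator for this account (equivalent of dumpel -e 644).
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $data   = ([xml]$e.ToXml()).Event.EventData.Data
        $target = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        if ($target -ne $SamAccountName) { continue }
        # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
        $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $target
            CallerComputer = $caller   # system that sent the bad passwords; check it for the causes below
            LoggedOnDC     = $pdc
        }
    }
}

# Usage: Find-LockoutSource -SamAccountName testuser
```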
Causes:
• Check whether the user ID is used to start or stop services on the affected system
• Check whether the user ID is logged on to multiple computers
• Check for any application using the old password on the affected system
• Check for any persistent drive mappings using the old password
• Check for Terminal Services sessions using the old password
You can also use the Microsoft Account Lockout and Management Tools (ALTools) to troubleshoot account lockouts.
Hi,
Thanks for sharing your suggestions.
By the way, recently one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports including which accounts are locked out, where all a user may have permissions etc.
So, there’s no more need to write any scripts and all to find the DN of locked accounts. You can just use this tool and it will automatically show you the DN of all locked accounts!
The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from http://www.paramountdefenses.com/goldfinger.php
If you’re into Active Directory security, then this tool is a must-have. Best of all its FREE, SUPPORTED and ENDORSED by Microsoft!
Thought I’d share this helpful tip with you!
Sincerely,
JohnM
Hi Ganesh,
How are you? I came across your post while looking for free Active directory reporting tools on Account Lockout and True Last Logon.
Ganesh, I run a blog on Free Active Directory Reporting Tools and if you know of any free True Last Logon based tools, could you please let me know, so I could post it on my blog and share it with the entire community.
Thanks, and look forward to hearing from you soon.
Bye,
Marc
Hi,
Nice article, and I am aware of Microsoft lockstatus.exe and other tools, but this is the first time I'm hearing of these commands to query Active Directory.
Here is a free tool called lockout fixer which lets users quickly find where the account lockouts are coming from
Thanks,
Shanmugam
I’m looking for a third-party tool to identify and resolve all account lockouts. The only one I’ve evaluated so far is NetWrix Account Lockout Examiner, which is so far, so good—it identifies user lockouts, troubleshoots the issue and resolves the issue. Anyone have any other good recommendations that I can compare?
Very nice article….thanks for sharing it