The Blown Light Bulb

Information worth sharing...


How To Troubleshoot Account Lockout Scenarios

One of the most challenging tasks for a systems administrator is discovering where and when a user account is being locked out. The difficulty grows with the type of environment the _sysadmin_ faces, and it is far greater when the environment is highly distributed, not only geographically but also in terms of services.

Because an account lockout completely stops the user's activity and cuts them off from the rest of the company, determining as early as possible where and how the account is being locked is undoubtedly valuable. This has particular impact on companies where e-mail communication is vital because of their geographical distribution.

A recurring account lockout points to recurring failed authentication attempts that do not come from the user but from some other source (scheduled tasks, smartphones, tablets, stale cached credentials, etc.). Finding the problem's source requires a thorough search, and for this Microsoft offers tools such as LockoutStatus, which displays information about the locked account obtained from Active Directory.

LockoutStatus is useful for determining the domain controller on which the account is being locked, so you know where to start reviewing security events. Event Viewer is our second partner in the arduous task of determining what is locking our user. Here Microsoft also provides tools that save you from reviewing the entire security logs of our domain controllers: EventCombMT lets you collect events (even from different sources) and combine them to determine the lockout's source.

These and other tools that Microsoft provides can be really helpful. Simply follow the guidelines below to troubleshoot a lockout situation in your environment:

  1. Start by determining the domain controller where the account is being locked, using the LockoutStatus tool. Base your research on the Pwd Last Set column, which displays when the last good password was set or when the account was last unlocked.
  2. Check the security event log on that domain controller to determine the source from which the account is being locked, using EventCombMT to search for events 529, 644, 675, 676, and 681.
  3. Check the Netlogon log to see why the account was locked, using the FindStr and NLParse tools to extract the status codes.
  4. Log authentication failures on the source workstation with the ALockout.dll logging tool, which can help you determine which application, program or process is sending the incorrect credentials in an account lockout scenario.
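Step 3 is where the status codes in the Netlogon log tell you both why the account locked and which machine kept sending bad credentials. As an added example that is not part of the original post, the Python below does offline what the text describes doing with FindStr and NLParse: it parses the SamLogon "Returns" lines of a Netlogon.log excerpt, maps the NTSTATUS codes to their meaning, and counts failures per user and source so the host replaying stale credentials stands out. The log lines, domain and host names are constructed, and the pattern assumes the classic Netlogon.log line layout.

```python
import re
from collections import Counter

# Well-known NTSTATUS values that appear after "Returns" in Netlogon.log.
STATUS = {
    "0xC000006A": "bad password",
    "0xC0000234": "account locked out",
    "0xC0000064": "user does not exist",
    "0xC0000072": "account disabled",
    "0xC000006F": "outside logon hours",
}

# "Returns" line of a SamLogon entry; tolerates the optional thread id
# "[1234]" and the "Transitive ... (via DC)" form used for pass-through logons.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?\S+: SamLogon: "
    r"(?:Transitive )?\w+ logon of (?P<user>\S+) from (?P<src>\S+?)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<code>0x[0-9A-Fa-f]+)$"
)

# Constructed sample: one user failing repeatedly from a workstation and once via a mail server.
SAMPLE_LOG = """\
05/21 10:15:32 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jdoe from WKS01 Entered
05/21 10:15:32 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jdoe from WKS01 Returns 0xC000006A
05/21 10:15:33 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jdoe from WKS01 Returns 0xC000006A
05/21 10:15:34 [LOGON] [2312] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\\jdoe from MAILSRV (via DC02) Returns 0xC000006A
05/21 10:15:40 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jdoe from WKS01 Returns 0xC0000234
05/21 10:16:01 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\asmith from WKS07 Returns 0x0
""".splitlines()

def failed_logons(lines):
    """Yield (timestamp, user, source, via, status) for every non-success SamLogon result."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                      # "Entered" lines and unrelated entries
        code = "0x" + m["code"][2:].upper()
        if code == "0x0":
            continue                      # successful logon, not interesting here
        yield m["ts"], m["user"].lower(), m["src"].upper(), m["via"], STATUS.get(code, code)

def failures_by_source(lines):
    """Count failures per (user, source, status); the noisiest source is the usual culprit."""
    return Counter((u, s, st) for _, u, s, _, st in failed_logons(lines))

def likely_culprit(lines):
    """(user, source) with the most failed logons, with its count, or None if no failures."""
    totals = Counter((u, s) for _, u, s, _, _ in failed_logons(lines))
    return totals.most_common(1)[0] if totals else None
```

Run it against a real Netlogon.log (with Netlogon debug logging enabled) by passing the file's lines to `failures_by_source`; the "via" field tells you which DC forwarded a pass-through logon, which is the DC to check in step 2.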

All these tools are free to download and are compatible with the Windows NT 4 through Windows Server 2003 family of products (I haven’t tested them on the Windows Server 2008 and R2 families). They can be downloaded from the following link:

Account Lockout and Management Tools

More information on how to use these tools can be found at the following link as well:

Account Lockout Tools