Monday, August 6, 2018

Troubleshooting Account Lockouts

I often get asked by customers for assistance with troubleshooting account lockout issues, where a user constantly gets locked out but IT doesn't know how they are getting locked out or what device they are being locked out from.

Diagnosing account lockout issues can be difficult because you need to look at the audit logs on the domain controller that processed the user's failed authentication request. For companies without audit collection software (software which pulls audit logs from multiple servers into a central place) this can be a difficult task. There are many enterprise auditing products on the market such as Snare, Splunk, Tripwire, ManageEngine or even Microsoft ACS, which is part of System Center Operations Manager.

For companies without an enterprise auditing product, Microsoft has made a simple, free tool called Account Lockout Status (LockoutStatus.exe) which just looks at invalid password attempts. This tool queries the audit logs on all domain controllers. This tool can be downloaded from the following location:

If we look at the Security log on Bentley-DC, we can see the unsuccessful login occurred from AT-LT-03.
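The same lookup can be scripted across every domain controller when there is no central log collector. This is an added example, not part of the original post: it assumes the ActiveDirectory PowerShell module (RSAT), rights to read the Security log on each DC, and uses event ID 4740 (account locked out); `Get-LockoutSource` and the account name `jsmith` are hypothetical names chosen for illustration.

```powershell
# Added example: find which computer caused lockouts for one user by reading
# event 4740 (account locked out) from the Security log of every DC.
# Assumes the ActiveDirectory module (RSAT) and rights to read DC Security logs.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$UserName,   # sAMAccountName to investigate
        [int]$Days = 2                             # how far back to search
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # No matching events, or the DC could not be reached/read; report and continue.
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # Read fields by name from the event XML rather than by position.
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $UserName) { continue }
            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                DomainController = $dc.HostName
                User             = $data['TargetUserName']
                # In 4740 the "Caller Computer Name" is stored in TargetDomainName.
                CallerComputer   = $data['TargetDomainName']
            }
        }
    }
}

# 'jsmith' is a placeholder account name.
Get-LockoutSource -UserName 'jsmith' | Sort-Object TimeCreated | Format-Table -AutoSize
```

If `CallerComputer` comes back empty for an event, the failed-logon events recorded on the reporting domain controller around the same time are the next place to look.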

Hope this post has been helpful.
