Friday, September 18, 2020

Troubleshooting Account Lockouts in Active Directory

In this post we will look into troubleshooting Account Lockouts in Active Directory. From my experience identifying the source of an Account Lockout can often be easy, or extremely difficult.

When an incorrect authentication attempt hits a domain controller, a second authentication attempt is always made against the Primary Domain Controller (PDC). This is because of Active Directory replication intervals: if you reset a user's password, it may take a few hours for the change to propagate across the network, depending on how you have configured your Inter-Site Transport links in AD Sites and Services. The Primary Domain Controller (PDC) always holds the latest passwords (one of the many functions of the PDC emulator role).

The easiest way to troubleshoot Account Lockouts is simply to log in to the Primary Domain Controller and review the Security log, as it holds a list of all account lockouts that have occurred across all domain controllers. The Event ID that represents an account lockout is Event ID 4740.

The screenshot below shows a typical Account Lockout event on the PDC. It displays the account name that was locked out and the computer from which the lockout originated.

However, this is where it can get more complicated. If the lockout came from a system that is not in Active Directory, the "Caller Computer Name" value will always be blank. This covers numerous scenarios, such as:

  • Mobile devices (Android / iOS) authenticating against an Exchange Server through ActiveSync.
  • Proxy Servers
  • Java Applications
  • UNIX/Linux Systems
  • Other non-domain-joined computers.

For these events we cannot look only at the PDC Emulator; we need to look at where the "Bad Pwd Count" is incrementing and at the "Last Bad Pwd" timestamp across all domain controllers in the Active Directory domain. Microsoft has a tool called lockoutstatus.exe that lets us easily identify the domain controller on which the lockout occurred, so we can review the Security log on that domain controller.

Download this tool from here:

If you want to see it utilised, refer to this post:

The Security log Event IDs you want to filter on are as follows:

  • Event ID 4625 - An account failed to log on
  • Event ID 4776 - The computer attempted to validate the credentials for an account.
  • Event ID 4771 - Kerberos pre-authentication failed

Note: the Event IDs for Windows Server 2000/2003 are different, but I assume you're not running those anymore!

These Event IDs reveal the source IP address from which the authentication attempt failed.

For many companies still running on-premises Exchange, mobile devices on ActiveSync are a common cause of account lockouts. If you have confirmed, using the Event IDs above, that the account lockout is coming from your Exchange Server, you can use the IIS logs to identify the device and external IP address that caused the lockout. You need to check the IIS logs on the Exchange Server for an HTTP 401 "Unauthorized" error for the user in question. IIS logs can easily be imported into Excel for formatting and review. Also check out the following blog post, which has a Logparser.exe query that lets you quickly search IIS logs for the account lockout.

In addition to the HTTP 401 "Unauthorized" error, the Exchange IIS logs can also provide additional information in the sc-win32-status field:

  • 1326 - The user name or password is incorrect.
  • 1330 - The password for this account has expired.
  • 1331 - This user can't sign in because this account is currently disabled.
  • 1909 - The referenced account is currently locked out and may not be logged on to.

Note: I have seen an account lockout event at a customer site where 4771 Event IDs were logged pointing at the Exchange Server, however I could not see the user account in the IIS logs with the 401.
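To make the IIS log step concrete, here is an added Python example (not code from the post) that parses W3C-format IIS logs, picks out the HTTP 401 entries for one account, and annotates each with the sc-win32-status meaning from the list above; the log lines, account names, DeviceId values and IP addresses are constructed for the demonstration.

```python
import re
# sc-win32-status values the post lists for Exchange IIS logs
WIN32_STATUS = {
    "1326": "The user name or password is incorrect.",
    "1330": "The password for this account has expired.",
    "1331": "This user can't sign in because this account is currently disabled.",
    "1909": "The referenced account is currently locked out and may not be logged on to.",
}

# Constructed sample in IIS W3C extended format (not a real capture; documentation IP ranges).
SAMPLE_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-09-18 08:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=ABC123&DeviceType=iPhone&Cmd=Ping 443 - 203.0.113.10 Apple-iPhone11C2/1707.68 401 1 1326 15
2020-09-18 08:00:03 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jsmith&DeviceId=ABC123&DeviceType=iPhone&Cmd=Ping 443 - 203.0.113.10 Apple-iPhone11C2/1707.68 401 1 1909 11
2020-09-18 08:00:04 10.0.0.5 GET /owa/ - 443 CORP\adoe 198.51.100.7 Mozilla/5.0 200 0 0 40
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))

def request_user(rec):
    """Account from cs-username, else from the ActiveSync User= query parameter (cs-username is usually '-' on a 401)."""
    user = rec.get("cs-username", "-")
    if user == "-":
        m = re.search(r"(?:^|&)User=([^&]+)", rec.get("cs-uri-query", ""))
        user = m.group(1) if m else "-"
    return user.split("\\")[-1].lower()  # drop DOMAIN\ prefix, compare case-insensitively

def failed_auth_for(text, account):
    """HTTP 401 records for one account: time, client IP, ActiveSync DeviceId, User-Agent and win32 meaning."""
    hits = []
    for rec in parse_w3c(text):
        if rec.get("sc-status") != "401" or request_user(rec) != account.lower():
            continue
        dev = re.search(r"DeviceId=([^&]+)", rec.get("cs-uri-query", ""))
        code = rec.get("sc-win32-status")
        hits.append({"time": rec["date"] + " " + rec["time"], "client_ip": rec.get("c-ip"),
                     "device_id": dev.group(1) if dev else None,
                     "user_agent": rec.get("cs(User-Agent)"),
                     "win32": code, "meaning": WIN32_STATUS.get(code, "unknown")})
    return hits
```

Point the same functions at a real log file with `failed_auth_for(open(path).read(), "username")`; the client IP and DeviceId in the result are what you take to the mobile device management side.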

More Reading / References:

I also recommend reading the following article "The Low Down on Password Policies".

Hopefully this post has been informative for you in troubleshooting Account Lockouts.