Account lockouts

We have a user that keeps getting locked out and I can't seem to trace the source of the logins.

Using the account lockout tool I can see that the user is hitting two domain controllers, the PDC and a secondary (used for ADFS). Checking the event log on the PDC, it reports that the source of the login was the secondary DC; checking the event log on the secondary DC, I see ::1 listed as the IP address the request is coming from. This would suggest that the login request is coming directly to the secondary DC.

As this is an ADFS server servicing login requests for Office 365 SSO, I wonder if the user may have a device trying to check email at regular intervals with an old password. Does this sound feasible?

Or does anyone have any other ideas on what this could be?

Drac

July 10th, 2015 9:46am

From the workstation of the user you can run "set logonserver" from the command prompt to find the DC the user is authenticated to. Besides the workstation, is the user logged into a VPN or remote session? Email and/or OCS-Lync? Manually mapped drives? Another device where they just locked the workstation and never logged out? The script below will find the user if they're logged in using the console or remotely using Terminal Services, by examining the explorer.exe processes on all Active Directory machines.
This script requires the free Quest ActiveRoles Management Shell for Active Directory snap-in, located at http://www.quest.com/powershell/activeroles-server.aspx

NOTE: Validity of script may not be ideal for your environment, exercise with caution.

##############################################################################################
##  Find out what computers a user is logged into on your domain by running the script
##  and entering in the requested logon id for the user.
##
##  This script requires the free Quest ActiveRoles Management Shell for Active Directory
##  snapin  http://www.quest.com/powershell/activeroles-server.aspx
##############################################################################################

Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
$ErrorActionPreference = "SilentlyContinue"

# Retrieve the username to search for; re-prompt until it is non-blank and
# exists in Active Directory. Read-Host returns an empty string (not $null)
# for a blank entry, so the blank check has to test for an empty string.

Function Get-Username {
    $Global:Username = Read-Host "Enter username you want to search for"
    if ([string]::IsNullOrWhiteSpace($Global:Username)) {
        Write-Host "Username cannot be blank, please re-enter username!!!!!"
        Get-Username
        return
    }
    $UserCheck = Get-QADUser -SamAccountName $Global:Username
    if ($UserCheck -eq $null) {
        Write-Host "Invalid username, please verify this is the logon id for the account"
        Get-Username
    }
}

Get-Username

# Enabled computer accounts only; hosts that do not answer a ping are skipped
$computers = Get-QADComputer | Where-Object { $_.AccountIsDisabled -eq $false }
foreach ($comp in $computers) {
    $Computer = $comp.Name
    $ping = New-Object System.Net.NetworkInformation.Ping
    $Reply = $null
    # Ping.Send throws on an unresolvable name; treat that like an unreachable host
    try { $Reply = $ping.Send($Computer) } catch { continue }
    if ($Reply -ne $null -and $Reply.Status -eq 'Success') {
        # Get explorer.exe processes (one per interactive desktop session)
        $proc = Get-WmiObject Win32_Process -ComputerName $Computer -Filter "Name = 'explorer.exe'"
        # Compare the owner of each process with the username we are looking for
        ForEach ($p in $proc) {
            $temp = ($p.GetOwner()).User
            if ($temp -eq $Username) {
                Write-Host "$Username is logged on $Computer"
            }
        }
    }
}


July 10th, 2015 11:59am

Check the netlogon logs on the source DC to find the affected system's IP. To enable netlogon logging:

https://support.microsoft.com/en-us/kb/109626

To find the source DC and system

http://www.windowstricks.in/2009/07/account-lockout.html

July 10th, 2015 3:10pm


Hi,

Next time a user's account gets locked, do not unlock the account; from the PDC server, run the utility EventCombMT.exe, which is a multi-threaded tool that parses event logs from many servers at the same time. This will track down account lockouts.

The above tool has a built-in search for account lockouts. If you are using Windows 2008 and above, make sure you add the event IDs below to the search criteria. This will track the IP address of the client machine from where the account is getting locked.

Event ID 539 : Logon Failure: Account locked out
Event ID 644 : User account Locked out

Event ID 4740: A user account was locked out.(Windows 2008 & Windows 7)

The common causes for account lockouts are also described in this section:

Programs
Bad Password Threshold is set too low
User logging on to multiple computers
Stored user names and passwords retain redundant credentials
Scheduled tasks
Persistent drive mappings
Active Directory replication
Disconnected Terminal Server sessions

July 11th, 2015 2:52am
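The two-hop trace that the EventCombMT answer above and the "set logonserver" answer both describe (lockout event on the PDC emulator naming a caller computer, then the bad-password events on that caller naming the real client) can be scripted without a third-party tool. The script below is an added example written for this page; it is not from the thread, from EventCombMT or from Microsoft. It assumes a domain-joined management host with the RSAT ActiveDirectory module, an account that can read the Security log on the DCs, and a script file name of your choosing (Find-LockoutSource.ps1 is a hypothetical name); $SamAccountName and $Hours are our own parameter names.

```powershell
# Added example, not part of the original thread. Hypothetical file name: Find-LockoutSource.ps1
# Usage: .\Find-LockoutSource.ps1 -SamAccountName jdoe -Hours 48
param(
    [Parameter(Mandatory = $true)][string]$SamAccountName,
    [int]$Hours = 24
)
Import-Module ActiveDirectory
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)

# Flatten the EventData section of a Security event into a hashtable keyed by field name
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# Step 1: 4740 is written on the PDC emulator. Its TargetDomainName field is what Event Viewer
# shows as "Caller Computer Name": the DC or server that forwarded the bad password that
# pushed the account over the lockout threshold.
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
              -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
        }
    }
$lockouts | Format-Table -AutoSize

# Step 2: on each caller computer that is itself a DC, the bad-password events name the client.
# 4771 (Kerberos pre-authentication failed) carries IpAddress; 4776 (NTLM) carries Workstation.
# An IpAddress of ::1 / 127.0.0.1, or a Workstation equal to the ADFS host, means the request
# terminated on that server itself (the situation in the question): the client then has to be
# found on the ADFS side, e.g. among the devices still configured with the old credential.
foreach ($caller in ($lockouts.CallerComputer | Sort-Object -Unique)) {
    Get-WinEvent -ComputerName $caller -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since } |
      ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetUserName -ne $SamAccountName) { return }   # skip other accounts
        $source = if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
        [pscustomobject]@{ Time = $_.TimeCreated; DC = $caller; EventId = $_.Id; Source = $source; Status = $d.Status }
      } | Format-Table -AutoSize
}
```

Leave the account locked while you run this, as the EventCombMT answer suggests, so the failing client keeps producing 4771/4776 entries on the caller DC; a Status of 0x18 (4771) or 0xC000006A (4776) is the "wrong password" code that a device with a stale credential generates on every retry.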

It looks like the logon attempt is coming from ADFS. As this is for Office 365, I believe that this is a mail client which is trying to connect regularly. Here, it is usually difficult to identify the exact source, but it is probably a workstation or a mobile device. You need to identify these devices and check the mail clients configured on them.

It might also be someone who is playing around and would like to cause the lockouts. In fact, you should be aware of account lockout attacks and the fact that some attackers can take advantage of account lockout policies to create disruptions.

As for the log collection, it is usually a difficult task to collect them manually by reading Event Viewer logs, so you might be thinking about having third-party software which makes it easier to do. My favorite is Lepide Auditor - Active Directory (you can ask them for an evaluation period): http://www.lepide.com/lepideauditor/active-directory.html

July 12th, 2015 9:56pm

Hello,

Hope your query is resolved now. If yes, can you mark the proposed answer as Answer so that others can refer to it?

July 18th, 2015 9:00am
