Tracking Account Lockouts

In a network of any size built on Active Directory you will have run into the account lockout problem. You ask yourself why the account is locked: you are absolutely sure you are entering your password correctly, so why does it get locked again and again? The answer is rather general: “It depends on many things”. Although a mistyped password is the first cause of account lockouts, there are plenty of other reasons behind them. I am going to cover how you can find the source of the problem with a simple GPO, after which your enterprise will be free of it.

According to Microsoft there is more than one reason for this:

  • Entering your password incorrectly (note: not only at interactive logons but also when accessing a share).
  • Services configured with the wrong credentials; to put it another way, the services keep trying to start with incorrectly configured credentials.
  • Mapped network drives. It sounds a bit weird, but yes: if you have a mapped network drive on your PC, you may have to look at its stored credentials again to make sure they are correct.
  • In Windows 7 and above there is a feature called “Credential Manager” which holds all the credentials used for accessing shares, mapped network drives and so on. It is another place where you have to verify the credentials.
  • The Conficker worm.

First I am going to cover the steps you have to follow to find the source of the problem. It is actually not as difficult as it may appear at first. You have to create a GPO in your environment and link it to the whole domain. Let’s start!

  1. Open the Group Policy Management Console on your DC. For ease of access just type gpmc.msc in the Run box and click OK.


  • Right-click the Group Policy Objects node and click New.

  • Type a name for your policy. I personally give all my GPOs completely clear names, so when I am navigating through the Group Policy console I can tell the role of a policy from its name. Let’s call it “Track_Account_Lockout_Problems”.

  • Time to configure the main part. Navigate to “Local Policies” (the original post shows a screenshot of the path here).


  • In this section there are two policies which you have to configure in order to track account lockout problems. Define both of them to log “Failure” attempts.

  • Now close the GPO you have just created and link it (Track_Account_Lockout_Problems) to the domain.

  • Make sure the new policy has been applied in the environment by running: gpupdate /force

  • The trap has been set. All you have to do now is wait for the victim to step into it. Unfortunately there is no sound or alarm to notify you that the victim is in the trap; you have to check it yourself, so Event Viewer should be checked on an hourly basis. Open the Event Viewer console.

  • Locate the Security log under Windows Logs. The event ID you have to look for is 4771, with Kerberos as the source. You can filter the Security log to show only 4771 events. Sort the events by date and double-click one of the recent events whose Event ID is 4771.

  • These events are all the failure audits in your environment, so don’t be surprised by the huge number of logs. You have to look for the ones pointing at the user account that is being locked out repeatedly. In the event’s details the “Client Address” field points to the source of the problem. What now? See the next step.


  • All you have to do now is log on to that client (in this case 172.29.115.3) and check everything you think is involved in this problem. I mentioned some of the common reasons at the beginning of the post, but overall, check service accounts, mapped drives, Credential Manager, bad passwords, scheduled tasks, and so on.
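The Event Viewer steps above (filter the Security log for 4771, find the Client Address) and the earlier “make sure the policy has been applied” step can be done from a PowerShell window on the DC instead of by hand. The script below is an added example, not code from the original post: it checks that failure auditing is in effect on this DC, lists accounts that are currently locked out, then parses the 4771 events of the last few hours and groups the 0x18 (wrong password) failures by account and client address so the noisiest source is at the top. The parameter names, the time window and the IPv4-mapped address clean-up are assumptions of this example; run it in an elevated session because auditpol and the Security log need administrator rights.

```powershell
# Added example (not from the original post): triage Kerberos pre-authentication
# failures (Event ID 4771) on a domain controller to find the client that keeps
# locking an account out. Parameter names and defaults are this example's assumptions.
param(
    [string]$TargetUser = '',        # leave empty to report on all accounts
    [int]$Hours = 24,                # how far back in the Security log to look
    [string]$LogName = 'Security'    # 4771 is written to the Security log of the KDC (the DC)
)

# Step 1: confirm the failure audit configured in the GPO is really in effect here.
# "Kerberos Authentication Service" is the audit subcategory that produces 4771.
$auditState = auditpol /get /subcategory:"Kerberos Authentication Service" 2>$null
if (($auditState -join "`n") -notmatch 'Failure') {
    Write-Warning 'Failure auditing for Kerberos Authentication Service is not enabled on this DC; run gpupdate /force and check the GPO link.'
}

# Step 2: which accounts are locked out right now (needs the ActiveDirectory module from RSAT).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Search-ADAccount -LockedOut |
        Select-Object SamAccountName, LockedOut, LastLogonDate |
        Format-Table -AutoSize
}

# Step 3: pull the 4771 events and flatten their EventData fields into objects.
$filter = @{ LogName = $LogName; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = $data['TargetUserName']
        # The KDC records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix.
        ClientAddr = ($data['IpAddress'] -replace '^::ffff:', '')
        Status     = $data['Status']        # 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. wrong password
        PreAuth    = $data['PreAuthType']
    }
}

if ($TargetUser) { $rows = $rows | Where-Object { $_.User -eq $TargetUser } }

# Step 4: the source to visit is the (account, client address) pair with the most failures.
$rows |
    Where-Object { $_.Status -eq '0x18' } |
    Group-Object User, ClientAddr |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';       e = { $_.Group[0].User } },
        @{ n = 'ClientAddr'; e = { $_.Group[0].ClientAddr } },
        @{ n = 'LastSeen';   e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
    Format-Table -AutoSize
```

Save it as a .ps1 and run it on the DC, for example with `-TargetUser jdoe -Hours 6` once you know which account is affected. Because 4771 is generated by the KDC, the script has to run on a domain controller (each DC only sees the failures it handled, so check every DC in a multi-DC domain); the client address in the output is the machine you then log on to in the last step above.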
