With the prevalence of mobile devices this is becoming more of a problem: a user comes in every day swearing blind that nothing of theirs has the wrong password, yet something keeps locking their account out.
Here is how to fix it:
- Firstly, make sure your domain controllers are auditing the right events. Check that your “Default Domain Controllers Policy” has these settings, or create a new GPO linked at that level and set them there:
Default Domain Controllers Policy->Policies->Windows Settings->Security Settings->Local Policies/Audit Policy
Audit Account Logon Events = Failure
Audit Account management = Success, Failure
Audit Directory Service Access = Failure
Audit Logon Events = Failure
Audit Object Access = No Auditing
All other settings should not be set to "undefined."
- If you have made changes, wait for the policy to apply; it shouldn’t take long.
- All being well, you’ll now see new “Audit Failure” events in the domain controller’s “Security” log; these are the people getting their password wrong.
- Now download the Account Lockout tool: http://www.microsoft.com/en-gb/download/details.aspx?id=15201
- Run this on the server, selecting the target user (the person being locked out) and the domain; it will then tell you which domain controllers are seeing the lockouts.
- Connect to that server and investigate its event log, specifically the “Security” log.
- To filter, you can do one of two things. One: click “Filter Current Log...” and enter the event ID as 4771 (Windows 2008).
Alternatively, click the “XML” tab and enter:
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='TargetUserName']="USERNAME"]]</Select>
  </Query>
</QueryList>
This will show you where the lockouts are coming from, including the IP address of the device; from there you can track it down through DHCP to get a MAC address.
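The same filtering can be done without clicking through Event Viewer on every domain controller. The script below is an added example, not part of the original post or the Account Lockout tool: it runs the post's XML query through Get-WinEvent, narrowed to event ID 4771 (Kerberos pre-authentication failures, the "people getting it wrong" events) and to a recent time window, then groups the failures by the client IP address recorded in each event so the noisy device stands out. It assumes you run it with an account allowed to read the Security log on the DC the Account Lockout tool pointed at; the parameter names and the time window are my choices.

```powershell
# Added example (not from the original post): list Kerberos pre-auth failures
# (event ID 4771) for one user on a domain controller and count them per
# source IP address. Run from a machine that can read the DC's Security log.
param(
    [Parameter(Mandatory)][string]$User,                 # sAMAccountName being locked out
    [string]$DomainController = $env:COMPUTERNAME,       # DC reported by the Account Lockout tool
    [int]$Hours = 24                                     # how far back to look (assumed default)
)

$windowMs = $Hours * 3600 * 1000

# Same XPath shape as the XML in the post, with the event ID and a time
# window added. Data[@Name] values are case-sensitive.
$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4771) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
      and *[EventData[Data[@Name='TargetUserName']='$User']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -ComputerName $DomainController -FilterXml $query -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 4771 events for '$User' on $DomainController in the last $Hours hours."
    return
}

# Flatten each event's EventData into a record: when, from which IP, and why.
$records = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        IpAddress = ($data['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped IPv6 prefix
        Status    = $data['Status']                                 # 0x18 = wrong password (pre-auth failed)
    }
}

# Devices generating the failures, most frequent first; the top entry is the
# one to chase through DHCP for a MAC address.
$records | Group-Object IpAddress | Sort-Object Count -Descending |
    Select-Object @{n='IpAddress'; e={ $_.Name }},
                  Count,
                  @{n='LastSeen';  e={ ($_.Group | Sort-Object Time -Descending)[0].Time }} |
    Format-Table -AutoSize
```

Usage: `.\Find-LockoutSource.ps1 -User jsmith -DomainController DC01 -Hours 8` (the script name is assumed). Run it against each DC the Account Lockout tool lists, since 4771 is logged only on the DC that handled the failed request.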