{"id":60,"date":"2014-07-17T20:24:00","date_gmt":"2014-07-17T20:24:00","guid":{"rendered":"http:\/\/geekmungus.co.uk\/?p=60"},"modified":"2022-11-05T10:53:19","modified_gmt":"2022-11-05T10:53:19","slug":"tracking-down-cause-of-locked-active-directory-account","status":"publish","type":"post","link":"https:\/\/geekmungus.co.uk\/?p=60","title":{"rendered":"Tracking Down Cause of Locked Active Directory Account"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">With the prevalence of mobile devices this is becoming more of a problem: you have a user who comes in every day and swears blind nothing has the wrong password, but something is locking them out.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here is how to fix it:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Firstly, you must ensure that your domain controllers are logging the right audit events. Ensure your &#8220;Default Domain Controllers Policy&#8221; has these settings, or create a new GPO at this level and set the settings in that GPO to this:<\/li><\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>Default Domain Controllers Policy->Policies->Windows Settings->Security Settings->Local Policies\/Audit Policy\n\nAudit Account Logon Events = Failure\n\nAudit Account Management = Success, Failure\n\nAudit Directory Service Access = Failure\n\nAudit Logon Events = Failure\n\nAudit Object Access = No Auditing\n\nAll other settings should not be set to \"undefined.\"<\/code><\/pre>\n\n\n\n<ol class=\"wp-block-list\" start=\"2\"><li>If you have made changes, wait for the policy to apply; it shouldn&#8217;t take long.<\/li><li>All being well, you&#8217;ll now see new &#8220;Audit Failure&#8221; events logged in the domain controller&#8217;s &#8220;Security&#8221; log; these are people getting the password wrong.<\/li><li>Now download the Account Lockout tool: http:\/\/www.microsoft.com\/en-gb\/download\/details.aspx?id=15201<\/li><li>Run this on the server, selecting the target user (the person being locked out) and domain, 
this will then tell you which domain controllers are seeing the lockout.<\/li><li>Hook onto that server to investigate the event log, specifically the &#8220;Security&#8221; log.<\/li><li>To filter the log you can do one of two things. One: click on &#8220;Filter Current Log...&#8221; and enter the event ID 4771 (Windows 2008).<br><br>Alternatively, you can click on the &#8220;XML&#8221; tab and use this query:<\/li><\/ol>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;QueryList>\n  &lt;Query Id=\"0\" Path=\"Security\">\n\n    &lt;Select Path=\"Security\">*&#91;EventData&#91;Data&#91;@Name='TargetUserName']=\"USERNAME\"]]&lt;\/Select>\n  &lt;\/Query>\n&lt;\/QueryList><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">This will show you where the lockouts are coming from and the IP address of the device; from there you can track it down through DHCP to get a MAC address.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/community.spiceworks.com\/how_to\/show\/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/community.spiceworks.com\/how_to\/show\/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"http:\/\/www.manageengine.com\/products\/active-directory-audit\/help\/getting-started\/manual-configuration-dc-auditing.html\" target=\"_blank\" rel=\"noreferrer noopener\">http:\/\/www.manageengine.com\/products\/active-directory-audit\/help\/getting-started\/manual-configuration-dc-auditing.html<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>With the prevalence of mobile devices this is becoming more of a problem: you have a user who comes in every day and swears blind nothing has the wrong password, but something is locking them out. 
Here is how to fix it: Firstly you must ensure that you are logging the stuff correctly on your &#8230; <a title=\"Tracking Down Cause of Locked Active Directory Account\" class=\"read-more\" href=\"https:\/\/geekmungus.co.uk\/?p=60\" aria-label=\"Read more about Tracking Down Cause of Locked Active Directory Account\">Read more<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[27,14],"tags":[],"class_list":["post-60","post","type-post","status-publish","format-standard","hentry","category-active-directory","category-microsoft-windows"],"_links":{"self":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/60","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=60"}],"version-history":[{"count":1,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/60\/revisions"}],"predecessor-version":[{"id":1459,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/60\/revisions\/1459"}],"wp:attachment":[{"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=60"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=60"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/geekmungus.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=60"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}