Re: Account Lockout

From: Richard Mueller [MVP] (rlmueller-NOSPAM_at_ameritech.NOSPAM.net)
Date: 12/01/04 

Date: Wed, 1 Dec 2004 12:27:51 -0600

Hi,

The tools referenced may be better, but I have used a script to find all
locked out users and for each show the DC that locked them out, when the
last bad password was attempted, and how many bad password attempts were
made on the DC. The program is linked here:

http://www.rlmueller.net/LockedUsers.htm

As noted, the output just flags the problems. 

-- 
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
--
"Mark Renoden [MSFT]" <markreno@online.microsoft.com> wrote in message
news:ueYitE11EHA.1400@TK2MSFTNGP11.phx.gbl...
> Hi
>
> The tool that Paul points to is useful.  I find it more useful in context
> with some other tools:
>
>
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>
> Also review:
>
>
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
>
> What I generally do to troubleshoot these problems is:
>
> 1. Use lockoutstatus to determine which DC's the bad password attempts are
> registering again.
>
> 2. Enable auditing (as per the document above) and look for lockout
events.
>
> 3. From the lockout events, determine which clients they originate from.
>
> 4. Look at the frequency of events to determine if it's a user issue or
> process driven.
>
> 5. If user related, educate user.
>
> 6. If process related, implement Alockout.dll to find the offending
process.
>
> Kind regards
> -- 
> Mark Renoden [MSFT]
> Windows Platform Support Team
> Email: markreno@online.microsoft.com
>
> Please note you'll need to strip ".online" from my email address to email
> me; I'll post a response back to the group.
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
>
> "ptwilliams" <ptw2001@hotmail.com> wrote in message
> news:ex1rBvy1EHA.1192@tk2msftngp13.phx.gbl...
> > There's a free MS utility re. lockouts.
> > --
> >
http://www.microsoft.com/downloads/details.aspx?FamilyID=d1a5ed1d-cd55-4829-a189-99515b0e90f7&DisplayLang=en
> >
> > I've not got round to playing with it yet, so can't tell you if it's
> > exactly
> > what you want or not.
> >
> > -- 
> >
> > Paul Williams
> >
> > http://www.msresource.net
> > http://forums.msresource.net
> >
> >
> > "kmkrause2" <kmkrause2@discussions.microsoft.com> wrote in message
> > news:298F239E-9444-4852-9A69-4ADDAC9181FB@microsoft.com...
> > I have the auditing turned on. I was hoping there was a utility that
could
> > prevent me from having to go to the 40+ servers and 70+ workstations
> > individually to look for the failed login attempts.
> >
> > "Ryan Hanisco" wrote:
> >
> >> If you think it is an issue where there is a repeated failed logon, you
> >> can
> >> see this  if you turn on auditing of domain logons.  In general, you
> >> should
> >> have this on for both Failure and Success as it will alert you to a
> >> number
> >> of potential problems/ threats.
> >>
> >> Do this via a GPO and watch for failed logon attempts.  Other than
that,
> >> you
> >> can go into more detailed auditing looking for changes to accounts, but
> >> this
> >> will probably be unnecessary if you think this is just due to failed
> >> attempts.
> >>
> >> -- 
> >> Ryan Hanisco
> >> MCSE, MCDBA
> >> Flagship Integration Services
> >>
> >> "kmkrause2" <kmkrause2@discussions.microsoft.com> wrote in message
> >> news:141C30B6-8375-4D7E-B0A9-60A23A961839@microsoft.com...
> >> > Is there a utility that can be used to determine where a particular
> >> account
> >> > is getting locked out from. I have a user's account that is getting
> >> > locked
> >> > out periodically. Most likely it's due to some service attempting to
> >> > log
> >> in
> >> > under that users' account. The account has been getting locked out
from
> >> time
> >> > to time since his last password change.
> >> >
> >> > I don't want to have to search the security event logs from all the
> >> > computers and servers on our network. Is there an easier way?
> >> >
> >> > TIA,
> >> > Ken
> >>
> >>
> >>
> >
> >
>
>

Relevant Pages

  • Re: Account Lockout
    ... Enable auditing and look for lockout events. ... >> Do this via a GPO and watch for failed logon attempts. ... I have a user's account that is getting ...
    (microsoft.public.win2000.active_directory)
  • Re: Account Lockout
    ... see this if you turn on auditing of domain logons. ... Do this via a GPO and watch for failed logon attempts. ... I have a user's account that is getting locked ... > I don't want to have to search the security event logs from all the ...
    (microsoft.public.win2000.active_directory)
  • Re: Account Lockout
    ... I have the auditing turned on. ... > Do this via a GPO and watch for failed logon attempts. ... I have a user's account that is getting ... >> I don't want to have to search the security event logs from all the ...
    (microsoft.public.win2000.active_directory)
  • Re: Question regarding Security event 12294
    ... to look in the security log to see if there are any failed logon attempts and what ... paper in that link "Account Passwords and Policies" is very good for troubleshooting ... The SAM database was unable to lockout the account of ຦ ...
    (microsoft.public.win2000.security)
  • Re: all domain accounts locked out !!!
    ... Microsoft recommends that you use a lockout threshold of no less than 10 ... enforced complex passwords in your domain ideally with a password length of ... target the administrator account. ... controllers and domain workstations for failed logon attempts that may give ...
    (microsoft.public.windows.group_policy)