
Active Directory Lock Out



#1 thomaja


Posted 03 September 2017 - 09:31 PM

Hi! I have a question with many answers, but I'm hoping someone more experienced could give me some insight on something I've been running into for years working on a First Level Support service desk. I'll sometimes get a caller who is getting a string of lockouts. We unlock them in ARS (our AD tool) or log access the ADUC module via term server, and the password they were using prior works and the user is able to continue. The user will call back in a few hours, locked out again. This will continue throughout the user's shift. There are usually no new password changes. Usually I'd send this up as a high priority, but the user will still experience this through their shift. The next time they log in, no issue. I'm not sure what to make of this. I usually tell the users it may be because of updates or slow server or network slowness, but I think if any of that were true it would impact a cluster of users and not just one. I'm not looking to run to my server team with your ideas and I'm not really looking for a course in server management, just a few ideas so I can understand this a little better. Let me know if you need more info, thanks for any info.


Edited by thomaja, 03 September 2017 - 09:35 PM.



#2 x64


Posted 04 September 2017 - 12:38 AM

Possibly a mobile phone attempting to connect with an outdated stored password, or something else with an outdated saved password (connection to a share, etc.). You could get the user to check in Credential Manager on one of the systems that he/she uses for such a password.

 

If neither of those ideas identifies the issue, then you could look in the domain controller security logs for the failed connection attempts and trace them back from there.

 

x64



#3 thomaja


Posted 04 September 2017 - 01:30 AM


Thank you for your response!  I will try both!  I appreciate it!



#4 sflatechguy


Posted 04 September 2017 - 09:30 AM

Ditto @x64.

 

At our place, the user likely receives company emails on their phone, or connects to the office WiFi, and the WiFi or email connection is still trying to authenticate with an outdated password, so they keep getting locked out.

 

Another fairly common scenario is a user will RDP into another machine or a server, or they'll log into a company web portal (and tell the browser to store their credentials), and when they're done, rather than log out they will simply terminate the session. Their password changes, and then they start getting locked out regularly.



#5 i2D_


Posted 16 September 2017 - 07:56 AM

Just DL and use the AD lockout tool created by Microsoft (link below). Then check which DC its original lock was from (unless you already know), filter the sec event logs for 4740 and trace it back to the source.

 

Works 100% of the time as I always use this method. It's funny because most people don't seem to know how to trace locks.

 

https://www.microsoft.com/en-gb/download/details.aspx?id=18465

 

 

If it's coming from a mobile device with the mailbox linked to it, use ActiveSync and remove the device.


Edited by i2D_, 16 September 2017 - 07:58 AM.
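
The 4740 trace described in the post above, as an added example that is not part of the thread or of any poster's tooling: it reads "account locked out" events from a domain controller and reports which computer each lockout came from. Assumptions: the function names are hypothetical, the ActiveDirectory module is installed, the PDC emulator is queried by default (pass -DomainController for the DC the lockout tool reports), and the account, DC and workstation names in the sample are constructed.

```powershell
# Added example. Turns 4740 "A user account was locked out" events into one row
# per lockout so the source machine can be traced.
function ConvertFrom-LockoutEvent {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = [datetime]$evt.System.TimeCreated.SystemTime
            User           = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']  # 4740 stores the caller computer name in this field
            LoggedOnDC     = $evt.System.Computer
        }
    }
}

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$UserName,                  # sAMAccountName of the affected user
        [string]$DomainController = (Get-ADDomain).PDCEmulator,   # assumption: lockouts are read from the PDC emulator
        [int]$HoursBack = 24
    )
    # Reading the Security log remotely needs event log reader rights on the DC.
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$HoursBack) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-LockoutEvent |
        Where-Object { $_.User -eq $UserName }
}

# Constructed sample event, trimmed to the fields used, so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2017-09-04T13:05:11.000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-042</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LockoutEvent

# Live use against a DC ('jdoe' is a placeholder account name):
# Get-LockoutSource -UserName 'jdoe' | Group-Object CallerComputer | Sort-Object Count -Descending
```

A caller computer that keeps appearing for the same user is the machine to check for stored credentials, mapped drives or disconnected sessions; an empty caller name usually means the attempt arrived through another service, such as mail or WiFi authentication.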




