
Active Directory Account Lockout - Narrowing Down the source

If you are in an all-Windows shop where everything is nice and neat, everybody has a proper domain membership and all authentication is SSO or Windows Integrated, then you probably do not have much of a problem with repeated account lockouts.

On the other hand, if you are in a mixed environment with lots of Linux, Mac and unmanaged Wintendo boxes, then you probably run into some users that manage to lock themselves out frequently - typically for several days in a row after the account password has been changed.

Reasons can be manifold - typically saved credentials somewhere, like a git client, SQL Server client, email client, RDP manager, smbfs automount, or anything that tries a bunch of logins when you start it up, or keeps retrying in the background with the old password.

As a sysadmin, you don't have time to narrow it down for the end user - but they will be adamant it is not their fault, so you probably need to prove that "yes, it is". I use PowerShell to grab 4740 ("A user account was locked out") events from the domain controllers; the details of those events usually prove the source of the lockout was their machine.

I separated out the username to make this slightly more readable; you could make an array of parameters to pass it all nice and neat. One-liners are nice for quick copy and paste though - don't forget to update the domain controller hostname:

$user="username"
Get-WinEvent -ComputerName yourdomaincontroller.fqdn -LogName Security -FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$user']]" | Select-Object TimeCreated,Message | %{$_ -replace "(?ms)Message=.+Computer Name:",""}

This will produce a list of events. It is a bit crude and quick (not much time spent on that regex etc.), but it shows the event time and the computer that initiated the lockout (the "Caller Computer Name" field of the 4740 event).

If you want to see the full event details instead, you can just do:

$user="username"
Get-WinEvent -ComputerName yourdomaincontroller.fqdn -LogName Security -FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$user']]" | FL
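Here is a slightly more thorough version of the same 4740 hunt, added as an example and not part of the original post. It assumes the ActiveDirectory RSAT module is installed and that you can read the Security log remotely; instead of a hand-typed DC name it asks AD for the PDC emulator, because every lockout in the domain is processed there, so you do not miss lockouts that a different DC saw first. It pulls the caller computer name from the event's data fields rather than the message text, and summarises per source machine.

```powershell
# Added example (not the original post's one-liner).
# Assumes: ActiveDirectory module (RSAT), remote read access to the PDC emulator's Security log.
$User = 'username'   # sAMAccountName of the account that keeps getting locked out
$Days = 3            # how far back to look

# Lockouts are always forwarded to and processed by the PDC emulator, so its
# Security log holds a 4740 for every lockout in the domain.
$Pdc = (Get-ADDomain).PDCEmulator

$Filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent throws if nothing matches; treat "no events" as an empty result.
$Events = Get-WinEvent -ComputerName $Pdc -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $User }   # Properties[0] = TargetUserName

$Lockouts = foreach ($E in $Events) {
    [pscustomobject]@{
        TimeCreated    = $E.TimeCreated
        LockedAccount  = $E.Properties[0].Value
        # In 4740 the TargetDomainName field carries the "Caller Computer Name",
        # i.e. the machine that sent the final bad password.
        CallerComputer = $E.Properties[1].Value
        ReportingDC    = $E.MachineName
    }
}

if (-not $Lockouts) {
    Write-Host "No 4740 events for '$User' on $Pdc in the last $Days day(s)."
    return
}

# One line per source machine: how often, first and last time. A blank or
# server-side caller (e.g. a mail or web server) means the bad password is
# arriving through a service rather than straight from the user's PC.
$Lockouts |
    Group-Object CallerComputer |
    ForEach-Object {
        [pscustomobject]@{
            CallerComputer = if ($_.Name) { $_.Name } else { '<none>' }
            Lockouts       = $_.Count
            FirstSeen      = ($_.Group | Measure-Object TimeCreated -Minimum).Minimum
            LastSeen       = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
        }
    } |
    Sort-Object Lockouts -Descending |
    Format-Table -AutoSize
```

Once the caller computer is known, the Security log on that machine (failed logons around the same timestamps) is where you find which process or saved credential is actually doing it.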


