Skip to main content

Active Directory Account Lockout - Narrowing Down the source

If you are in a all-windows shop where everything is nice and neat, everybody has a proper domain membership and all authentication is SSO or Windows Integrated, then you probably do not have much of a problem with repeated account lockouts.

On the other hand, if you are in a mixed environment, lots of :Linux, Mac, and unmanaged Wintendo, then you probably run into some users that manage to Lock themselves out frequently - typically for several days in a row after the account password had been changed.

Reasons can be plenty fold - typically saved credentials somewhere, like a git client, sql-server client, email client, rdp-manager, smbfs-automount, or anything that tries a bunch of logins when you start it up, or keeps trying in the background.

As a sysadmin, you don't have time to narrow it down for the end user - but they will be adamant it is not their fault, so you probably need to prove that "Yes it is" - so I use powershell to grab 4740 events from Domain Controllers, the details of them usually prove the source of the lockout was their machine.

I Separated out the username to make this slightly more readable, you could make an array of parameters to pass it all nice and neat.. One-liners are nice for quick copy and paste though - dont forget to update the domain controller hostname:

$user="username"
Get-WinEvent -ComputerName yourdomaincontroller.fqdn -LogName Security -FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$user']]" | Select-Object TimeCreated,Message | %{$_ -replace "(?ms)Message=.+Computer Name:",""}

This will produce a list of events - it is a bit crude and quick (not much time spent on that regex etc), it shows the event time and the computer that initiated it.

If you want to see the full list you can just do

$user="username"
Get-WinEvent -ComputerName yourdomaincontroller.fqdn -LogName Security -FilterXPath "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$user']]" | FL


Comments

Popular posts from this blog

Introducing Sau MGM - Small to medium Business Information technology management

I am (slowly) working on a project called SauMGM - a small/medium business IT-Department administration utility, database and more.
I will also use this blog to post helpful hints and tricks, some logs of things I have been doing, as well as a place to just store things for myself, such as remembering how to do certain things. I ofetn find myself not remembering the exact syntax on things i do occasionally, like openssl specifics.
I have been doing systems and network administration since 1999, and I am still very much hands on in all kinds of projects and technologies.

Home made SAN Migration

The topic sounds more elaborate than it is - alternative title could be "Hackjob SAN volume backup and restore".
The SetupIn a legacy-style SAN and Compute setup, I have an EMC Unity 450F box deployed with Fibre Channel (FC) to a Cisco UCS (Unified Compute System). I am booting the UCS blades off the SAN, running vmware with Block/LUN DataStores, and one blade running Windows.
I also have a Dell R740 server in the mix, with a Qlogic HBA as well as onboard storage.
The Situation Not in production yet, but we had spun up a few VMs, and all our blades had been installed, esx and vcenter running, a few VM's, and including the physical Windows blade, and the R740.

Then we discovered that the Unity had no SFP+ ports in it, and I need to do replication - swearing my vendor up and down, I call EMC, and they are sending out NIC modules and guy to install it. BUT, because we have to remove a module to insert a new one, the whole SAN box has to be reset to Factory setting (!!!). My…

New Lines - Windows/Unix/Linux/MacOS - viM

If you deal with scripts and other text files and move between platforms you probably discovered this "issue".
Only the founding developers can explain why they chose what they did - googling about will show you a couple of different explanations - whatever the reasons, here are the differences and how to convert.
The formats The Characters in use (referenced in OS info below)LF Usually referred to as LF  or Line feedAscii code decimal 10Hex: A or 0xAOctal: 12 or O12Typical Escaped character in many shells and languages: \nCRUsually referred to as CR or Carriage ReturnAscii code decimal 13Hex D or 0xDTypical Escaped character in many shells and languages: \r Unix, Linux, and Modern MacOS - The POSIX standard Each Line ends with a single character:  LF
Most programming languages will understand/interpret this format properly.
Simple Windows programs, like the built in Notepad will not show this properly.

Windows (and DOS) Each line ends with two consecutive characters in this …