Tracking Down Cause of Locked Active Directory Account

posted 17 Jul 2014, 02:20 by Tristan Self
With the prevalence of mobile devices this is becoming more of a problem: you have a user who comes in every day and swears blind that nothing has the wrong password stored, but something is locking them out.

Here is how to fix it:

1. First, make sure your domain controllers are auditing the right events. Ensure your "Default Domain Controllers Policy" has these settings, or create a new GPO linked at this level and set the settings under that GPO to the following:

Default Domain Controllers Policy->Policies->Windows Settings->Security Settings->Local Policies/Audit Policy
  • Audit Account Logon Events = Failure
  • Audit Account management = Success, Failure
  • Audit Directory Service Access = Failure
  • Audit Logon Events = Failure
  • Audit Object Access = No Auditing
None of the other audit settings should be left "undefined."

2. If you have made changes, wait for the policy to apply; it shouldn't take long.

3. All being well, you'll now see new "Audit Failure" events in the domain controller's "Security" log; these are people getting the password wrong.

4. Now download the Account Lockout tool:

5. Run this on the server, selecting the target user (the person being locked out) and the domain. It will then tell you which domain controllers are seeing the lockout.

6. Connect to that domain controller to investigate its event log, specifically the "Security" log.

7. Now, to filter things, you can do one of two things. One: click on "Filter Current Log..." and enter the event ID as 4771 (Windows 2008).

Alternatively you can click on the "XML" tab and paste a query like this (replace USERNAME with the account being locked out):

  <QueryList>
    <Query Id="0" Path="Security">
      <Select Path="Security">*[EventData[Data[@Name='TargetUserName']="USERNAME"]]</Select>
    </Query>
  </QueryList>

This will show you where the lockouts are coming from and the IP address of the device; from there you can track it down through DHCP to get a MAC address.
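The same search done from PowerShell instead of the Event Viewer GUI, as an added example that is not part of the original post: it applies the TargetUserName filter above, restricted to Event ID 4771, and tallies the failures per source IP address so the offending device stands out. It assumes it is run with rights to read the Security log on the domain controller named in $ComputerName; $TargetUser and $Hours are placeholders you set.

```powershell
# Added example (not from the original post). Assumes: read access to the Security log
# on the DC reported by the Account Lockout tool; USERNAME is a placeholder to replace.
param(
    [string]$TargetUser   = 'USERNAME',          # sAMAccountName of the locked-out user
    [string]$ComputerName = $env:COMPUTERNAME,   # DC that is seeing the lockouts
    [int]$Hours           = 24                   # how far back to look
)

# Same XPath the post pastes into the "XML" tab, plus EventID=4771 and a time window
# so the query stays fast on a busy DC. "&lt;" is the XML escape for "<".
$ms  = $Hours * 3600 * 1000
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4771 and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
      and *[EventData[Data[@Name='TargetUserName']='$TargetUser']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -ComputerName $ComputerName -FilterXml $xml -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host "No 4771 events for $TargetUser on $ComputerName in the last $Hours hours."
    return
}

# Pull the named EventData fields out of each event. Status 0x18 is
# "pre-authentication failed" (bad password), the failure that drives lockouts.
$rows = foreach ($ev in $events) {
    $field = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $ev.TimeCreated
        User     = $field['TargetUserName']
        SourceIP = $field['IpAddress'] -replace '^::ffff:', ''   # drop IPv4-mapped prefix
        Status   = $field['Status']
    }
}

# Failures per source address: the device at the top of this list is the one to chase
# through DHCP for its MAC address.
$rows | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object @{n='SourceIP'; e={$_.Name}}, Count,
                  @{n='LastSeen'; e={($_.Group | Sort-Object Time -Descending)[0].Time}} |
    Format-Table -AutoSize
```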