AD/Exchange pros often face an issue for which there is little documentation available on the internet: user account lockouts.
I know this because I have been troubleshooting an account lockout issue for a while with minimal help. So, here we go: my guide for troubleshooting Active Directory account lockout issues.
Before entering advanced troubleshooting mode, we need to ensure we cover all the basics:
1. Exchange ActiveSync mobile devices
2. Apple MobileMe – contacts sync
3. Applications / Web applications/ Tools which sync with Active Directory for authentication
4. Vault for credentials in Windows Control Panel or Credential manager
5. Stored usernames and passwords – rundll32.exe keymgr.dll, KRShowKeyMgr
6. Rename AD Profile on the user machine
Let’s look at each in detail:
1. Exchange ActiveSync mobile devices – Yes, EAS devices, EAS devices and EAS devices. 80% of account lockout issues are caused by an “unknown” device trying to sync with your Exchange mailbox, and when you ask the user he would say – “What do you mean a mobile device – I already told ya”…
DO NOT listen to the user:
In the Exchange Management Shell run this:
Get-ActiveSyncDeviceStatistics -Mailbox MeeraNair
This returns all the devices the user is using right now, plus past devices that have established a connection with Exchange at least once.
FirstSyncTime : 5/3/2011 2:52:38 AM
LastPolicyUpdateTime : 3/8/2012 3:32:24 PM
LastSyncAttemptTime : 3/8/2012 6:11:53 PM
LastSuccessSync : 3/8/2012 6:11:53 PM
DeviceType : iPhone
DeviceID : Appl6DxxxxxxS
DeviceUserAgent : Apple-iPhone3C1/901.405
Identity : Meera.Nair@msexchangeguru.com\AirSync-iPhone-Appl6DxxxxxxS
FirstSyncTime : 7/7/2011 1:38:44 AM
LastPolicyUpdateTime : 3/8/2012 6:14:20 PM
LastSyncAttemptTime : 3/8/2012 7:34:09 PM
LastSuccessSync : 3/8/2012 7:34:09 PM
DeviceType : iPhone
DeviceID : Appl6QxxxxxxS
DeviceUserAgent : Apple-iPhone3C1/901.405
Identity : Meera.Nair@msexchangeguru.com\AirSync-iPhone-Appl6QxxxxxxS
Now, educate the user that these are the devices which are syncing with his mailbox and that they have his username and password stored. Then look at the LastSyncAttemptTime of each device and make sure it is not an EAS device that is trying (and failing) to authenticate as him.
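As an added example (not from the original post), the check above done in one go from PowerShell: read the account's last lockout time from AD and list only the EAS devices whose most recent sync attempt came after their last successful sync, i.e. devices that are still trying to authenticate with a stale stored password. It assumes the Exchange Management Shell and the ActiveDirectory module are both loaded; the mailbox alias is a placeholder.

```powershell
# Added example, not code from the original post. Assumes the Exchange
# Management Shell plus the ActiveDirectory module; alias is a placeholder.
$Mailbox = 'MeeraNair'

# lockoutTime is stored as a FILETIME; 0 means the account is not locked.
$user = Get-ADUser -Identity $Mailbox -Properties lockoutTime
$lockedAt = if ($user.lockoutTime -gt 0) {
    [DateTime]::FromFileTime($user.lockoutTime)
} else { $null }
$lockoutText = if ($lockedAt) { $lockedAt } else { 'not currently locked' }
"Lockout time from AD: $lockoutText"

# A device whose LastSyncAttemptTime is newer than its LastSuccessSync is
# still trying, but failing, to sync: a stored, stale password is the usual
# reason, and every failed attempt counts against the lockout threshold.
Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox |
    Where-Object { $_.LastSyncAttemptTime -gt $_.LastSuccessSync } |
    Select-Object DeviceType, DeviceID, DeviceUserAgent,
                  LastSuccessSync, LastSyncAttemptTime,
                  @{ Name = 'MinutesBeforeLockout'
                     Expression = {
                         # Only meaningful when the account is locked right now.
                         if ($lockedAt) {
                             [math]::Round(($lockedAt - $_.LastSyncAttemptTime).TotalMinutes, 1)
                         }
                     } } |
    Sort-Object LastSyncAttemptTime -Descending |
    Format-Table -AutoSize
```

A device whose failing attempt sits a few minutes before the lockout time is the one to remove or re-enter the password on; an empty result means the lockout is not coming from EAS and you move on to the next item in the list.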
2. Apple MobileMe – Contacts sync: Check and ensure the user hasn’t configured MobileMe to sync his contacts from Outlook. If this is configured with AD credentials, it can be a reason for account lockout.
3. Applications / Web applications / Tools which sync with Active Directory for authentication: You heard it right. There might be third-party applications running which have an AD username and password stored within, and a lot of times the moment the user opens an application such as Internet Explorer or another browser, the application or tool tries to authenticate in the background with the old password and locks the account.
4. Vault for credentials in Windows Control Panel or Credential Manager: This is the second most obvious reason the user might get locked out. In my case, the user had an intranet SharePoint web portal and the AD credentials were cached in Credential Manager. To open Credential Manager:
Make sure the Windows Credentials area is empty.
5. Stored usernames and passwords – This shouldn’t be a problem in most cases, but better safe than sorry. Open a Run window, type rundll32.exe keymgr.dll, KRShowKeyMgr and delete any stored passwords.
6. Rename the AD profile on the user machine: This is more like trying to fix the issue without knowing what’s causing it. It works under the assumption that the account lockout happens while the user is logged in to his client machine. If the account lockout is caused by an application or “something” on that machine, rename the AD profile folder on the client (under “Documents and Settings” in XP, under “Users” in Win7), advise the user to log in again and monitor the situation.
Now let’s look at some advanced troubleshooting steps.
Using the Microsoft Lockout Status tool
1. Download the Lockout Status tool from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465 into a new folder on a client machine.
2. After extracting the downloaded file, you will have the files below:
3. Open LockOutStatus.exe and click File –> Select Target As –> type the username (the user logon name of the account which is getting locked out) as the Target User Name and click OK as indicated below:
Please note that the tool can run on any machine.
4. The tool then processes the records across all the domain controllers. Keep a close eye on the column Bad Pwd Count.
5. If the account gets locked out frequently, the Bad Pwd Count keeps increasing. Make a note of the DC which shows a Bad Pwd Count of any value more than 0. The same value will also be shown by the domain controller holding the PDC emulator role, because bad passwords are forwarded to it; that entry can be ignored.
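The same per-DC view can be produced from PowerShell, which is handy when you want to re-run it every few minutes or keep a record. This is an added example, not part of the original post or of the Lockout Status tool: badPwdCount and badPasswordTime are not replicated, so each domain controller is asked directly for its own copy, and the PDC emulator is flagged so its mirrored count can be ignored as described above. It assumes the ActiveDirectory module; the user name is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module; $User is a placeholder account name.
Import-Module ActiveDirectory
$User = 'MeeraNair'

function ConvertFrom-FileTime ([Int64]$ft) {
    # AD stores these timestamps as 100-ns intervals since 1601; 0 = never.
    if ($ft -gt 0) { [DateTime]::FromFileTime($ft) } else { $null }
}

$pdc = (Get-ADDomain).PDCEmulator
$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # badPwdCount / badPasswordTime are per-DC, so -Server matters here.
        $u = Get-ADUser -Identity $User -Server $dc.HostName `
                 -Properties badPwdCount, badPasswordTime, lockoutTime, lastLogon
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            IsPdc       = ($dc.HostName -eq $pdc)
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = ConvertFrom-FileTime $u.badPasswordTime
            LockoutTime = ConvertFrom-FileTime $u.lockoutTime
            LastLogon   = ConvertFrom-FileTime $u.lastLogon
        }
    } catch {
        # An unreachable DC still gets a row so the gap is visible.
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; IsPdc = $false
                           BadPwdCount = 'unreachable'; LastBadPwd = $null
                           LockoutTime = $null; LastLogon = $null }
    }
}

$rows | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize

# The PDC emulator mirrors every bad password forwarded to it, so the DC to
# trace is the non-PDC one with a count above zero and the newest LastBadPwd.
$rows | Where-Object { -not $_.IsPdc -and $_.BadPwdCount -is [int] -and $_.BadPwdCount -gt 0 } |
    Sort-Object LastBadPwd -Descending | Select-Object -First 1 |
    ForEach-Object { "Enable the Netlogon trace on: $($_.DC)" }
```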
6. In this case, I will log in to DC01 and all the domain controllers in this site and set the following registry value:
· Open regedit with an account that has the necessary permissions and move to:
· Create a new DWORD value with the name DBFlag and the hexadecimal value 2080ffff.
7. Once this is set, restart the Netlogon service on DC01 and then wait for the account to lock out.
8. Once the account locks out, confirm again in LockoutStatus.exe which domain controller locked out the account and take the Netlogon.log file from C:\Windows\Debug on that DC.
9. Bring the Netlogon.log to the client machine which has the Lockout Status tool installed and open nlparse.exe from the Lockout Status Tools download.
10. Click File –> Open and browse to the Netlogon.log location.
11. Once the file is opened, choose the 2 status codes 0xC000006A and 0xC0000234 and click Extract.
Once the extraction is complete, it will show a pop-up as indicated below:
There will be 2 new files in the location of the Netlogon.log file on the client machine – a new CSV and a summary output file.
12. Open the CSV file and filter the User Alias for the recent lockout:
This indicates that DC01 received the lockout from DC07.
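The nlparse step can also be scripted, which saves copying the log back and forth when you have to repeat it on the next DC. The following is an added example, not code from the original post or from the Lockout Status tools: it keeps only the two status codes used above (0xC000006A = bad password, 0xC0000234 = account locked out) and groups the hits by the machine each request came “from”, which is the next hop to chase. The log lines are constructed samples in the Netlogon.log layout, not real output.

```powershell
# Added example, not from the original post. The lines below are constructed
# samples that mimic the Netlogon.log layout; replace them with
# Get-Content C:\Windows\Debug\Netlogon.log on a real DC.
$sample = @'
03/08 18:11:53 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\meera.nair from DC07 (via WLC01) Entered
03/08 18:11:53 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\meera.nair from DC07 (via WLC01) Returns 0xC000006A
03/08 18:12:10 [LOGON] [1234] CONTOSO: SamLogon: Network logon of CONTOSO\meera.nair from WKS042 Returns 0x0
03/08 18:12:41 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\meera.nair from DC07 (via WLC01) Returns 0xC000006A
03/08 18:12:59 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\meera.nair from DC07 (via WLC01) Returns 0xC0000234
'@

function Get-NetlogonFailures {
    param([string[]]$Lines, [string]$User)
    # One regex for both plain and transitive logons; the "(via X)" part is
    # optional and only present when another DC forwarded the request.
    $rx = '^(?<when>\d\d/\d\d \d\d:\d\d:\d\d).*logon of (?<acct>\S+) from (?<from>\S+)(?: \(via (?<via>\S+)\))? Returns (?<code>0x[0-9A-Fa-f]+)'
    foreach ($line in $Lines) {
        if ($line -match $rx -and $Matches.code -in '0xC000006A', '0xC0000234' -and
            $Matches.acct -like "*\$User") {
            [pscustomobject]@{
                Time = $Matches.when; Account = $Matches.acct; From = $Matches.from
                Via = $Matches.via; Status = $Matches.code
            }
        }
    }
}

$hits = Get-NetlogonFailures -Lines ($sample -split "`r?`n") -User 'meera.nair'
$hits | Format-Table -AutoSize

# Which machine forwarded the bad passwords, and how many? That is the next
# DC (or device) to trace, exactly as the post moves from DC01 to DC07.
$hits | Group-Object From, Via | Select-Object Count, Name | Sort-Object Count -Descending
```

On the sample above the grouping returns three hits from DC07 via WLC01, which is the signal to repeat the Netlogon trace on DC07.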
In this case, you can perform Steps 6 to 12 again on DC07 and check the machine that the lockout occurs from.
In my case, I found that DC07 was receiving the lockout from a Cisco Secure ACS appliance, which helped me find that the account was being locked out due to an incorrect password used to connect to Wi-Fi from an Apple Mac device. With the help of the MAC address provided by the team that managed the ACS appliance, we identified that the user had an iPod that was trying to connect to the Wi-Fi and locking out the user due to incorrect password info…