Find out where and why an Account Lockout happened


Where Account Lockouts save us from brute force password attacks and help us standardize our environment for password policies, sometimes it can be painful to troubleshoot and find out why and where it happened. Microsoft does provide us with the ‘Account Lockout Management Tools’ suite which can be very handy to diagnose the root cause of an account lockout.

  • · AcctInfo.dll. Helps isolate and troubleshoot account lockouts and to change a user’s password on a domain controller in that user’s site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).
  • · ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.
  • · ALoInfo.exe. Displays all user account names and the age of their passwords.
  • · EnableKerbLog.vbs. Used as a startup script, allows Kerberos to log on to all your clients that run Windows 2000 and later.
  • · EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.
  • · LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed. The latest version available is 1.0.0.60.
  • · NLParse.exe. Used to extract and display desired entries from the Netlogon log files.

Unfortunately, I didn’t find good documentation of how to quickly make good use of these tools when my domain admin account started getting mysteriously locked out after I had changed my password due to the policy in place. From my experience I found Lockout Status and EventComb MT to be most useful from the suite.

I knew the common causes why my account would get locked out due to one of the reasons listed here : See this but I needed to figure out what is the offending machine or service thats providing my old credentials to a DC thats causing the account to be locked out.

I started out launching Lockout Status tool and selected my domain admin account as ‘target’ from the file menu and running it. It gave me list of all the DCs with the status of my account and more importantly the DC the lockout happened on in the ‘Orig Lock’ tab towards the right of the program screen. I then launched the Event CombMT piece and right clicked in the white space in the search area and added the DC the lockout originated at. I choose from ‘Option’ menu where I wanted to output the file as txt or CSV. I chose ‘Security’ as log files search option for all event types and then putting ’644′ as the event id and clicked on search.

It outputted the CSV file in the area I had specified and I was able to see that it found the event 644 for my ID on 6 different machines across the domain, it was listed under ‘Caller Machines Name’ column, (I know its bad administration on my part to sometimes disconnect my terminal sessions instead of logging off). Sure enough when I logged on to those machines I immediately saw the following notifications.

 

 

I had to log off and log back in to clear out the error. After that, I ran the Lockout Status tool again and noticed the lock status for my domain admin account had been cleared out.

Conclusion: Never leave your account logged on somewhere (or have a service run under your user context) and lock the machines or disconnect the remote session without logging off, and when using tools like Remote Desktops (which can be useful and allow you to have a list of machines you remote in frequently during the day), make sure you don’t save your passwords in the session configurations.

More Resources:

Download the Microsoft Account Management Tools

Technet Resource on how to maintain and manage the account lockout

WindowsSecuirty.com-Implementing and Troubleshooting Account lockout

[UPDATE] : For Windows Server 2008 R2, the event ID has changed http://technet.microsoft.com/en-us/library/dd772693%28WS.10%29.aspx

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: