Mark Minasi's Reader Forum
 User locked out after password change
rrue
Posted - 08/01/2012 : 4:48:35 PM
Hello All,

Got a user who changed his password and is now getting regularly locked out due to an unchanged password somewhere on his phone/laptop/workstation/something.

I'm attempting to identify the device from the Event Viewer on the DC that's locking him out. I can find an event 4740 showing when his account was locked out but nothing that shows the failed attempt that sparked it.

Is there some way to spot the event that will identify the device and maybe even app that's locking him out?

Hope to hear from you,

Randy in Seattle

JeffWouters
Posted - 08/02/2012 : 04:29:58 AM
I know of some issues regarding this when using Citrix CAG and/or Microsoft TMG... haven't got a clue about the solution though (my customer simply gave them a new user account.. they're into quick fixes and not finding root causes).
Finding the app that's the cause will be challenging, don't know of any way to actually do this. Finding the device however should be possible.
First, set your AD logging to verbose and search through the logs again when the issue occurs again. (PowerShell way to quickly do this: http://jeffwouters.nl/index.php/2012/05/powershell-searching-for-the-cause-of-a-user-account-that-keeps-getting-locked-out )
If you don't find anything in the logs, try taking a look at the logs of the TMG server or whatever you use to secure your remote access.

Greetsz,
Jeff.

mm_0_mm
Posted - 08/02/2012 : 10:03:57 AM
The account lockout tools from Microsoft will display the time and domain controller and source of the bad passwords...

http://www.microsoft.com/en-us/download/details.aspx?id=18465

St0ne_c0ld_316
Posted - 08/02/2012 : 12:37:55 PM
mm_0_mm is spot on.
Download the tools and LockoutStatus will tell you which DC is locking the account out.
From there you should be able to get the IP of the machine or device causing the lockout.
EventCombMT can help you if you have many domain controllers - it's already configured for that (include events 529, 644, 675, 676, and 681).
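
The event search discussed in the posts above, as an added PowerShell example that is not from any poster in this thread: it reads 4740 lockout events together with the 4771 and 4776 failed-authentication events from one DC's Security log and reports the source device recorded in each. The 4771/4776 event IDs, the field names, the function names and the sample user and workstation are assumptions that do not appear in the thread.

```powershell
# Added example, not from the thread. Assumes Server 2008 or later event IDs
# and that account-logon and account-management auditing is enabled on the DC.

# Event field that names the source device for each event type (assumption
# based on the standard Security-Auditing event schema):
#   4740 account locked out      -> TargetDomainName (caller computer name)
#   4771 Kerberos pre-auth fail  -> IpAddress
#   4776 NTLM validation attempt -> Workstation
$SourceField = @{ 4740 = 'TargetDomainName'; 4771 = 'IpAddress'; 4776 = 'Workstation' }

function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt  = ([xml]$EventXml).Event
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $id = [int]$evt.System.EventID
    [pscustomobject]@{
        TimeUtc = $evt.System.TimeCreated.SystemTime
        Id      = $id
        User    = $data['TargetUserName']
        Source  = $data[$SourceField[$id]]
        Status  = $data['Status']   # empty for 4740
    }
}

function Get-LockoutSource {
    param([Parameter(Mandatory)][string]$DomainController,
          [Parameter(Mandatory)][string]$User,
          [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
        ForEach-Object { ConvertFrom-LockoutEventXml $_.ToXml() } |
        Where-Object { $_.User -eq $User } |
        Sort-Object TimeUtc
}

# Constructed sample 4740 event (hypothetical user and workstation names),
# so the parser can be tried without a domain controller.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID>
    <TimeCreated SystemTime="2012-08-01T23:40:12.000000000Z"/></System>
  <EventData><Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-EXAMPLE</Data></EventData>
</Event>
'@
ConvertFrom-LockoutEventXml $sample
```

Against a live DC, `Get-LockoutSource -DomainController <DC name> -User <account>` lists the failed attempts that precede each lockout, pointed at the DC that LockoutStatus reports.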

JSCLMEDAVE
Posted - 08/02/2012 : 2:27:28 PM
99% of the time here, it's their iPhone, Droid or iPad using an old password.

Tim-

“This too shall pass”