If you are trying to figure out how and why your account, or someone else's in your organization, keeps getting locked out, here is one of the easiest ways of doing it. This was the case for my manager: his account would suddenly get locked out and he would need it unlocked 4 or 5 times a day, and as you can imagine he went bananas (-:
I figured this is a very common scenario and wanted to share a secret with you guys (-:, and as always the secret will be the obvious (-:
First, when an AD account gets locked out, it happens on a particular domain controller; remember, the DC is the authentication server. As you would imagine, the related event log entries get recorded on that DC, so the missing piece is: on which DC does the troubled account get locked out? Imagine you have many DCs (-:, no worries, download the Account Lockout and Management Tools from Microsoft,
extract the files on your computer,
run LockoutStatus.exe and enter the user name you are investigating.
Now that you have found out on which DC(s) the account is getting locked out, all you need to do is search for the specific event IDs to find out which machine is the caller: run EventCombMT.exe.
Pick the built-in (canned) search; it populates the search criteria for you:
1. Gets all DCs
2. Selects all DCs for searching
3. Selects the Security log
4. Selects Success and Failure audits
5. Sets the specific event IDs to 529, 539, 644
The log files for your search are written to the Temp directory. Open the logs and locate the caller machine name.
Now you know what is causing the problem: the calling machine is where the lockouts originate, and in this example it is a workstation.
You have narrowed the investigation down, and all you need to find out is whether there is a script running on this PC that could be using the user's name and password and causing the lockouts; the same goes for any application that could be doing the same thing. I recommend using Process Explorer to try to identify the source. What we ended up doing in my case was to format the workstation, because we were way too lazy (-: to troubleshoot any further!!!!
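If you would rather script the LockoutStatus plus EventCombMT steps above in one pass, here is an added PowerShell example (my own, not part of the Microsoft tools). It assumes the ActiveDirectory module is available for the DC list, that you can read each DC's Security log remotely, and that the lockout event is the classic 644 (on 2008 and later DCs the same event is logged as 4740, so the script accepts both field labels).

```powershell
# Added example (not part of the original post or the Microsoft lockout tools).
# Finds which DC locked out a user and which machine made the bad logon attempts,
# by reading the "User Account Locked Out" event from every DC's Security log.
# Assumes: ActiveDirectory module present, read rights on each DC's Security log.
param(
    [Parameter(Mandatory = $true)][string]$User,   # sAMAccountName being investigated
    [int]$HoursBack = 24                            # how far back to look
)

Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$HoursBack)
# 644 = classic (Windows 2003) lockout event; 4740 = the same event on 2008+ DCs
$lockoutIds = 644, 4740

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # Get-EventLog still works against 2003 DCs; unreachable DCs are skipped
    $events = Get-EventLog -ComputerName $dc -LogName Security -InstanceId $lockoutIds `
                           -After $since -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Keep only lockouts of the account we are investigating
        if ($e.Message -notmatch "Account Name:\s+$([regex]::Escape($User))(\s|$)") { continue }
        # 644 says "Caller Machine Name:", 4740 says "Caller Computer Name:"
        $caller = if ($e.Message -match 'Caller (?:Machine|Computer) Name:\s+(\S+)') {
            $Matches[1]
        } else {
            '<unknown>'
        }
        [pscustomobject]@{
            Time    = $e.TimeGenerated
            DC      = $dc
            EventId = $e.InstanceId
            Caller  = $caller
        }
    }
}

# DC column answers "which DC locked the account"; Caller column is the machine
# to look at next with Process Explorer (script, service, scheduled task, etc.)
$results | Sort-Object Time | Format-Table -AutoSize
```

Run it as `.\Find-Lockout.ps1 -User jdoe -HoursBack 48` (hypothetical file name) from a machine with the RSAT tools installed.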
oz Casey Dedeal,
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +