Forum Discussion

Ianlevy36
Copper Contributor
Nov 15, 2024

Account lockouts

Has anyone else noticed account lockouts propagating for no apparent reason on AD for Server 2016?

We now have multiple clients experiencing the issue, with little to go on in terms of logging.

  • kyazaferr
    Steel Contributor
    1. Review Event Viewer logs for Event ID 4740 and check the source of the failed login attempts (IP address, machine, etc.).
    2. Audit client machine configurations and ensure that no credentials are cached or stored incorrectly.
    3. Update the Account Lockout Policy to balance security and usability.
    4. Use LockoutStatus or other tools to trace back the source of the lockouts more efficiently.
  • kyazaferr
    Steel Contributor

    Check for Stale Credentials or Password Changes

    • Stale cached credentials: Sometimes, after a user changes their password, applications or services may continue to use the old password stored locally or cached on the client machine, leading to failed login attempts and lockouts.
    • Mapped drives or network shares: If users have persistent mapped drives or network shares that rely on their credentials, these can still be using old credentials if the password has been recently changed.

    Solution:

    • Ensure users are logging out and back in after a password change.
    • Review Group Policy settings related to cached credentials or logon scripts that might be using outdated credentials.

    Look for Active Sessions with Expired Credentials

    • Sometimes, there are still active sessions on old systems or applications that hold onto expired credentials. For example, if a user accesses a network resource via SMB or a legacy application that uses stored credentials, this can lead to lockouts.

    Solution:

    • Use netstat, PowerShell, or Task Manager to check for active sessions on devices that may be holding old or incorrect credentials.
    • Review Event Viewer logs for "Logon/Logoff" events and failed logins.

    Account Lockout Policy Misconfigurations

    • If the Account Lockout Policy in AD is too strict (e.g., low thresholds for failed logins or short lockout durations), this could lead to unintended lockouts, especially if users or services are hitting the limit.

    Solution:

    • Review your Account Lockout Policy in Group Policy:
      • Open the Group Policy Management Console (GPMC).
      • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
      • Check settings like Account lockout threshold, Lockout duration, and Reset account lockout counter after.

    Check for Service Account Issues

    • If service accounts (e.g., SQL, IIS, or Exchange service accounts) are used incorrectly or passwords have been changed without updating the service configuration, this could lead to lockout events as the service accounts attempt to authenticate using old or incorrect credentials.

    Solution:

    • Identify which service accounts are being used in your environment, and check their Event Viewer logs for failed login attempts.
    • Review the service configurations to ensure that all accounts are correctly updated with the correct password.


    Examine Event Logs for Detailed Information

    • Event ID 4740 (Account Lockout) is the key event to look for in the Security Event Logs on the Domain Controllers. This event will show the account name and the source of the lockout (IP address, machine name, etc.).

    Solution:

    • On the Domain Controller, open Event Viewer and navigate to:
      • Windows Logs > Security.
      • Filter for Event ID 4740 to see which accounts are being locked out.
      • Check the Caller Computer Name or Source Network Address fields to determine which machine or service is causing the lockout.

    7. Account Lockout Tools

    • Microsoft offers tools such as Account Lockout and Management Tools (ALTools), which include the LockoutStatus tool. This can help trace the source of account lockouts and provide more visibility into the problem.

    Solution:

    • Download and use LockoutStatus.exe to pinpoint the machine or service that’s causing the lockout.

    8. Network and Firewall Issues

    • Sometimes, network configurations or firewalls can cause authentication requests to be routed incorrectly, leading to failed login attempts. If your AD environment spans multiple sites or subnets, network misconfigurations can trigger lockouts.

    Solution:

    • Ensure that DNS, firewalls, and network routes are correctly configured, and that clients can reach the correct domain controllers.

    9. Group Policy or Script Issues

    • Misconfigured or outdated logon scripts or Group Policy settings may result in multiple failed login attempts due to incorrect settings or expired credentials.

    Solution:

    • Review Group Policies related to logon scripts and ensure that they are correctly configured for all users.

    10. Multi-Factor Authentication (MFA) Conflicts

    • If your environment has MFA enabled, check if any issues with authentication processes or agents could lead to repeated failed login attempts.

    Solution:

    • Look at the MFA logs and confirm that the setup is not causing delays or repeated authentication prompts.
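
The Event ID 4740 review and the follow-up on the caller machine described in the reply above can be scripted; this is an added example, not code from the thread or from Microsoft's ALTools, and the function names are mine. It assumes the RSAT ActiveDirectory module, remote Event Log access to the domain controller and the caller machine, and logon-failure auditing enabled on the caller.

```powershell
# Added example, not code from the thread or from Microsoft's ALTools.
# Assumes the RSAT ActiveDirectory module, remote Event Log access, and logon-failure auditing on the caller.

# Bad-password processing is chained to the PDC emulator, so it records every
# 4740 in the domain; summarise them per (account, caller computer) pair.
function Get-LockoutSources {
    param([int]$Hours = 24, [string]$Dc = (Get-ADDomain).PDCEmulator)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # In 4740 the "Caller Computer Name" shown in Event Viewer is the TargetDomainName field
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                LockedAccount  = $d['TargetUserName']
                CallerComputer = $d['TargetDomainName']
            }
        } |
        Group-Object LockedAccount, CallerComputer | Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'LockedAccount';  e = { $_.Group[0].LockedAccount } },
            @{ n = 'CallerComputer'; e = { $_.Group[0].CallerComputer } },
            @{ n = 'LastSeen';       e = { ($_.Group.TimeCreated | Sort-Object)[-1] } }
}

# On the caller machine, 4625 shows which logon type, process and source address
# produced the bad passwords (SubStatus 0xC000006A = wrong password,
# 0xC0000234 = account already locked, i.e. something is still retrying).
function Get-FailedLogonSources {
    param([Parameter(Mandatory)][string]$Computer,
          [Parameter(Mandatory)][string]$Account,
          [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['TargetUserName'] -ne $Account) { return }   # skip failures for other accounts
            [pscustomobject]@{
                LogonType = $d['LogonType']   # 2 interactive, 3 network (SMB, mapped drive), 4 batch, 5 service, 10 RDP
                Process   = $d['ProcessName']
                SourceIP  = $d['IpAddress']   # for type 3 this is the client that actually holds the stale credential
                SubStatus = $d['SubStatus']
            }
        } |
        Group-Object LogonType, Process, SourceIP, SubStatus | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Source'; e = { $_.Name } }
}
```

Run `Get-LockoutSources -Hours 24 | Format-Table -AutoSize` first; for a noisy pair, `Get-FailedLogonSources -Computer <CallerComputer> -Account <LockedAccount>` then tells you whether the stale credential sits in a service (type 5), a scheduled task (type 4), or on another client behind a network logon (type 3, see SourceIP).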
