I am pretty sure almost every Wintel or Service Desk engineer has run into this: a user comes to us and reports that his or her ID is locked, and he or she does not know why (or do they?).
Nevertheless, I have compiled how I checked and resolved this issue in my environment; hopefully it will help in yours too.
Issues :
Troubleshooting Account Locked
Troubleshooting
- Download Account Lockout and Management Tools from here.
- Extract it.
- Launch LockoutStatus.exe
- Go to File | Select Target...
- Enter the target user name, the domain and, if needed, alternate domain admin credentials. Press OK once done.
- Collecting data...
- Here we can see a few important pieces of info such as the DC names, ID state, bad password count, last bad password, etc. This is an example of an ID locked by a single DC (usually the PDC emulator).
This is an example of an ID locked by 2 different DCs (the PDC emulator and another DC).
Resolution :
- Take note of the time when the ID was locked (the locked Time column). Right-click on the DC and click Manage.
- The Computer Management console of that DC launches. Navigate to the Security log and choose to filter the log.
- Configure the filter as below, then press OK.
Logged : from when till when - make sure the locked time is within this timeline. I will just leave it as default.
Event ID : 4771
- The log will be filtered accordingly.
- At (normally) the exact locked time, you can see an event logged with the info below.
- Focus on the Network Information portion. It shows which device is causing the problem, identified by its IP address.
- Depending on the account lockout threshold, you may see several authentication failure events logged for the same user. In my case, the same event was logged 3 times.
- Now that we have narrowed it down to a machine, we should be able to guess why the ID was locked. If there is a disconnected session on that machine, kill it. If the user set an application to authenticate using his/her ID, then change the password / use a service ID.
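The filter-and-read steps above can also be scripted. This is an added PowerShell example, not part of the original post: it takes 4771 events as XML and counts failures per client address for one account. The function name `Get-LockoutSource`, the user `jdoe`, the addresses, the timestamps and the DC name `DC01` are constructed for illustration.

```powershell
# Added example (not from the original post): count 4771 failures per client address.
function Get-LockoutSource {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,   # one XML string per event
        [Parameter(Mandatory)] [string]   $UserName
    )
    # Kerberos failure codes commonly seen in 4771 around a lockout.
    $meaning = @{ '0x18' = 'bad password'; '0x12' = 'locked, disabled or expired' }
    $rows = foreach ($x in $EventXml) {
        $evt = ([xml]$x).Event
        if ($evt.System['EventID'].InnerText -ne '4771') { continue }
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $UserName) { continue }
        [pscustomobject]@{
            Time     = [datetime]$evt.System.TimeCreated.SystemTime
            # DCs often record IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d).
            ClientIP = $d['IpAddress'] -replace '^::ffff:', ''
            Status   = $d['Status']
        }
    }
    $rows | Group-Object ClientIP | ForEach-Object {
        $times = @($_.Group.Time | Sort-Object)
        $codes = $_.Group.Status | Sort-Object -Unique | ForEach-Object {
            if ($meaning[$_]) { "$_ ($($meaning[$_]))" } else { $_ }
        }
        [pscustomobject]@{
            ClientIP = $_.Name; Failures = $_.Count
            First = $times[0]; Last = $times[-1]; Status = $codes -join ', '
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample events (made-up user, addresses and times), trimmed to the fields used.
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
     '<EventID>4771</EventID><TimeCreated SystemTime="{0}"/></System><EventData>' +
     '<Data Name="TargetUserName">{1}</Data><Data Name="Status">{2}</Data>' +
     '<Data Name="IpAddress">{3}</Data></EventData></Event>'
$sample = @(
    $t -f '2024-03-04T01:15:02Z', 'jdoe',   '0x18', '::ffff:10.0.5.23'
    $t -f '2024-03-04T01:15:09Z', 'jdoe',   '0x18', '::ffff:10.0.5.23'
    $t -f '2024-03-04T01:15:17Z', 'jdoe',   '0x18', '::ffff:10.0.5.23'
    $t -f '2024-03-04T01:20:40Z', 'jdoe',   '0x12', '::ffff:10.0.7.80'
    $t -f '2024-03-04T01:16:00Z', 'asmith', '0x18', '::ffff:10.0.9.14'
)
Get-LockoutSource -EventXml $sample -UserName 'jdoe' | Format-Table -AutoSize
# Live use against the DC shown by LockoutStatus (DC01 is a placeholder name):
# $xml = Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = 4771 } |
#        ForEach-Object { $_.ToXml() }
```

The address with the most `0x18` failures just before the lock time is the machine to check for a disconnected session or an application with a stale password.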