Skip to main content

Troubleshoting Account ID Locked in Windows AD Domain Environment

I am pretty sure this issue occurred to almost all Wintel or Service Desk Engineers - User came to us, make a report saying that his or her ID was locked, and he or she did not know why (or did they?).



Nevertheless, I have compiled on how I checked and resolved this issue in my environment, hopefully it will help yours too.


Issues :

 Troubleshooting Account Locked

Troubleshooting 
  1.  Download Account Lockout and Management Tools from here.

  2. Get it extracted.

  3. Launch LockoutStatus.exe

  4. Go to File | Select Target...

  5. Put in target user name, domain, and if needed alternate domain admin credential. Press OK once done.

  6. Collecting data...


  7. In here, we can see a few important info such as the DC names, ID state, bad password count, last bad password, etc etc. This is the example of ID locked by a single DC (usually PDC emulator).


    This is the example of the ID locked by 2 different DC (PDC emulator and another DC).

Resolution :
  1.  Take note on the time when the ID locked (column locked Time). Right click at on the DC, and click at Manage

  2.  Computer Management console of that DC launched. navigate to Security log, and choose to filter the log

  3. Configure the filter as below, then press OK.

    Logged :     from when till when - make sure the the locked time is within this timeline. I will just leave it as default.

    Event ID : 4771
  4.  The log will be filtered accordingly.

  5.  At (nomally) exact locked time, you can see an event logged with below info 
  6. Focus on Network Information portion. It will list which device is giving the problem based on IP address.

  7.  Depending on account lockout threshold, you may see authentication failure events logged for the same user. In my case, the same event logged for 3 times.

  8.  Now we narrowed down to which machine, we should by now can guess why it locked. If there is disconnected session at that machine, kill it. If the user set an application to authenticate using his/her ID, then change the password / use service ID.
Reference 
Labels:

Comments

Post a Comment

Popular posts from this blog

How To Change NetBIOS Name of A Computer

So yes... After 4 months without new contents, so I started with this. It looks easier to do (well, it is), but before you do that, you may want to read this  to understand the difference between hostname and netBIOS, then starts to explore on when to use them, their limitations etc etc. I won't discuss here (or maybe not today). So let's back to the topic.   Description : Changing NetBIOS Name of A Computer. ComputerName : NetBIOS : How To Do :  Go to Start > Run , and type REGEDIT  Browse to Computer > HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > ComputerName > ComputerName At the right side, double click at ComputerName string, and put correct Value data . Press OK .  Then you will get this Reboot your computer / VM. Once it is up, double check your netBIOS name. New name shall be reflected
3 comments
Read more

Session Settings Not Listed in Citrix Web Interface web site.

In previous post , I mentioned on what need to be done by users in case the publsihed applications did not successfully launched in seamless mode. However, in some cases, users might not be able to see the option. This post will help to solve it. Issues : Session Settings preference is not listed in Citrix Web Interface web site. This is due to the option is not enabled. It can be checked at Citrix Web Interface Management Console. Troubleshooting   Launch Citrix Web Interface Management Console . Browse to Citrix Web Interface > XenApp Web Sites . You will see lists of created Sites.  Right click at the required farm URL.  Choose S e ssion Preference  This window will appeared. Browse to Remote Connnection > Display . You will see the option " Allow users to customize window size " is unchecked . Resolution : Check the option " Allow users to customize window size ", and press OK  Get users to refresh the Web
2 comments
Read more

Microsoft Assessment and Planning (MAP) Toolkit - Extract Report (3/4)

As mentioned in  the first post , this KB series is about Microsoft Assessment and Planning (MAP) Toolkit. There are 4 main steps : Install MAP Toolkit and its basic configuration Collect inventory Data  Extract Report Extract Advanced Report Once inventory data collected, we can generate reports. From the inventory data collected earlier, we can use options in the toolkit to generate the report. For this example, we re going to discover Windows 10 Readiness This KB is about  how to generate report from collected inventory data. At Overview page, select the targeted scenario category. In this example, it is Desktop . At this page, select specific scenario that we after. In this example, it is Windows 10 Readiness.     It is possible to customize assessment properties. The properties will set the threshold of the assessment, such as, threshold for minimum CPU speed, acceptable free disk, as well as minimum assigned RAM. To do so, select Customize assessment pr
Post a Comment
Read more