Domain Users Getting Locked

Carlosinfl

Loves the juice
Joined
Sep 25, 2002
Messages
6,633
We've installed one server with Windows Server 2003 which is running as a domain controller. I'm very annoyed due to the fact that users in the office randomly get locked and complain to me that their account's locked out. I can obviously unlock them but I can't find any location on the server logs that indicate why. There's nothing in 'Event Viewer' that explains to me why this account was locked. I'm considering ditching this server for a Linux / LDAP server since it works just as well and the log files in Linux are very detailed and verbose.

I'm obviously not sure if I'm missing something so if anyone who manages a domain controller can assist me in finding out how I can find detailed log info or basically anything that explains why users are being locked on Windows Server 2003, I would greatly appreciate it.
 
On the Domain Controller GPO, modify the Audit section: Computer Config, Windows Settings, Security, Audit (I think; it's in that area at least, I may be a bit off). Log auth attempts (Success and Failure).

Good news: this will be spread out among your DCs. But all the attempts should be against the same DC.

Now that I think about it, is this the behavior you want? If they auth fail, do you want them getting their accounts locked out? If not, that's under Comp Config, Windows Settings, Security, Account Policy, Password on the DC GPO. You may want to bump up the account auth attempts; something is trying to auth and failing, if not the user.

Finally, do you have any Linux-based devices on the network? I have seen these try multiple times per auth attempt, locking out the user. Typically with NASes, but I've also seen it with Samba boxes.
 
Grab the Account Lockout Toolkit. In the package will be a program called eventcombmt.exe -- fire it up. Select Searches, Built-In Searches, and choose Account Lockouts. You might want to just start with the DCs local to the user, then expand your search -- but choose whatever DCs you want to check. Then hit the search button. It will create a text file for each DC that you can search for the user's name. It will then tell you what machine is locking the user out.

It's probably something stupid like a saved password somewhere... this will at least tell you where the bad password is coming from.
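The two replies above describe one procedure: turn on logon/account-logon auditing on the DCs, then sweep every DC's Security log for the lockout and the bad-password events that precede it, so the "Caller Machine Name" field points at the box holding the stale credential. The script below is an added example written for this thread, not part of the Account Lockout tools or anything either poster wrote. It assumes Windows PowerShell 5.1 on a domain-joined machine (Get-EventLog reads the classic Security log of a Server 2003 DC as well as newer ones), rights to read each DC's Security log, and that the auditing from the first reply is already enabled (otherwise only the lockout event itself appears). The user name `jdoe` is a placeholder.

```powershell
# Added example (not from the thread): a scripted equivalent of the
# EventCombMT "Account Lockouts" search, extended to the failed-logon
# events that logon/account-logon auditing produces on the DCs.
#
# Event IDs searched:
#   644            account locked out   (Server 2003 DC)
#   4740           account locked out   (Server 2008 and later DC)
#   529, 675, 680  bad password / pre-auth failure (Server 2003)
#   4771, 4776     bad password / pre-auth failure (Server 2008+)
# The failure events only exist if auditing of Success and Failure is on.
$LockoutIds = 644, 4740
$FailureIds = 529, 675, 680, 4771, 4776

function Get-DomainControllerNames {
    # Plain .NET call; works without the ActiveDirectory module.
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $domain.DomainControllers | ForEach-Object { $_.Name }
}

function Get-CallerFromMessage {
    param([string]$Message)
    # 644 labels the source "Caller Machine Name", 4740 "Caller Computer Name",
    # 529 "Workstation Name", 680/4776 "Source Workstation",
    # 675/4771 only give a "Client Address". Any of these identifies the box.
    if ($Message -match '(Caller (Machine|Computer) Name|Workstation Name|Source Workstation|Client Address):\s*(\S+)') {
        return $Matches[3]
    }
    return '<unknown>'
}

function Find-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$User,
        [string[]]$DomainControllers = (Get-DomainControllerNames),
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($dc in $DomainControllers) {
        try {
            # Read only the IDs we care about from each DC's Security log.
            $events = Get-EventLog -LogName Security -ComputerName $dc -After $since `
                -InstanceId ($LockoutIds + $FailureIds) -ErrorAction Stop
        } catch {
            Write-Warning "Could not read Security log on ${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # The account name sits in the replacement strings of every ID above
            # (index 0 for most, index 1 for 4776), so test the whole array.
            if ($e.ReplacementStrings -notcontains $User) { continue }
            [pscustomobject]@{
                Time    = $e.TimeGenerated
                DC      = $dc
                EventId = $e.InstanceId
                Kind    = if ($LockoutIds -contains $e.InstanceId) { 'LOCKOUT' } else { 'BAD PASSWORD' }
                Caller  = Get-CallerFromMessage $e.Message
            }
        }
    }
}

# Usage: 'jdoe' is a placeholder for the account that keeps locking.
$hits = Find-LockoutSource -User 'jdoe' -Hours 48
$hits | Sort-Object Time | Format-Table -AutoSize
# Which machine is responsible: count failures and lockouts per caller.
$hits | Group-Object Caller | Select-Object Count, Name | Sort-Object Count -Descending
```

The per-caller summary at the end is the same answer EventCombMT's text files give you: the workstation, NAS or Samba box whose name appears on the bad-password events just before each lockout is where the saved or stale password lives. Get-EventLog was removed in PowerShell 7, so run this from Windows PowerShell; on a newer DC you can swap in Get-WinEvent, but the classic log on a 2003 DC is only reachable this way.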
 