Figuring out which task/service is locking my machine out

Discussion in 'Networking & Security' started by Trepidati0n, Aug 7, 2017.

  1. Trepidati0n

    Trepidati0n [H]ardForum Junkie

    Our IT guy is a bit swamped right now and trying to figure out how to solve this issue. Recently after a password reset something on my machine did not update with the new credentials. It was confirmed it was "my machine" doing it (not a machine I was logged onto somewhere else). Is there any guide out there to track down the offender? I have the lockout status app from MS but not sure how to use it beyond it telling me "yes, something is doing bad passwords".
     
  2. Cmustang87

    Cmustang87 [H]ardness Supreme

    If the attempt is inside your network and you are talking about domain credentials, you should be able to glean some information from the security event log on the domain controller for which it's trying to authenticate. More in-depth details and insights come from third-party tools, unfortunately... but you should be able to track hostname and other information from the event viewer on the DC.
     
  3. Biznatch

    Biznatch 2[H]4U

    ^ This. You should be able to log on any DC to see the lockout event and which actual DC server was hit to cause the lockout. Then log on that DC and see the actual failed calls that forced the lockout.

    9 times out of 10, it's something with Outlook/Exchange causing the lockout with old creds. It keeps retrying bad creds until it gets locked out. This is also why it's recommended to not have lockout turned on at the domain level, as it's more trouble than it's worth and can be used as an attack vector (locking out admins from their own accounts, etc.).
     
  4. Vengance_01

    Vengance_01 [H]ardness Supreme

    Don't forget about manually mapped network drives tied to your account if you have them.
     
  5. fluke420

    fluke420 Gawd

    Security Event Logs; Event ID 4740
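
The steps suggested in this thread, put together as an added example (not written by any poster above): read Event ID 4740 from a DC's Security log to get the calling machine, then list the places on that machine that can hold stale credentials. Assumptions: the account name `jdoe` is a placeholder, the RSAT ActiveDirectory module is available for `Get-ADDomain`, the PDC emulator is queried because lockouts are normally also recorded there, and the caller has rights to read the DC's Security log.

```powershell
# Added example. Part 1 needs read access to the DC Security log;
# Part 2 is run on the workstation that Part 1 names as the caller.
param([string]$User = 'jdoe')   # placeholder account name (assumption)

# --- Part 1: lockout events (ID 4740) on the PDC emulator ---
# Assumption: RSAT ActiveDirectory module is installed (Get-ADDomain).
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
    ForEach-Object {
        $evt = $_
        # Read EventData fields by name instead of relying on field order.
        $d = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time     = $evt.TimeCreated
            Account  = $d['TargetUserName']
            # In 4740 the caller computer name is stored in TargetDomainName.
            CallerPC = $d['TargetDomainName']
        }
    } |
    Where-Object Account -eq $User |
    Sort-Object Time -Descending |
    Format-Table -AutoSize | Out-Host

# --- Part 2: on the caller machine, places that keep saved credentials ---
# Credential Manager entries (Outlook and other apps store passwords here).
cmdkey /list

# Mapped network drives and the shares they point to.
net use

# Services configured to log on as the account.
Get-CimInstance Win32_Service |
    Where-Object StartName -like "*$User*" |
    Select-Object Name, StartName, State |
    Format-Table -AutoSize | Out-Host

# Scheduled tasks that run as the account.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$User*" } |
    Select-Object TaskPath, TaskName |
    Format-Table -AutoSize | Out-Host
```

If Part 1 returns nothing for the account, the 4740 event may have aged out of the log or been recorded on a different DC; the same query can be pointed at another DC with `-ComputerName`.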