Windows AD Account lockout numerous time a day

By Ravi Chopra | January 29, 2018

Here are the steps to troubleshoot an AD account lockout that occurs numerous times a day. They cover how to trace the name of the computer from which the account is being locked out, and how to clear the cached credentials that usually cause it.

You can use a tool like EventCombMT to connect to the event logs on the other DCs and search for a particular event ID. EventCombMT tool download: http://support.microsoft.com/kb/824209

Then go to Searches > Built In Searches > Account Lockouts, add the user ID that is frequently locking out in the text box, and click Search. You will get details of which systems the lockout is coming from.

Have you tried the Account Lockout and Management Tools?
http://www.microsoft.com/downloads/details.aspx?familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

Run LockoutStatus.exe on a domain controller to identify and investigate the account lockout.

This tool gathers and displays information about the specified user account (including domain admin accounts) from all domain controllers in the domain. In addition, it displays the user's badPwdCount value on each domain controller. The domain controllers whose badPwdCount value has reached the bad password threshold set for the domain are the ones involved in the lockout; these always include the PDC emulator operations master.

Once you have identified the domain controller that is locking out the account (you can also check the locked account on the PDC emulator), check its Security event log for event ID 4740, "A user account was locked out". The event names the computer (Caller Computer Name) from which the account is being locked out.
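The two checks above (badPwdCount on every DC, then event 4740 on the PDC emulator) can be scripted instead of run through LockoutStatus.exe. This is an added example, not code from the original post; it assumes the ActiveDirectory RSAT module is installed, that the caller can read the Security log on the PDC, and uses the sample account name `jdoe`.

```powershell
# Added example, not from the original post. Reproduces the two checks that
# LockoutStatus.exe performs using the ActiveDirectory RSAT module. Assumes
# RSAT is installed and the caller can read the Security log on the PDC.
Import-Module ActiveDirectory

$User      = 'jdoe'                                          # assumed sample account
$Pdc       = (Get-ADDomain).PDCEmulator
$Threshold = (Get-ADDefaultDomainPasswordPolicy).LockoutThreshold

# 1. badPwdCount is not replicated, so ask every DC directly. A DC whose count
#    has reached the lockout threshold is one that took part in the lockout.
Get-ADDomainController -Filter * | ForEach-Object {
    $u = Get-ADUser -Identity $User -Server $_.HostName `
                    -Properties badPwdCount, badPasswordTime, LockedOut
    [pscustomobject]@{
        DC          = $_.HostName
        BadPwdCount = $u.badPwdCount
        LastBadPwd  = $(if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) })
        LockedOut   = $u.LockedOut
        AtThreshold = ($Threshold -gt 0) -and ($u.badPwdCount -ge $Threshold)
    }
} | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize

# 2. Every lockout is written as event 4740 on the PDC emulator. In that event
#    Properties[0] is the locked account and Properties[1] the caller computer
#    name (the machine that submitted the bad passwords), which is the value
#    the post tells you to look for in the event.
$Filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -ComputerName $Pdc -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $User } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value
        }
    } | Group-Object CallerComputer |
    Select-Object Name, Count, @{n='Latest';e={($_.Group | Sort-Object Time)[-1].Time}} |
    Format-Table -AutoSize
```

The second table lists each caller computer with how many lockouts it caused in the last 24 hours, so a single machine repeating a stale password stands out immediately.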

Once the problematic computer is confirmed, we can investigate further to locate the root cause. There are many possible sources of bad passwords: cached passwords, scheduled tasks, mapped drives, services, and so on. Start by removing any previously cached password that an application may still be using, since that is a frequent cause of the lockout.

Troubleshooting steps:
1. Click Start, click Run, type control userpasswords2 (without the quotation marks), and then click OK.
2. Click the Advanced tab.
3. Click the "Manage Passwords" button.
4. Check whether any passwords for the domain account are cached. If so, remove them.
5. Check whether the problem has been resolved.

Common Causes for Account Lockouts

Programs:

Many programs cache credentials or keep active threads that retain the credentials after a user changes their password.

Service accounts:

Service account passwords are cached by the service control manager on member computers that use the account as well as domain controllers. If you reset the password for a service account and you do not reset the password in the service control manager, account lockouts for the service account occur. This is because the computers that use this account typically retry logon authentication by using the previous password. To determine whether this is occurring, look for a pattern in the Netlogon log files and in the event log files on member computers. You can then configure the service control manager to use the new password and avoid future account lockouts.

Bad Password Threshold is set too low:

This is one of the most common misconfiguration issues. Many companies set the Bad Password Threshold registry value to a value lower than the default of 10. If you set this value too low, false lockouts occur when programs automatically retry passwords that are not valid. Microsoft recommends that you leave this value at its default of 10. For more information, see the section "Choosing Account Lockout Settings for Your Deployment" in Microsoft's account lockout documentation.

User logging on to multiple computers:

A user may log on to multiple computers at one time. Programs running on those computers may access network resources with the credentials of the user who is currently logged on. If the user changes their password on one of the computers, programs running on the other computers may continue to use the original password. Because those programs authenticate when they request access to network resources, the old password continues to be used and the user's account becomes locked out. To ensure that this does not occur, users should log off all computers, change the password from a single location, and then log off and back on.

Stored user names and passwords retain redundant credentials:

If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool. For more information about Stored User Names and Passwords, see online help in Windows XP and the Windows Server 2003 family.

Scheduled tasks:

Scheduled processes may be configured to use credentials that have expired.

Persistent drive mappings:

Persistent drives may have been established with credentials that subsequently expired. If the user types explicit credentials when they try to connect to a share, the credential is not persistent unless it is explicitly saved by Stored User Names and Passwords. Every time the user logs off the network, logs on to the network, or restarts the computer, the authentication attempt fails when Windows tries to restore the connection because there are no stored credentials. To avoid this behavior, configure net use so that it does not make persistent connections. To do this, at a command prompt, type net use /persistent:no. Alternately, to ensure current credentials are used for persistent drives, disconnect and reconnect the persistent drive.

Active Directory replication:

User properties must replicate between domain controllers to ensure that account lockout information is processed properly. You should verify that proper Active Directory replication is occurring.

Disconnected Terminal Server sessions:

Disconnected Terminal Server sessions may be running a process that accesses network resources with outdated authentication information. A disconnected session can have the same effect as a user with multiple interactive logons and cause account lockout by using the outdated credentials. The only difference between a disconnected session and a user who is logged onto multiple computers is that the source of the lockout comes from a single computer that is running Terminal Services.

Service accounts:

By default, most computer services are configured to start in the security context of the Local System account. However, you can manually configure a service to use a specific user account and password. If you configure a service to start with a specific user account and that account's password is changed, the service logon property must be updated with the new password or that service may lock out the account.

Internet Information Services:

By default, IIS uses a token-caching mechanism that locally caches user account authentication information. If lockouts are limited to users who try to gain access to Exchange mailboxes through Outlook Web Access and IIS, you can resolve the lockout by resetting the IIS token cache. For more information, see “Mailbox Access via OWA Depends on IIS Token Cache” in the Microsoft Knowledge Base.

MSN Messenger and Microsoft Outlook:

If a user changes their domain password through Microsoft Outlook and the computer is running MSN Messenger, the client may become locked out. To resolve this behavior, see “MSN Messenger May Cause Domain Account Lockout After a Password Change” in the Microsoft Knowledge Base.
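Several of the causes above (services, scheduled tasks, disconnected Terminal Server sessions, persistent drive mappings and stored credentials) can be checked in one pass on the computer that event 4740 named as the caller. This is an added example, not code from the original post; it assumes an elevated PowerShell session on that computer and uses the sample account name `jdoe`.

```powershell
# Added example, not from the original post. Run on the computer that event 4740
# named as the caller, to list the places a stale password can linger (services,
# scheduled tasks, disconnected sessions, drive mappings, saved credentials).
# Assumes an elevated PowerShell session; $Account is an assumed sample value.
$Account = 'jdoe'   # assumed sample; the user part of DOMAIN\jdoe

"== Services logging on as $Account (the SCM keeps its own copy of the password) =="
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like "*\$Account" -or $_.StartName -like "$Account@*" } |
    Select-Object Name, StartName, State, StartMode | Format-Table -AutoSize

"== Scheduled tasks whose principal is $Account =="
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$Account*" } |
    Select-Object TaskName, TaskPath, State,
                  @{n='RunAs';e={$_.Principal.UserId}} | Format-Table -AutoSize

"== Disconnected RDP sessions (an old session can keep retrying a dead password) =="
quser 2>$null | Where-Object { $_ -match '\bDisc\b' }

# The remaining two checks read the per-user store, so run them inside the
# affected user's own session rather than an administrator's.
"== Persistent drive mappings =="
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status | Format-Table -AutoSize

"== Saved credentials (same store as control userpasswords2 > Advanced > Manage Passwords) =="
cmdkey /list
# A stale entry is removed with:  cmdkey /delete:<TargetName>
```

Any service, task or mapping that shows up here with the old password is a candidate for the lockout; update it with the new password or remove the entry, then watch for a fresh 4740 event before declaring the issue fixed.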
