Addressing Domain Lockouts Find effective solutions to resolve domain lock issues.
We have one specific user who locks her account out several times a day. There's no rhyme or reason why. I've done remote sessions with her to assist in updating her password. I've cleared all cached credentials from Credential Manager. I've disabled every scheduled task that ran as her domain account. There's nothing showing in the event logs for any of her lockouts. We have SolarWinds monitoring in place that knows the lockout comes from her laptop (as opposed to her phone). I'm completely at a loss for this, and several of us have tried with no luck. There's no pattern to the time in which she locks out. Is there some kind of software I can load on her laptop that will give me some details, such as what application or process is causing this to happen?
Error logs appear on the ADC for her account. For details on log formats, visit the provided link. You might consider replacing or reinstalling her PC to eliminate the issue, which would help confirm if the original machine caused the problem.
Obtain a copy of lockoutstatus.exe and determine which DC is initiating the lockout. Navigate to the controller associated with security event ID 4740. At the alert’s bottom, locate the ‘caller computer’, the device responsible for the lockout. If you lack these details, event 4776 could provide additional context.

Select a suspect device and review typical sources: Security event 4625 offers failure reasons and caller processes. Search for the process name to understand its function. If no process is found, consider these options:

- Services: filter by ‘log on as’ and verify user accounts are inactive
- Task Scheduler: ensure no scheduled tasks run under the user account
- Email: some clients rely on basic auth, so update passwords promptly
- Windows Credential Manager: clear all entries
- RADIUS wifi: disable corporate networks and re-enroll if needed
- Smartphone: reset if applicable

If no caller computer is present, disable ActiveSync and OWA in Exchange settings and check associated devices for emails. If the caller computer remains unknown, enable NTLM auditing on domain controllers and inspect logs post-lockout. Third-party solutions like ManageEngine ADAuditPlus or Lepide Auditor can assist in identifying the issue.
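The 4740 → 4625 → 4776 triage described in the reply above can be run offline over exported Security log XML. This is an added example, not code from the thread; it assumes the events were exported as XML (for instance with wevtutil), and the host, user and process names in `SAMPLE` are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timedelta
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def parse_event(xml_text):
    """Flatten one Security event as exported by wevtutil or Get-WinEvent .ToXml()."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    rec["EventID"] = int(root.findtext("e:System/e:EventID", namespaces=NS))
    rec["Computer"] = root.findtext("e:System/e:Computer", namespaces=NS)
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    rec["Time"] = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")  # UTC, fraction dropped
    return rec

def lockout_sources(xml_events, user, window_minutes=30):
    """For each 4740 of `user`, yield a tally of the failed logons that preceded it."""
    mine = [r for r in map(parse_event, xml_events)
            if r.get("TargetUserName", "").lower() == user.lower()]
    for lock in (r for r in mine if r["EventID"] == 4740):
        caller = lock.get("TargetDomainName", "")  # 4740 stores Caller Computer Name here
        recent = [r for r in mine
                  if timedelta(0) <= lock["Time"] - r["Time"] <= timedelta(minutes=window_minutes)]
        # 4625 logged on the caller computer: which process presented the bad password
        procs = Counter((r["ProcessName"], r["LogonType"]) for r in recent if r["EventID"] == 4625
                        and r["Computer"].split(".")[0].lower() == caller.lower())
        # 4776 on the DC: failed NTLM validations, the fallback when the caller is blank
        ntlm = Counter(r["Workstation"] for r in recent
                       if r["EventID"] == 4776 and r["Status"].lower() != "0x0")
        yield {"locked_at": lock["Time"], "caller": caller,
               "processes": procs.most_common(), "ntlm": ntlm.most_common()}

def _sample(event_id, computer, hhmmss, **data):  # builds a constructed event, not real log data
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="2024-01-10T{hhmmss}.0000000Z"/>'
            f'<Computer>{computer}</Computer></System><EventData>{fields}</EventData></Event>')

PC, DC, SYNC = "LAPTOP-EX01.example.test", "DC01.example.test", r"C:\ExampleSync\sync.exe"
SAMPLE = [  # constructed events; host, user and process names are placeholders
    _sample(4625, PC, "08:00:00", TargetUserName="jdoe", LogonType="2", ProcessName="-"),
    _sample(4625, PC, "09:10:05", TargetUserName="jdoe", LogonType="2", ProcessName=SYNC),
    _sample(4625, PC, "09:12:40", TargetUserName="jdoe", LogonType="2", ProcessName=SYNC),
    _sample(4776, DC, "09:14:30", TargetUserName="jdoe", Workstation="LAPTOP-EX01",
            Status="0xC000006A"),
    _sample(4740, DC, "09:15:00", TargetUserName="jdoe", TargetDomainName="LAPTOP-EX01"),
]

if __name__ == "__main__":
    print(*lockout_sources(SAMPLE, "jdoe"), sep="\n")
```

The 4625 tally is only populated when logon-failure auditing is enabled on the caller computer and its Security log is included in the export.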