There are two useful utilities: “LockoutStatus.exe”, which shows the state of a specific account on each domain controller (useful to identify which DC is locking out the account), and “eventcombMT.exe”, which gathers the event logs from all the DCs and parses them for specific events.

Although the package runs on 2008 and later OSes (you need to run it as an administrator, with read access to your domain controller event logs), it only searches for the Event IDs that were valid for Server 2003 and earlier. I suspected that he had used his account to run a service, or other automated task on a server and I needed to find out which one.

As I’d previously used the Microsoft “Account Lockout and Management Tools”, I downloaded the latest version from here ( ).

I asked him to check for any script or something he has using his account, but he said nothing he remembers. One of my colleagues’ accounts was constantly being locked out. For DC4 it has only the 4740, which just says DC4 itself. In the Windows Logs I was looking for event ID 47. So, is there another way to check the real source of blocking an account? We reverted his password back to the one before all of this started and he is fine of course, but we need to figure this out.

I tried using Wireshark to see some logs but wasn't lucky; maybe I just used a bad filter search, but for some integrations I have LDAPS. We basically use the AD users/groups for everything. We have many integrations with other applications, using the LDAP protocol to authenticate users, etc. I just logged him out and there are no more logs mentioning those 2 machines.

But he is still getting locked out in DC5, and the logs say just the computer name of the domain controller, and of course he is not logged in there. The logs were explicitly saying the machine name, so it was easy, and the domain controller for that region let's call DC4. Looking at the logs I found 2 machines where he was "disconnected" in RDP and I logged him out from there.

I have one specific user who, after he changed his password, is getting locked out (password expiration due date). I have a Windows domain with AD and it has 10 DCs in different networks. I have a big problem that I need some help with, please.