Netwrix Account Lockout Examiner: User Guide

Uploaded by

Flaviu Chincea

Netwrix Account Lockout Examiner
User Guide
Version: 5.1
7/16/2020

Legal Notice

The information in this publication is furnished for information use only, and does not constitute a
commitment from Netwrix Corporation of any features or functions, as this publication may describe
features or functionality not applicable to the product release or version you are using. Netwrix makes no
representations or warranties about the Software beyond what is provided in the License Agreement.
Netwrix Corporation assumes no responsibility or liability for the accuracy of the information presented,
which is subject to change without notice. If you believe there is an error in this publication, please report
it to us in writing.

Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix product
or service names and slogans are registered trademarks or trademarks of Netwrix Corporation. Microsoft,
Active Directory, Exchange, Exchange Online, Office 365, SharePoint, SQL Server, Windows, and Windows
Server are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries. All other trademarks and registered trademarks are property of their respective
owners.

Disclaimers

This document may contain information regarding the use and installation of non-Netwrix products.
Please note that this information is provided as a courtesy to assist you. While Netwrix tries to ensure
that this information accurately reflects the information provided by the supplier, please refer to the
materials provided with any non-Netwrix product and contact the supplier for confirmation. Netwrix
Corporation assumes no responsibility or liability for incorrect or incomplete information provided about
non-Netwrix products.

© 2020 Netwrix Corporation.

All rights reserved.

Table of Contents

1. Netwrix Account Lockout Examiner overview
   1.1. Upgrade recommendations
2. Planning and preparation
   2.1. System requirements
   2.2. Accounts and rights
   2.3. Licensing
   2.4. Target infrastructure
      2.4.1. Target systems and platforms
      2.4.2. Inbound firewall rules
      2.4.3. Ports
      2.4.4. Recommended network security settings
      2.4.5. Required audit settings
3. Examining lockouts
   3.1. Troubleshooting
4. Feature comparison of Netwrix Account Lockout Examiner 4.1 and 5.1

Netwrix Account Lockout Examiner User Guide

1. Netwrix Account Lockout Examiner overview

Netwrix Account Lockout Examiner helps IT administrators to discover why an Active Directory account
keeps locking out, so they can quickly identify the lockout reason and restore normal operations.

You can investigate lockouts originating from the following sources:

• Applications running on workstations
• Microsoft Exchange ActiveSync devices
• Microsoft Outlook Web Access (including mobile devices)
• Mistyped credentials (interactive logons with incorrect password)
• Terminal Server Sessions
• Windows Credential Manager
• Windows Task Scheduler
• Windows Services

1.1. Upgrade recommendations


Since the functionality of older and newer versions does not match one-to-one (see Feature comparison of
Netwrix Account Lockout Examiner 4.1 and 5.1), there is no upgrade path for Netwrix Account Lockout
Examiner 4.1.

Though its users can continue working with that older version, we recommend using the latest Netwrix
Account Lockout Examiner to benefit from the variety of its new features and enhanced usability.

NOTE: We welcome any feedback and ideas you might have, so you can check in on Netwrix page at
Spiceworks or submit direct feedback via this link.

2. Planning and preparation


Before you start using Netwrix Account Lockout Examiner, check the prerequisites and set up your
environment, as described in this section.

2.1. System requirements


Make sure that the machine where you plan to install the solution meets the system requirements listed
below.

Hardware:

| Specification | Requirement |
|---|---|
| CPU | min 1.5 GHz |
| Memory | 1 GB RAM |
| Disk space | 20 MB |

Software:

| Specification | Requirement |
|---|---|
| OS | Both 32-bit and 64-bit versions of the following operating systems are supported: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows 8.1 |

2.2. Accounts and rights


1. The computer where Account Lockout Examiner will run must be a member of the domain where
lockouts happen.

2. The account used to run the application must be a member of the following groups:

a. Domain Admins group (to retrieve the necessary data from domain controllers.)

b. Local Administrators group on the workstation where lockouts happen (to access the Security
event log.)

NOTE: In the environments with root/child domains, the account used to run Account Lockout Examiner
should be a member of the local Administrators group on the workstations in both root and child
domains.

2.3. Licensing
Account Lockout Examiner is shipped with a free pre-configured license that will be valid until a newer
version becomes available. You will be notified of the new version release by a corresponding message
displayed in the product. Then you will need to download that new version.

2.4. Target infrastructure


For the solution to connect to and retrieve the necessary information from the Windows machines that
may be the source of lockouts, your infrastructure should meet the requirements listed below.

2.4.1. Target systems and platforms


The following Windows machines are supported as examination targets:

• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2
• Windows Server 2012
• Windows 10
• Windows 8.1

The solution can work with the following Exchange Server versions to retrieve information needed for
lockout reason detection:

• Exchange Server 2019
• Exchange Server 2016
• Exchange Server 2013

2.4.2. Inbound firewall rules


Make sure the following Inbound firewall rules are enabled on the Domain Controllers and domain
computers:

• File and Printer Sharing (Echo Request - ICMPv4-In)
• Remote Event Log Management (RPC)
• Remote Service Management (NP-In)
• Remote Scheduled Tasks Management (RPC)
• Remote Volume Management (RPC-EPMAP)
• Windows Management Instrumentation (WMI-In)

2.4.3. Ports
The following TCP ports should be open on the Domain Controllers and domain computers:

• Port 135 — for communication using RPC
• Dynamic ports 1024-65535 — for internal communication

2.4.4. Recommended network security settings


Security research has revealed that NTLM and NTLMv2 authentication is vulnerable to a variety of malicious
attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks.

To make Windows operating system use more secure protocols (e.g. Kerberos version 5), the outgoing
NTLM authentication traffic should be disabled for the machine where Netwrix Account Lockout Examiner
will run. (See also this Microsoft article.)

For that, you need to set the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote
servers policy setting to Deny All. This can be done locally on the machine hosting Netwrix Account
Lockout Examiner, or via Group Policy.

To disable outgoing NTLM authentication traffic locally:

1. Run secpol.msc.

2. Browse to Security Settings\Local Policies\Security Options.

3. Set the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers setting to
Deny All.

To disable outgoing NTLM authentication traffic via Group Policy:

1. Open gpmc.msc.

2. Find the Group Policy Object (GPO) that is applied to the machine where Netwrix Account Lockout
Examiner runs.

3. Edit this GPO. Browse to Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options.

4. Set the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers setting to
Deny All.

5. On the machine hosting Netwrix Account Lockout Examiner run the following command via the
command prompt: gpupdate /force
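
To confirm that either procedure above took effect, the following added example (not part of the Netwrix guide) reads the registry value that this policy setting writes and summarizes recent outgoing NTLM events on the machine hosting the examiner. It assumes an elevated PowerShell session on that machine.

```powershell
# Added example: verify the effective "Network Security: Restrict NTLM:
# Outgoing NTLM traffic to remote servers" setting on the local machine.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$names = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

# The value is absent when the policy is not configured, which behaves as Allow all.
$prop  = Get-ItemProperty -Path $key -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue
$value = if ($prop) { [int]$prop.RestrictSendingNTLMTraffic } else { 0 }

"Outgoing NTLM policy: {0} ({1})" -f $names[$value], $value
if ($value -ne 2) {
    Write-Warning 'Outgoing NTLM is not set to Deny all on this machine.'
}

# NTLM operational log on the client side:
#   8001 = outgoing NTLM that would be blocked (logged under Audit all)
#   4001 = outgoing NTLM that was blocked      (logged under Deny all)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'
    Id      = 4001, 8001
} -MaxEvents 200 -ErrorAction SilentlyContinue

# Count per event ID; an empty result means no outgoing NTLM was recorded.
$events | Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
```

Reviewing the 8001 events under Audit all before switching to Deny All shows which remote servers the machine still reaches over NTLM.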

2.4.5. Required audit settings


You can configure either Advanced audit policies or Basic audit policies for the target machines. See
Scenario A or Scenario B, respectively.

Scenario A: Advanced audit policies

Enable the following Advanced audit policies for the target machines:

| Audit entry | Event ID | Success/Failure |
|---|---|---|
| Account Logon | | |
| Audit Credential Validation | 4776 | Failure |
| Audit Kerberos Authentication Service | 4771 | Failure |
| Audit Other Account Logon Events | 4776 | Failure |
| Account Management | | |
| Audit User Account Management | 4740 | Success |
| Logon/Logoff | | |
| Audit Logon | 4625 | Failure |
| Audit Account Lockout | 4625 | Failure |

Scenario B: Basic audit policies

Enable the following basic audit policies for the target machines:

| Audit entry | Event ID | Success/Failure |
|---|---|---|
| Audit logon events | 4625 | Failure |
| Audit account logon events | 4776, 4771 | Failure |
| Audit account management | 4740 | Success |
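
One way to check a target machine against the Scenario A table, as an added example that is not part of the Netwrix guide: the script compares the effective advanced audit settings reported by auditpol with the required ones. It assumes an English-language OS (auditpol subcategory names are localized) and an elevated session; the `$fix` switch is a name introduced for this example.

```powershell
# Added example, not from the Netwrix guide. Assumes an English-language OS
# and an elevated PowerShell session on the target machine.
$fix = $false   # hypothetical switch: set to $true to enable missing settings locally

# Scenario A subcategories and the audit type the guide requires for each.
$required = [ordered]@{
    'Credential Validation'           = 'Failure'
    'Kerberos Authentication Service' = 'Failure'
    'Other Account Logon Events'      = 'Failure'
    'User Account Management'         = 'Success'
    'Logon'                           = 'Failure'
    'Account Lockout'                 = 'Failure'
}

$report = foreach ($name in $required.Keys) {
    # /r prints CSV; "Inclusion Setting" is Success, Failure,
    # "Success and Failure" or "No Auditing".
    $row = auditpol /get /subcategory:"$name" /r |
           Where-Object { $_ } | ConvertFrom-Csv
    $current = $row.'Inclusion Setting'
    [pscustomobject]@{
        Subcategory = $name
        Required    = $required[$name]
        Current     = $current
        Compliant   = $current -match $required[$name]
    }
}
$report | Format-Table -AutoSize

if ($fix) {
    # Enable only what is missing; settings already broader are left alone.
    foreach ($item in ($report | Where-Object { -not $_.Compliant })) {
        $flag = if ($item.Required -eq 'Success') { '/success:enable' } else { '/failure:enable' }
        auditpol /set /subcategory:"$($item.Subcategory)" $flag | Out-Null
    }
}
```

A Group Policy Object that defines these audit settings overwrites local changes at the next policy refresh, so in a domain the lasting fix belongs in the GPO.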

3. Examining lockouts
To start using Netwrix Account Lockout Examiner, download it from the Netwrix website. Once the
download completes, run the executable from your browser menu or from your Downloads folder.

To find out why an Active Directory account was locked out, perform the following steps:

1. Set up the auditing as described in the Planning and preparation section.

2. Download the application onto a computer within the domain where lockouts happen.

3. Run the application.

4. Supply the name of the account that was locked out.

5. Specify examiner credentials – the user account that will be used to run the examination, access
domain controllers, and so on. The account must be a member of the Domain Admins group.

6. Click Examine.

Once the examination completes, you will be presented with a list of reasons why the account you supplied
is being locked out.

3.1. Troubleshooting
Log files of Netwrix Account Lockout Examiner can be found in the %ProgramData%\Netwrix Account
Lockout Examiner\Logs folder.

Symptom: In the environments with root/child domains, you may receive the “Could not query
ComputerName. Access is denied.” error.
Cause: The account used to run Netwrix Account Lockout Examiner is not a member of the local
Administrators group on the workstations in both root and child domains. Administrative rights are
required to access the Security Event logs on these workstations.
Solution: Make sure this account is included in the local Administrators group.

Symptom: Issues encountered during examination section is shown in the examination results.
Cause: Most probably this means that Netwrix Account Lockout Examiner cannot reach some of the data
sources it needs.
Solution:

• Check that you have configured the audit settings in the target domain as described in the Required
audit settings section.
• Check that network connectivity between the Account Lockout Examiner machine and the domain
controllers in your domain works properly.
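
To check both points in the second row at once, the following added example (not the product's code) reads recent lockout events (ID 4740) for one account from the domain's PDC emulator over the Remote Event Log Management channel. The account name `jdoe` and the two-day window are placeholders chosen for this example.

```powershell
# Added example, not the product's code. Run with the examiner credentials
# from a domain-joined machine.
$account = 'jdoe'   # hypothetical sAMAccountName of the locked-out account
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-2) }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Read the event fields by name from the XML rather than by position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['TargetUserName'] -eq $account) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            # In event 4740 this field holds the caller computer name.
            CallerComputer = $data['TargetDomainName']
            LoggedOn       = $e.MachineName
        }
    }
}

if (-not $lockouts) {
    # Nothing returned: auditing is off, the log is unreachable, or no lockout occurred.
    Write-Warning "No 4740 events for '$account' on $pdc. Check 'Audit User Account Management' (Success) and connectivity to the domain controller."
} else {
    $lockouts | Sort-Object Time -Descending | Format-Table -AutoSize
}
```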

NOTE: We welcome any feedback and ideas you might have. Please take a minute to check in on Netwrix
page at Spiceworks or submit direct feedback via this link.

4. Feature comparison of Netwrix Account Lockout Examiner 4.1 and 5.1

Netwrix Account Lockout Examiner 5.1 is not an evolutionary update, but rather a total revamp of version
4.1. Hence, the functionality of the older and newer versions does not match one-to-one. Feature
comparison is provided in the table below.

| Feature | Version 4.1 | Version 5.1 |
|---|---|---|
| Network/domain configuration | | |
| Support for multi-domain (Root-Child) configurations | No | Yes |
| Lockout sources | | |
| Applications running on workstations | No | Yes |
| Microsoft Exchange ActiveSync devices | No | Yes |
| Microsoft Outlook Web Access (incl. mobile devices) | No | Yes |
| Mistyped credentials (interactive logons with incorrect password) | Yes | Yes |
| Terminal Server Sessions | Yes | Yes |
| Windows Credential Manager | No | Yes |
| Windows Task Scheduler | Yes | Yes |
| Windows Services | Yes | Yes |
| User experience | | |
| Easy to install | Maybe | Yes |
| Ease of troubleshooting | Maybe | Yes |
| Workflow | | |
| Ability to unlock account & reset password | Yes | No |
| Web-based helpdesk portal | Yes (paid version only) | No |
| Email alerts | Yes | No – check Netwrix Auditor for monitoring and alerting capabilities |
| Online monitor on critical account status | Yes | No – check Netwrix Auditor for monitoring and alerting capabilities |
Users of Account Lockout Examiner 4.1 can continue using that older version, as there is no upgrade path,
just a new installation of the latest version.

We welcome any feedback and ideas you might have. You can check in on Netwrix page at Spiceworks or
submit direct feedback via this link.
