Locating Account Lockout Source

This document provides guidance on troubleshooting account lockouts in Active Directory. It recommends enabling auditing and adjusting security event log settings. It also describes several Microsoft and third-party tools that can help locate the source of lockouts, including AlTools, LockoutStatus, EventCombMT, Netwrix Account Lockout Examiner, and PowerShell. Common causes of lockouts include expired credentials from drive mappings, mobile devices, scheduled tasks, applications/services, and disconnected Terminal Server sessions. The document provides tips on investigating each potential cause.

QUICK REFERENCE GUIDE

Locating Account Lockout Source

To effectively troubleshoot account lockouts, enable auditing of account management and logon events at the domain level and adjust the Security event log settings (size and retention) as described in the "Active Directory Quick Reference Guide". Without Audit User Account Management enabled on the domain controllers, lockout event ID 4740 is never written and the tools below have nothing to search.

Microsoft Account Lockout and Management Tools

Microsoft "Account Lockout and Management Tools" include AlTools.exe. Download and install the AlTools package on your domain controller.

LockoutStatus Tool

• This tool displays the User State and Lockout Time of a locked-out account on each domain controller and lets you unlock it by right-clicking the corresponding entry.
• Run LockoutStatus.exe > File menu > Select Target > enter the Target User Name and Target Domain Name > OK.

EventCombMT Tool

• This tool gathers specific events from several different servers into one central location.
• Run EventCombMT.exe > right-click the "Select to search" field > choose Get DCs in Domain > mark the domain controllers to search.
• Click the Searches menu > Built In Searches > Account Lockouts.
  NOTE: for Windows Server 2008 and above, replace the Event ID field values with 4740 (the built-in search was written for the older event ID 644).
• Click Search and wait for the operation to complete.
• After the search is done, the output directory contains a log file for each domain controller on which events with the specified Event IDs were found.

Netwrix Account Lockout Examiner (Free Tool)

To troubleshoot lockouts more easily, download, extract and launch Netwrix Account Lockout Examiner (netwrix.com/go/ale); it locates the lockout source without bushwhacking through cryptic logs and system events.

• Specify the locked account name with the domain → if necessary, specify credentials with administrator access to your IT infrastructure → click Examine.
• Review the lockout details right in the ALE window, or get a report by clicking the View Details button.

Common Root Causes for Account Lockouts

• Persistent drive mappings with expired credentials
• Mobile devices using domain services
• Service accounts using cached passwords
• Scheduled tasks with expired credentials
• Programs using stored credentials
• Disconnected Terminal Server sessions
• Active Directory replication issues
• Misconfigured domain policy settings

POWERSHELL

• Filter the Security log for events related to a certain account. Run this on the PDC emulator, which records every lockout in the domain as event ID 4740:

  Get-EventLog -LogName Security | ?{$_.message -like "*locked*USERNAME*"} | fl -property *

  Get-EventLog exists only in Windows PowerShell (it was removed in PowerShell 7), and matching on the message text scans the whole log; filtering on event ID 4740 with Get-WinEvent is faster and returns the same events.
• Use the PowerShell script from the Netwrix article "How to Find Account Lockout Source".

NETLOGON

Netlogon is the Windows Server service that authenticates users and other services within a domain. Its debug log records NTLM pass-through authentication requests together with the client computer they came from (Kerberos failures are not in it; for those check event ID 4771 on the domain controllers), and it can help you a lot when investigating a persistent lockout.

Enable Netlogon logging (Start > Run > type in):

  nltest /dbflag:2080ffff

On current Windows versions logging starts immediately; on older systems restart the Netlogon service. Activity is then logged to %windir%\debug\netlogon.log.

NOTE: You can parse the Netlogon log with a batch script. Status 0xC000006A is STATUS_WRONG_PASSWORD and 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT:

  type netlogon.log | find /i "0xC000006A" > bad_password.txt
  type netlogon.log | find /i "0xC0000234" > user_locked.txt

Don't forget to disable Netlogon logging after you have captured the events: the logging process may slightly degrade system performance, and the log file grows quickly on a busy domain controller.

Disable Netlogon logging (Start > Run > type in):

  nltest /dbflag:0
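The PowerShell filter and the Netlogon batch parsing above both stop at finding matching lines. The following PowerShell is an added example, not code from the Netwrix guide or from its "How to Find Account Lockout Source" script: Get-LockoutSource reads event ID 4740 from the PDC emulator and reports the Caller Computer Name by field name, and Get-NetlogonFailures turns Netlogon log lines into a per-client count of wrong-password and locked-out results. It assumes the ActiveDirectory module is available for Get-ADDomain; the Netlogon lines embedded in it are constructed samples in the log's format, not captured output.

```powershell
# Added example; not part of the Netwrix guide. Two ways to locate the machine behind a lockout:
#  (1) event ID 4740 on the PDC emulator, which records every lockout in the domain;
#  (2) the Netlogon debug log enabled with nltest /dbflag:2080ffff.
# Assumptions: the ActiveDirectory module is installed (for Get-ADDomain); the sample
# Netlogon lines below are constructed, not captured from a real domain controller.

function Get-LockoutSource {
    param(
        [string]$User  = '*',                        # sAMAccountName; wildcard allowed
        [int]$Hours    = 24,
        [string]$Pdc   = (Get-ADDomain).PDCEmulator  # assumption: AD module present
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData by field name rather than by position. In 4740 the field
            # named TargetDomainName is what the rendered message shows as "Caller Computer Name".
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']
                ReportingDC    = $data['SubjectUserName']
            }
        } |
        Where-Object { $_.Account -like $User }
}

# Constructed sample in the format Netlogon writes to %windir%\debug\netlogon.log
$SampleNetlogon = @'
06/08 18:47:21 [LOGON] [1088] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-042 (via EXCH01) Returns 0xC000006A
06/08 18:47:22 [LOGON] [1088] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS-042 (via EXCH01) Returns 0xC000006A
06/08 18:47:25 [LOGON] [1088] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-042 Returns 0xC0000234
06/08 18:49:03 [LOGON] [1088] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\asmith from LT-007 (via DC02) Returns 0x0
'@

function Get-NetlogonFailures {
    param([Parameter(Mandatory)][string[]]$Lines)
    # 0xC000006A = STATUS_WRONG_PASSWORD, 0xC0000234 = STATUS_ACCOUNT_LOCKED_OUT
    $interesting = @('0xC000006A', '0xC0000234')
    $rx = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*logon of (?<acct>\S+) from (?<from>\S+)(?: \(via (?<via>\S+)\))? Returns (?<status>0x[0-9A-Fa-f]+)\s*$'
    $Lines |
        ForEach-Object {
            if ($_ -match $rx -and $Matches.status -in $interesting) {
                [pscustomobject]@{
                    Time    = $Matches.ts
                    Account = $Matches.acct
                    From    = $Matches.from   # the client that sent the bad password
                    Via     = $Matches.via    # relaying member server, if any (blank otherwise)
                    Status  = $Matches.status
                }
            }
        } |
        Group-Object Account, From, Via, Status |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Group[0].Account; From = $_.Group[0].From; Via = $_.Group[0].Via
                Status   = $_.Group[0].Status;  Count = $_.Count; LastSeen = $_.Group[-1].Time
            }
        } |
        Sort-Object Count -Descending
}

# Usage:
#   Get-LockoutSource -User jdoe -Hours 8
#   Get-NetlogonFailures -Lines ($SampleNetlogon -split "`r?`n")
#   Get-NetlogonFailures -Lines (Get-Content "$env:windir\debug\netlogon.log")
```

When CallerComputer is an Exchange, NPS or other member server rather than the user's workstation, that server only relayed the request; the Via column from that server's own Netlogon log, or its event 4776 (Source Workstation), names the real client. A blank CallerComputer is common for lockouts that reach the DC over Kerberos or LDAP; check event 4771 (Client Address) on the domain controllers for those.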
QUICK REFERENCE GUIDE

Account Lockout Troubleshooting

How to Troubleshoot Common Lockout Causes:

• Persistent drive mappings – list them in the user's session with net use or wmic netuse list brief.
• Mobile devices connected to Exchange – use the Get-ActiveSyncDeviceStatistics PowerShell cmdlet (Get-MobileDeviceStatistics in Exchange 2013 and later).
• Windows Task Scheduler – there could be a task configured to run using the problematic account.
• Applications or services – there could be a service, tool or application that is trying to run using outdated credentials. Use Process Hacker or Process Monitor to see which accounts the active processes run under.
• Stored credentials:
  • Start > Run > rundll32 keymgr.dll,KRShowKeyMgr > OK
  • One can also use Netplwiz (Windows Server 2008 or above): Start > Run > type in: netplwiz > OK, then click the Advanced tab and click Manage Passwords.

  NOTE: Credentials stored in the SYSTEM context can't be seen in the normal Credential Manager! To check for these:
  • Download Microsoft PsExec.exe and copy it to C:\Windows\System32
  • From a command prompt run: psexec -i -s -d cmd.exe
  • In the new CMD window type: rundll32 keymgr.dll,KRShowKeyMgr
  • Remove items that appear in the list of Stored User Names and Passwords.

• Terminal Server session – there could be a disconnected session that keeps authenticating with outdated credentials. To kill an RDP session, run the following commands in a command prompt (Win+R > "cmd"), replacing "server_ip", "name" and "password" with the necessary values:
  • net use \\server_ip /USER:name password – logs you in to the remote server without using RDP.
  • query session /server:name – replace "name" with the server's name; the output gives you the session ID.
  • reset session id /server:server_ip – replace "id" with the session ID; this terminates the session on the remote server.
• AD replication – the password update has not replicated to all domain controllers. To force replication, run the following command on your DC: repadmin /syncall /AdeP
• Firewall logs, ISA server logs – if your RD Gateway server is exposed to the Internet, lockouts may indicate brute-force attacks.

OTHER POSSIBLE CAUSES:

• AD Federation Services:
  • The new password was not replicated to AD Federation Services.
  • Brute-force and denial-of-service attacks on AD Federation Services.
• DCOM objects – sometimes a computer requires a restart after a user's password is changed, to apply the change to DCOM objects that use those credentials.
• RADIUS server authenticating WiFi access against AD while the user's device still presents an incorrect password.
• Web application that authenticates by attempting to bind to LDAP against a DC while the user's browser has a bad password saved in its Password Manager vault.
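The checks above for scheduled tasks, services, mapped drives and Credential Manager are manual. The following PowerShell is an added example, not code from the guide, that runs them in one pass on the suspect host for one account; the account name CONTOSO\jdoe in the usage line is an assumed example. It uses the ScheduledTasks module (Windows 8 / Server 2012 and later) and cmdkey, which lists stored targets and user names but never the secrets.

```powershell
# Added example; not part of the Netwrix guide. Enumerates the places on one host where a
# given account's credentials can be cached: scheduled tasks, services, network connections
# (mapped drives) and Credential Manager. Run it on the computer reported as
# "Caller Computer Name" in event 4740. Requires the ScheduledTasks module (Win8/2012+).
function Find-StoredAccountUsage {
    param([Parameter(Mandatory)][string]$Account)   # e.g. 'CONTOSO\jdoe' or 'jdoe'
    $pattern = [regex]::Escape($Account)
    $hits = [System.Collections.Generic.List[object]]::new()

    # 1. Scheduled tasks whose principal is the account
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            $hits.Add([pscustomobject]@{
                Kind   = 'ScheduledTask'
                Name   = $_.TaskPath + $_.TaskName
                Detail = "LastRun=$($info.LastRunTime) LastResult=0x{0:X}" -f $info.LastTaskResult
            })
        }

    # 2. Services whose logon account (StartName) is the account
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Kind   = 'Service'
                Name   = $_.Name
                Detail = "State=$($_.State) StartMode=$($_.StartMode) RunAs=$($_.StartName)"
            })
        }

    # 3. Network connections of the current session (what "wmic netuse list brief" shows)
    Get-CimInstance Win32_NetworkConnection -ErrorAction SilentlyContinue |
        Where-Object { $_.UserName -match $pattern } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Kind   = 'NetworkConnection'
                Name   = $_.LocalName
                Detail = "Remote=$($_.RemoteName) Persistent=$($_.Persistent)"
            })
        }

    # 4. Credential Manager entries of the current user. cmdkey prints "Target:" then "User:"
    #    for each entry, never the secret. Run the whole function under SYSTEM
    #    (psexec -s powershell.exe) to see the SYSTEM vault the guide warns about.
    $target = $null
    foreach ($line in (cmdkey /list 2>$null)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $target = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*User:\s*(.+)$') {
            $user = $Matches[1].Trim()
            if ($user -match $pattern) {
                $hits.Add([pscustomobject]@{ Kind = 'CredentialManager'; Name = $target; Detail = "User=$user" })
            }
        }
    }
    return $hits
}

# Usage (account name is an assumed example):
#   Find-StoredAccountUsage -Account 'CONTOSO\jdoe' | Format-Table -AutoSize
```

Remove or update every hit before unlocking the account; an entry left behind will lock it again within the lockout observation window as soon as the task, service or drive reconnects.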

CORPORATE HEADQUARTERS: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
PHONES: 1-949-407-5125; toll-free (USA) 888-638-9749; 1-201-490-8840; +44 (0) 203 588 3023
OTHER LOCATIONS: 565 Metro Place S, Suite 400, Dublin, OH 43017; 5 New Street Square, London EC4A 3TW; Spain +34 911 982608; Netherlands +31 858 887 804; Sweden +46 8 525 03487; Switzerland +41 43 508 3472; France +33 9 75 18 11 19; Germany +49 711 899 89 187; Hong Kong +852 5808 1306; Italy +39 02 947 53539
SOCIAL: netwrix.com/social
