Troubleshooting Account Lockouts

Account lockout is a Windows feature which locks a user's account after repeated logon failures. It is designed to prevent an attacker from guessing the password by brute force. The downside is that, combined with password expiry, it can generate many Helpdesk calls from users who have forgotten their new password.

Accounts can also be locked out for other reasons after a password change. For example, a scheduled task or service running under the account name will still try the old password. Remote desktop sessions and terminal server sessions that were never closed will also try to use the old password.

When an account is frequently locked out, tracking down the source of the lockouts can be difficult, depending on the size of your network. Your first task in this situation should be to download the Account Lockout and Management Tools, supplied by Microsoft and available on the Microsoft Downloads website.

The program LockoutStatus.exe will tell you on which domain controller the account is locked out and when the lockout occurred. You can then examine the event log for that server to find why the lockout happened. The application EventCombMT.exe will allow you to check the event logs of multiple computers. This has worked well for me, especially when accounts are locked out because of a service or scheduled task.
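The same event log search can be done with built-in PowerShell cmdlets. The script below is an added example, not part of the original post or of the Microsoft tools; it assumes the ActiveDirectory module (RSAT) is installed, that lockouts are recorded as event ID 4740 in the Security log of the domain controllers, and it uses a placeholder account name `jsmith`.

```powershell
# Added example: list lockout events (ID 4740) for one account on every
# domain controller, including the computer the failed logons came from.
# Requires the ActiveDirectory module and rights to read the DC Security logs.
Import-Module ActiveDirectory

$SamAccountName = 'jsmith'                 # placeholder: the locked-out account
$since  = (Get-Date).AddDays(-2)           # how far back to search
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = $since }

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName `
                               -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error when nothing matches or the DC is unreachable
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Read the named fields from the event XML instead of relying on
        # the positional order of $e.Properties
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        if ($data['TargetUserName'] -eq $SamAccountName) {
            [pscustomobject]@{
                TimeCreated      = $e.TimeCreated
                DomainController = $dc.HostName
                Account          = $data['TargetUserName']
                # In event 4740 the caller computer name is stored
                # in the TargetDomainName field
                CallerComputer   = $data['TargetDomainName']
            }
        }
    }
}

$results | Sort-Object TimeCreated | Format-Table -AutoSize
```

The CallerComputer column names the machine to check for services, scheduled tasks or disconnected sessions still using the old password.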

There is an article on WindowSecurity.com detailing the various logon types, which may also help you trace the reason for the lockouts.
