MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Troubleshooting Active Directory account lockout issues

AD and Exchange professionals often face an issue for which there is little documentation available on the internet: user account lockouts.

I know this, because I have been troubleshooting an account lockout issue for a while with minimal help. So, here we go – My guide for troubleshooting Active Directory account lockout issues

Before entering advanced troubleshooting mode we need to ensure we cover all the basics:

  1. Exchange ActiveSync mobile devices
  2. Apple MobileMe – contacts sync
  3. Applications / Web applications/ Tools which sync with Active Directory for authentication
  4. Vault for credentials in Windows Control Panel or Credential manager
  5. Stored usernames and passwords – rundll32.exe keymgr.dll, KRShowKeyMgr
  6. Rename AD Profile on the user machine

Let’s look at each in detail:

  1. Exchange ActiveSync mobile devices – Yes EAS devices, EAS devices and EAS devices. 80% of account lockout issues are caused by an “unknown” device trying to sync with your Exchange mailbox, and when you ask the user he would say – “What do you mean a mobile device – I already told ya”… :)

    DO NOT listen to the user:

    In the Exchange Management Shell, run this:

    Get-ActiveSyncDeviceStatistics -Mailbox MeeraNair

    This returns all the devices the user is using right now, plus past devices which have established a connection with Exchange at least once.

    FirstSyncTime        : 5/3/2011 2:52:38 AM
    LastPolicyUpdateTime : 3/8/2012 3:32:24 PM
    LastSyncAttemptTime  : 3/8/2012 6:11:53 PM
    LastSuccessSync      : 3/8/2012 6:11:53 PM
    DeviceType           : iPhone
    DeviceID             : Appl6DxxxxxxS
    DeviceUserAgent      : Apple-iPhone3C1/901.405
    Identity             : Meera.Nair@msexchangeguru.com\AirSync-iPhone-Appl6DxxxxxxS

    FirstSyncTime        : 7/7/2011 1:38:44 AM
    LastPolicyUpdateTime : 3/8/2012 6:14:20 PM
    LastSyncAttemptTime  : 3/8/2012 7:34:09 PM
    LastSuccessSync      : 3/8/2012 7:34:09 PM
    DeviceType           : iPhone
    DeviceID             : Appl6QxxxxxxS
    DeviceUserAgent      : Apple-iPhone3C1/901.405
    Identity             : Meera.Nair@msexchangeguru.com\AirSync-iPhone-Appl6QxxxxxxS

Now, educate the user that these are the devices which are syncing with his mailbox and they have his username and password stored. So, look at the LastSyncAttemptTime and make sure it is not an EAS device which is trying to authenticate him.

2. Apple MobileMe – Contacts sync – Check and ensure the user hasn’t configured MobileMe to sync his contacts from Outlook. If this is configured with AD credentials, it can be a reason for account lockout.

3. Applications / Web applications / Tools which sync with Active Directory for authentication: You heard it right. There might be third-party applications running which have the AD username and password stored, and a lot of the time, the moment the user opens Internet Explorer or another browser, the application or the tool, it will try to authenticate in the background and lock the account.

4. Vault for credentials in Windows Control Panel or Credential manager: This is the second most obvious reason the user might get locked out. In my case, the user had an intranet SharePoint web portal and the AD credentials were cached in Credential manager. To open credential manager:


Make sure the Windows Credentials area is empty.

    

5. Stored usernames and passwords – This shouldn’t be a problem in most cases, but better safe than sorry. Open a Run window, type rundll32.exe keymgr.dll, KRShowKeyMgr and delete stored passwords, if any.

6. Rename AD Profile on the user machine: This is more like trying to fix the issue without knowing what’s causing it. This is under the assumption that the account lockout happens when the user is logged into his client machine. If the account lockout is caused by an application or “something” on that machine, rename the user’s AD profile folder on the client (under “Documents and Settings” in XP, or “Users” in Win7), advise the user to log in again and monitor the situation.

Now let’s look at some advanced troubleshooting steps.

Using the Microsoft Lockout Status tool

  1. Download the Lockout Status tool from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465 into a new folder on a client machine.
  2. After extracting the downloaded file, you will have the files below:

3. Open LockOutStatus.exe and click File –> Select Target As, type the username (User Logon Name) of the account which is getting locked out as Target User Name, and click OK as indicated below:



Please ensure that the tool is running on any machine

4. This will then process the records through all the domain controllers. You can keep a close eye on the column Bad PWD Count.

5. If the account gets locked out frequently, the Bad Password count keeps increasing. Make a note of the GC which indicates a Bad PWD Count of any value more than 0. Also note that the same value will be indicated by the primary domain controller in the domain, which can be ignored.

In this case, I will log in to DC01 and all the domain controllers in this site and set the following registry value:

  • Open regedit with an account that has necessary permissions and move to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

  • Create a new DWORD Value with the name DBFlag and a Hexadecimal value 2080ffff.
6. Once this is set, restart the Netlogon service on DC01 and then wait for the account to lock out.
7. Once the account locks out, confirm the domain controller that locked out the account again from LockoutStatus.exe, and take the Netlogon.log file from C:\Windows\Debug.
8. Bring the Netlogon.log to the client machine which has the Lockout Status tool installed and open nlparse.exe from the Lockout Status Tools download.

Click File –> Open and browse to the Netlogon.log location.


9. Once the file is selected, choose the 2 status codes 0xC000006A and 0xC0000234 and click Extract.

Once the extraction is complete, it will show a pop-up as indicated below:

10. There will be 2 new files in the location of the Netlogon.log file in the Client machine – A new CSV and a summary output file.

11. Open the CSV file and filter the User Alias for the recent lockout:


This indicates that DC01 received the lockout from DC07.

In this case, you can perform Steps 6 to 12 again on DC07 and check the machine that the lockout occurs from.
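
The filtering that nlparse performs in steps 9 to 11 can also be done directly in PowerShell. The following is an added example, not part of the original article or the Lockout Status tools: it pulls the 0xC000006A (wrong password) and 0xC0000234 (account locked out) entries for one user out of Netlogon.log lines and counts them per source. The function name, the EXAMPLE domain, the ACS01 and WKS042 host names and the sample lines are constructed, and the line layout in the regex is an assumption to check against your own log.

```powershell
# Added example (not from the article): summarise bad-password and lockout
# entries from Netlogon debug log lines, per source machine / forwarding DC.
# Assumed line layout (check against your own Netlogon.log):
#   MM/DD HH:MM:SS [LOGON] SamLogon: [Transitive] Network logon of DOM\user
#   from HOST [(via DC)] Returns 0x........
function Get-NetlogonLockoutEntry {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowEmptyString()][string]$Line,
        [string]$User = '*'        # substring of the account name to keep
    )
    begin {
        # The two status codes the article selects in nlparse.
        $meaning = @{ '0xC000006A' = 'Wrong password'
                      '0xC0000234' = 'Account locked out' }
        $pattern = '^(?<When>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?logon of (?<Account>\S+) ' +
                   'from (?<Source>\S*)(?: \(via (?<Via>[^)]+)\))? Returns (?<Status>0x[0-9A-F]{8})'
    }
    process {
        if ($Line -match $pattern -and $meaning.ContainsKey($Matches.Status) -and
            $Matches.Account -like "*$User*") {
            [pscustomobject]@{
                When    = $Matches.When
                Account = $Matches.Account
                # An empty workstation field is reported as (blank), not dropped.
                Source  = if ($Matches.Source) { $Matches.Source } else { '(blank)' }
                Via     = $Matches.Via
                Status  = $Matches.Status
                Meaning = $meaning[$Matches.Status]
            }
        }
    }
}

# Constructed sample lines; for a real log use:
#   Get-Content C:\Windows\Debug\Netlogon.log | Get-NetlogonLockoutEntry -User MeeraNair
$sample = @'
03/08 18:11:40 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\MeeraNair from ACS01 (via DC07) Entered
03/08 18:11:40 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\MeeraNair from ACS01 (via DC07) Returns 0xC000006A
03/08 18:11:52 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\MeeraNair from ACS01 (via DC07) Returns 0xC000006A
03/08 18:12:05 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\MeeraNair from  (via DC07) Returns 0xC0000234
03/08 18:12:30 [LOGON] SamLogon: Network logon of EXAMPLE\OtherUser from WKS042 Returns 0xC000006A
03/08 18:13:00 [LOGON] SamLogon: Network logon of EXAMPLE\MeeraNair from WKS042 Returns 0x0
'@ -split "`r?`n"

$sample | Get-NetlogonLockoutEntry -User 'MeeraNair' |
    Group-Object Source, Via, Meaning | Sort-Object Count -Descending |
    Select-Object Count, Name
```

In the sample, the Via column names the domain controller that passed the logon along, which is the next machine to repeat the procedure on, and Source is the device to investigate.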

In my case, I found that DC07 was receiving the lockout from a Cisco Secure ACS Appliance which helped me find that the account was being locked out due to incorrect password to connect to Wi-Fi from a MAC Apple Device. With the help of the MAC Address provided by the Team that managed the ACS Appliance, we identified that the user has an iPod that was trying to connect to the Wi-Fi and locking out the user due to incorrect password info…

Again, if none of this works contact Microsoft PSS.

Meera Nair

Team@ MSExchangeGuru


29 Responses to “Troubleshooting Active Directory account lockout issues”

  1. Wizkid Says:

    Good one Meera

  2. Seneej K Kareem Says:

    Well explained.

  3. Mohammad Darwish Says:

    Thank you for your great job

  4. Sunder Says:

    Good One

  5. John Ranjith Says:

    Good one

  6. Raj Says:

    Thanks for the insight, I believe this is the common problem we have been dealing with MS released AD. I would appreciate if gurus would provide some insight how to make this task automatic using script to alert administrators with complete report.
    Thanks again..

  7. Wane Says:

    really helpful Thank you

  8. syed Says:

    Hi Guru,

    Good information provided, can u pls provide script for resolving Account lockout boz every 2 Hours users call A/C lockout.

  10. sunsky Says:

    Great!! saved me from wasting my time 🙂

  11. Ramil Says:

    Thank you very much. We’ve been having a problem with one user that keeps getting locked out, and your article helped us realize that the culprit is his iPhone.

  12. diaa Says:

    thanQ

  13. Roy Says:

    Great info! Last Friday only, I got a very much similar issue. So, was thinking hard on what can be causing that. Can’t just wait to resolve this thing now. Hopefully all this bunch of info will somewhere lead to its closure. Thanks!

  14. Johngy Says:

    Great Info Mera, rocks 🙂

  15. Khalid Ahmed Says:

    Excellent Mate. Now that’s what I call a good troubleshooting day.

  16. dagnoko Says:

    Thank you for this excellent post; I figured out the machine sending the wrong credentials, cleared the windows credential cache..but I think an application is still sending credentials…is there a way to spot it? or any idea how to reset all connections?

    Thank you in advance for your help

  17. Andrew Says:

    Any suggestions for if the source computer field in the CSV file from nlparse is blank?

  19. nobla Says:

    Great article, love the bit that says “DO NOT listen to the user” I checked the users personal phone and they had set up a connection on that. Problem solved!

  20. Deepak Says:

    I know this is an old post. But I came here searching for this very reason.

    Though we have a help desk in the company they were also losing patience with me as I call them everyday.

    My problem was a mobile phone OWA client which I had configured long back but not using now.

    Thanks so much for this info. Excellent in depth analysis.

  21. Tharun Bavananth Says:

    HI,

    We at Kinixsys solutions have developed a tool called “active Assist” which assists in solving the Active directory user account problems such as password reset problems, account lock problems and many more relative issues without breaching the security standards of the Industry.

    For more information regarding the same please do write to us at

    tharun.b@kinixsys.com

  22. Raul CG Says:

    Amazing! Thank you for this post, it saved me, I was 4 hours troubleshooting through our 3 DC’s and finally the point #5 solved the issue, it was weird as when I was prompted I set up the same current password and anyway my account got locked up.

    Thank you!!!!

  23. Jaidev Says:

    Nice!!! Great explanation…

  24. Siddhant Says:

    Awesome explanation.

    Thank you but my user issue still not resolved.

  25. Jordan Says:

    Great post. Saving me from tons of trouble….

  26. andresparnova Says:

    Nice article !
    Here is another informative resource which summarizes the steps to identify the source of account lockout in active directory – https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory

  27. Prabhat Nigam Says:

    then you might need some additional help. Open a ticket with Microsoft or look for professional services.

  28. builimrevk Says:

    Thanks, this site is extremely useful

  29. Kam Says:

    Guru peeeeeeeeeeeeeeeeerrrrrrrrrrrfact…

    How sweet….
