Active Directory Account Lockout

Anyone using any tools that are better than Microsoft's Account Lockout tools?

The Microsoft tools are a good help in determining the computer the lockouts are occurring from; however, I think there could be better tools for determining the computer, IP, and process causing the lockout at the time of lockout, versus identifying the lockout and then running tools to determine the process the lockout is coming from if the account gets locked out again.

For those that need something and don't have anything:

http://www.microsoft.com/en-us/download/details.aspx?id=18465

To have eventcombmt.exe run properly in a 2008+ server environment, you will have to run it as administrator, not use the built-in search for account lockouts, and put the user name in the text field. If you need help with this I can help; it is easy to get started with it. But again, I am looking for something better than this; if you have nothing, this is a good tool set to have.


There are probably tons of tools with all-in-one that provide that information. Solarwinds probably has a solution for that.

Where I work I find it pretty easy to get that information, as long as you have a timeframe.

I use the LockoutStatus tool to find out where the bad passwords came from. Then you have a DC and a timeframe. Check the event logs on the DC and then you have the process and source IP.

They are now finishing the implementation of a tool from ArcSight that is supposed to provide all this information in one place (essentially a monitoring tool).


I have been through the event logs around the time of lockout, and short of the computer name that the lockout is occurring from, there isn't enough information to go on regarding what caused the lockout (whether it be a call from webmail, a call from an actual computer logging in at boot up, a call from a service, a call from a scheduled application, etc.). Need accuracy, not speculation or hypothesis. For instance, I have a MacBook that seems to have caused the lockout. The MacBook cannot log on to the network: between the MAC addresses not being allowed on the LAN and the computer not being able to join the domain by itself and be put in a specific group that would give it access, it cannot have a direct connection to the network. The MacBook can log on through the web to access webmail; that is about it. There isn't enough information to be able to determine that is the cause, and that is the only way that this computer can attempt to log on.


  • 4 weeks later...

Anyone mind posting some of these awesome tools that are out there?

I used the mentioned stuff and found some info, but as sc203 says, it doesn't give enough info.

I have 2 users now that keep getting locked out, so I'm trying to find out too.

---------------------

Also Moved to Server Support.


I usually see the machine in the DC logs; then I proceed to find whether it's an app (that has cached creds) or whether Windows, for some reason, stored creds and didn't update them (I delete the stored creds). Works every time.


I ended up reimaging the troubled computers. Nothing in cached creds, nothing in services, no mapped network drives as the user. There was something on two computers that was the root cause, which disappeared after reimaging, but I couldn't find it after an hour of searching. Another hour and the computers were reimaged, updated, and ready for user use. Need to find the cause fast, because imaging so far is the fastest resolution.


  • 2 months later...

Roger, this may help you out with account lockouts; you won't have to wait for users to contact you.

Create a scheduled task on your AD servers (all domain controllers) to send an email alert to you via your mail server.

Start by making a PowerShell script: open up Notepad and paste the following in, changing items as needed. The path and file name that I used in this example will be c:\scripts\acc_lockout.ps1

# Grab the newest "A user account was locked out" event (ID 4740) from the Security log
$Event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1
# Mail body: the full event text (locked account and caller computer name) plus the timestamp
$MailBody = $Event.Message + "`r`n`t" + $Event.TimeGenerated

$MailSubject = "User Account locked out"
# Plain SMTP relay; change the host, sender and recipient to match your environment
$SmtpClient = New-Object system.net.mail.smtpClient
$SmtpClient.host = "mailserver.domain.local"
$MailMessage = New-Object system.net.mail.mailmessage
$MailMessage.from = "AcctLockNotify@domain.com"
$MailMessage.To.add("roger_h@domain.com")
$MailMessage.IsBodyHtml = $false
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody
$SmtpClient.Send($MailMessage)

You can create an XML file and import it into your scheduled tasks with the code below. It will call PowerShell and run the script c:\scripts\acc_lockout.ps1 each time event 4740 is written to the Security log.

<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2015-01-30T11:46:23.8986253</Date>
    <Author>sc302</Author>
  </RegistrationInfo>
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[EventID=4740]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>domain\userid</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>false</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Command>
      <Arguments>-file C:\Scripts\acc_lockout.ps1</Arguments>
    </Exec>
  </Actions>
</Task>

Finally, you will need to change the PowerShell execution policy to unrestricted by running this in a PowerShell prompt on the server:

Set-ExecutionPolicy Unrestricted

Once completed, it will immediately send a message to your mail server when a user account lockout occurs.

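The alert above mails the raw 4740 text, which only names the caller computer. The earlier advice in this thread was to check the DC's own log for the bad-password events around that time; the following is an added example (not code from any poster) that does exactly that on the DC that recorded the bad passwords. It assumes the lookback window of 30 minutes covers your lockout observation window, and that the script runs elevated so it can read the Security log.

```powershell
# Added example: find the account, caller computer and likely source of the most
# recent lockout from the DC's own Security log. Run elevated on the DC.
# Assumption: the default 30-minute lookback matches the lockout observation window.
param([int]$LookbackMinutes = 30)

function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4740 = "A user account was locked out". TargetUserName is the locked
# account; TargetDomainName carries the "Caller Computer Name".
$lockout = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 1 -ErrorAction Stop
$user    = Get-EventField $lockout 'TargetUserName'
$caller  = Get-EventField $lockout 'TargetDomainName'
$when    = $lockout.TimeCreated

# Bad-password attempts that preceded the lockout:
# 4771 = Kerberos pre-auth failed (Status 0x18 = bad password, carries IpAddress)
# 4776 = NTLM credential validation (Status 0xC000006A = bad password, carries Workstation)
$attempts = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4771, 4776
    StartTime = $when.AddMinutes(-$LookbackMinutes); EndTime = $when
} -ErrorAction SilentlyContinue

$sources = foreach ($a in $attempts) {
    if ((Get-EventField $a 'TargetUserName') -ne $user) { continue }
    $status = Get-EventField $a 'Status'
    if ($a.Id -eq 4771 -and $status -ne '0x18') { continue }
    if ($a.Id -eq 4776 -and $status -ne '0xc000006a') { continue }
    # Kerberos logs an IPv4-mapped IPv6 address; strip the prefix for readability
    if ($a.Id -eq 4771) { $src = (Get-EventField $a 'IpAddress') -replace '^::ffff:', '' }
    else                { $src = Get-EventField $a 'Workstation' }
    [pscustomobject]@{ Time = $a.TimeCreated; Event = $a.Id; Source = $src }
}

"Locked account : $user"
"Caller computer: $caller at $when"
# One row per source, most frequent first: this is the host to inspect for
# stale cached creds, services or scheduled jobs using the old password
$sources | Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } }
```

If the 4740 event came from the PDC emulator but the bad passwords were validated elsewhere, run it on the DC that LockoutStatus reports as the one with the bad-password count.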
