(Updated) Active Directory: Account Lockout issues

Update: See the bottom of this blog on how to search SCOM event on account lockout.

When yours or user’s account locked out frequently how do you find out which computer is sending bad passwords? I got few unconventional methods apart from Microsoft’s recommendations.

First method is throw up your hands & say “I don’t know”. Just kidding . Microsoft suggests to use lockoutstatus.exe tool to see which domain controller is logging bad passwords and search the Security event log on the specific domain controller. The problem is lockoutstatus tool is NOT accurate most of the times. It doesn’t work correctly on Windows 2008 R2 domains.

You can search Event ID 4740 yourself on closest domain controller by yourself. This event ID should have the computer name which originates the bad passwords. The sample event ID 4740 looks like this:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/24/2011 7:05:54 PM
Event ID:      4740
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DomainController1.company.com
Description:
A user account was locked out.

Subject:
    Security ID:        SYSTEM
    Account Name:        DC2$
    Account Domain:        COMPANY
    Logon ID:        0x3e7

Account That Was Locked Out:
    Security ID:        COMPANY\JohnDoe
    Account Name:        Johndoe

Additional Information:
    Caller Computer Name:    \\johndoe-pc

Once you figure out the computer name, you have to check the computer for possible programs or software that locks out the computer. Check the following usual suspects,

1. Manually mapped network drives
2. Cached passwords (Credentials Manager in Windows 7, Manage passwords in Windows XP)
3. Any disconnected Remote Desktop sessions on possible servers

There is a handy-dandy powershell command I use to get the event id 4740 from the domain controllers from my laptop. Run the following commands on a Active Directory Module for Powershell (meaning Remote Server Administration Tools needs to be installed on the local computer).

Get-EventLog –ComputerName DomainControllerName -LogName Security | Where-Object {$_.EventID -eq 4740} | fl

The problem with security log on domain controllers are it rolls out very quickly. You could run the above command and collect the results on a text file, so you can have at least week worth of collected logs for troubleshooting. Or if you have SCOM servers, you can collect the event logs to SCOM database as it logged on the domain controllers.

I like my SCOM server is collecting Event Id 4740s from all domain controllers in the enterprise and save it for 3 months.  The results is searchable, alert-able and very easy to use.

If you like the SCOM idea, read further.

First you have to create a event log collecting rule. Follow the steps to author the performance collecting rule.

1. Open Operations Manager Console.
2. Click on Authoring section.
3. Click to select Rules under Management Pack Objects.
4. Click on Create a Rule on Action pane (or right click on Rule and select Create a Rule).
5. On Select a Rule Type section, expand Collection Rules –> Event Based –> NT Event Log.
6. Optional: Select your custom management pack.
7. Click Next.
8. On General section, type the rule name something descriptive. Select Event Collection as Rule Category. Select Rule Target as Active Directory DC and Global Catalog Server Role for appropriate server version.
9. Click Next.
10. On Event Log section, click on … button and select computer as one of your domain controller and select Security event log from the list.
11. Click Next.
12. On Build Event Expression section, type Event ID Equals 4740. Select Event Source and click Delete.
13. Click Create.

That’s all. Give it enough time for all domain controllers get the new rule. When any account gets locked out, you can see an Alert in Monitoring section with all details in the event log including the computer that sends bad passwords.

 

How to search SCOM alerts for specific account?

It’s really sad that Microsoft SCOM console doesn’t provide a way to search in description field. Search terms are pretty basic like rule name or server name. But Operations Manager Shell comes to the rescue. Here is how you can search a specific account in SCOM alerts.

Type the following command in Operations Manager Shell (poweshell).

get-alert | where {$_.Context -like "*username*"} | fl Parameters

e.g., get-alert | where {$_.Context -like "*JohnDoe*"} | fl Parameters