How to Track Down Active Directory Account Lockouts

Active Directory account lockouts can be annoying, or in some cases cause complete work stoppages. I have seen constant account lockouts (every second or two) and sporadic lockouts that may happen once or twice a day. Either way, we need a way to figure out what is causing the lockouts. Here is a guide to tracking down the source of them.

Troubleshooting Account Lockouts

Download and Install Microsoft’s Account Lockout Tool

http://www.microsoft.com/en-gb/download/details.aspx?id=15201

Launch the Account Lockout Tool

When you install the lockout tool (the download is the "Account Lockout and Management Tools" package; the program you want is LockoutStatus.exe), it does not create a shortcut, so you will need to go find it.

Go to C:\Program Files (x86)\Windows Resource Kits\Tools on 64-bit PCs or C:\Program Files\Windows Resource Kits\Tools on 32-bit PCs and run LockoutStatus.exe.


Search for Lockouts and Bad Password Attempts

Now that you have the lockout tool launched, we will need to search the Domain Controllers for lockouts.

Go to File > Select Target


Now enter the user's username and domain in the Target User Name and Target Domain Name fields. Check "Use Alternate Credentials" to run the query as an admin account that has rights to read the user's attributes on every domain controller. Click OK and you should see results like the screenshot below.

Now that we can see the results, we want to look at the "Bad Pwd Count" and "Last Bad Pwd" fields. These counters are not replicated between domain controllers, which is why the tool queries each DC separately and shows one row per DC. Look for the most recent "Last Bad Pwd" and focus on that domain controller. In my example the DCs' names have been taken out to protect their identity, but you will see each DC in your domain listed. Once you find the one with the latest "Last Bad Pwd", you will focus on that DC.

Examine the Logs

Now you want to connect to the Event Viewer on the DC with the latest "Last Bad Pwd". You can do a Remote Desktop Connection, or you can simply connect from your own Event Viewer using Action > Connect to Another Computer.

Once you are in Event Viewer, you will want to take a look at the Security log. The easiest way is to use the filter on the right side of your screen and filter for Event ID 4771 (Kerberos pre-authentication failed) on Server 2008 and later. If the bad attempts are coming in over NTLM rather than Kerberos (common for older devices and saved credentials), they show up as Event ID 4776 instead, so filter for both. If you are still using Server 2003 then shame on you!, but there you will need to search for Event ID 675 (the Kerberos equivalent) and 529 (the NTLM logon failure). Failure code

Once you filter the log, you should be able to use the time from the Account Lockout tool to find your entry. Once you find it, you will see the account name listed in the event details (the event records the account that failed, not the password that was tried).


Scroll down and verify the Failure Code of 0x18 (KDC_ERR_PREAUTH_FAILED, meaning a wrong password; other codes such as 0x12 mean the account is already locked or disabled and do not tell you who sent the bad password). You will also see the Client Address listed. Once you have the client IP address, go to that client PC and clear out anything that may still be using old credentials: saved passwords in Credential Manager, mapped drives, scheduled tasks and services running under the account, disconnected RDP sessions, and any phone or mail client with a cached password. One caveat: if the client address belongs to a server that authenticates on behalf of others (a terminal server, VPN gateway, web or mail server), that server is only the relay, and you will need to look at its own logs to find the device actually sending the bad password.
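The same three steps can be scripted. The following PowerShell script is an added example and is not part of the original post or of Microsoft's tool: it reproduces what LockoutStatus.exe shows (badPwdCount and lastBadPasswordAttempt from every DC), then pulls the matching 4771/4776 failure events from the DC with the latest bad password and from the PDC emulator, and finally reads the 4740 lockout event on the PDC, which names the calling computer directly. It assumes the ActiveDirectory RSAT module is installed, that the account running it can read the Security log on the DCs over RPC (the "Remote Event Log Management" firewall rule), and that $User is the sAMAccountName of the locked-out user; the $HoursBack window is an arbitrary default.

```powershell
# Added example (not from the original post or Microsoft's Account Lockout Tool).
# Assumptions: ActiveDirectory RSAT module, rights to read each DC's Security log
# over RPC, and $User is the sAMAccountName of the locked-out account.
param(
    [Parameter(Mandatory)][string]$User,
    [int]$HoursBack = 24    # arbitrary search window, assumption
)
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Step 1: the data LockoutStatus.exe shows. badPwdCount and badPasswordTime are
# NOT replicated, so every DC has to be queried individually.
$status = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $User -Server $dc -Properties badPwdCount, lastBadPasswordAttempt, lockoutTime
        [pscustomobject]@{
            DC          = $dc
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = $u.lastBadPasswordAttempt
            LockedOut   = ($u.lockoutTime -gt 0)
        }
    } catch {
        Write-Warning "Could not query $dc : $_"
    }
}
$status | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize

# Step 2: look at the DC with the most recent bad password, plus the PDC emulator
# (DCs forward bad passwords to the PDC, so it usually sees every attempt too).
$target = ($status | Sort-Object LastBadPwd -Descending | Select-Object -First 1).DC
$pdc    = $domain.PDCEmulator
$since  = (Get-Date).AddHours(-$HoursBack)

# Pull one named field out of an event's EventData XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4771 = Kerberos pre-authentication failed; Status 0x18 = wrong password.
# 4776 = NTLM credential validation;        Status 0xC000006A = wrong password.
$filter = @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since }
$hits = foreach ($dc in @($target, $pdc) | Select-Object -Unique) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            (Get-EventField $_ 'TargetUserName') -ieq $User -and
            ((Get-EventField $_ 'Status') -in '0x18', '0xc000006a')
        } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Id     = $_.Id
                # 4771 carries the client IP; 4776 carries the workstation name instead.
                Source = if ($_.Id -eq 4771) { Get-EventField $_ 'IpAddress' } else { Get-EventField $_ 'Workstation' }
            }
        }
}
$hits | Sort-Object Time -Descending | Format-Table -AutoSize

# Step 3: the 4740 lockout event is logged on the PDC and names the caller
# computer directly (it is stored in the TargetDomainName field of the XML).
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -ieq $User } |
    ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; CallerComputer = Get-EventField $_ 'TargetDomainName' } } |
    Format-Table -AutoSize
```

Run it as `.\Find-LockoutSource.ps1 -User jdoe` from a domain-joined admin workstation. The Source column from step 2 is the same client address you would read off the 4771 event in Event Viewer; the 4740 CallerComputer from step 3 is the quickest confirmation when the 4771 address turns out to belong to a relay such as a terminal server.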


That is it. You have found the device causing the lockouts. Be vigilant and update all of the stored credentials on that PC or device, then re-run the lockout tool to confirm the "Bad Pwd Count" stops climbing.

I have been an IT professional for 12 years now. I have been building websites for 15 years, and I have done Social Media management for 5 years. I am currently training to do ethical hacking using penetration testing and various tools. I am hoping to be a certified Ethical Hacker by the end of 2016.

