Account lock-outs on AD.

Our support desk has been experiencing a number of consistent account lock-outs for some time now. It appears to be the same users all the time, of which there are around 10.

The other 400+ users don't experience the problem.

This is a Windows 2003 AD Domain with around 55 DCs; the above users with problems aren't using the same DC to authenticate.

Any ideas where to look or what to look at because event logs don't really reveal anything and our Windows engineers have run out of ideas? :confused:
 
I assume you're logging login attempts on the DCs, in which case is there any information to go on there?
 
Had a similar thing with accounts being locked out in this situation as they were trying to authenticate with a proxy server on another domain. This kept failing transparently and locked the accounts out.

- Pea0n
 
Had a similar thing with accounts being locked out in this situation as they were trying to authenticate with a proxy server on another domain. This kept failing transparently and locked the accounts out.

- Pea0n

How did you go about diagnosing and fixing that? It could possibly be happening to us as it does seem related to intranet access (i.e. that's the first thing they lose and hence realise they're locked out).
 
Could be a virus as well, Conficker locks out accounts :(
 
I'd be surprised if Kaspersky Enterprise didn't pick that up?

We've had a suggestion that setting the 'Account Lockout Threshold' to 3 is too low as Microsoft recommend 10?
 
The same ten users keep locking out their accounts... sounds like user error and account sharing?

I use a little code at the end of my login scripts that writes the username, PC, IP, date and time to a .txt file on a fileshare; you can then look through the log to see if the same account has been logged into on more than one PC at a time.
On top of that, we have a Splunk server that will report failed login attempts on every box on the domain, so between the two, I can find out if the account is being misused.

Also, check out the Account Lockout tools provided by Microsoft; you can quickly see which DC the account is locked out on...

http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
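The login-script log described in the post above can be checked automatically for one account appearing on several PCs. This is an added example, not the poster's script: the comma-separated column order, the sample rows and the function names are assumptions, and because the log records logons only, "at a time" is approximated as two logons on different PCs less than a chosen window apart.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log. The comma-separated column order
# (username, PC, IP, date, time) is an assumption, not the poster's format.
SAMPLE_LOG = """\
jsmith,WS-0101,10.1.4.21,2009-03-02,08:55:10
akhan,WS-0207,10.1.6.40,2009-03-02,08:57:44
jsmith,WS-0330,10.2.9.15,2009-03-02,09:20:02
akhan,WS-0207,10.1.6.40,2009-03-03,08:58:01
bjones,WS-0412,10.3.1.77,2009-03-02,09:01:30
bjones,WS-0415,10.3.1.80,2009-03-04,09:03:12
jsmith,WS-0101,10.1.4.21,2009-03-02,13:05:00
truncated line from an interrupted write
"""

def parse_log(text):
    """Yield (user, pc, timestamp), skipping malformed rows."""
    for row in csv.reader(StringIO(text)):
        if len(row) != 5:
            continue
        user, pc, _ip, date, time = (f.strip() for f in row)
        try:
            ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue
        yield user.lower(), pc.upper(), ts

def multi_pc_logons(text, window=timedelta(hours=8)):
    """Map each account to (pc_a, pc_b, gap) pairs: logons on two
    different PCs less than `window` apart."""
    by_user = defaultdict(list)
    for user, pc, ts in parse_log(text):
        by_user[user].append((ts, pc))
    findings = {}
    for user, events in by_user.items():
        events.sort()
        hits = []
        for i, (ts_a, pc_a) in enumerate(events):
            for ts_b, pc_b in events[i + 1:]:
                if ts_b - ts_a >= window:
                    break  # later events are even further away
                if pc_b != pc_a:
                    hits.append((pc_a, pc_b, ts_b - ts_a))
        if hits:
            findings[user] = hits
    return findings
```

Accounts returned here are candidates for shared credentials or a second machine still holding an old password, and can be compared against the lockout source reported by the DCs.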
 
How did you go about diagnosing and fixing that? It could possibly be happening to us as it does seem related to intranet access (i.e. that's the first thing they lose and hence realise they're locked out).

IIRC it was showing up as authentication failures in the event log of either one of our DCs or the ISA server itself, I can't remember which.

The problem we had was that the ISA server was reaching the limit we set for the amount of concurrent connections. We upped the limit to reflect the actual number of connections being received.

- Pea0n
 
You have 400 users and 55 DCs?

Do you have ActiveSync / Exchange? We usually find that users change their domain password but forget their PDA.
 
I've seen this on an AD domain when one Windows XP PC had a set of cached credentials hidden away under Users in Control Panel. The cached credentials were out of date, but for some reason the machine would try to use them for something and then lock out the account.
 
You have 400 users and 55 DCs?

Do you have ActiveSync / Exchange? We usually find that users change their domain password but forget their PDA.

Remote sites are WAN linked over 1mbit, 10mbit or 100mbit 1-to-1 lines; each satellite office has its own DC which doubles as file and print.

Exchange 2003 yes, ActiveSync no. We use BES.
 
I've seen Conficker cause havoc on people's networks. Make sure your antivirus/Windows is up to date, that's for sure.

I'll have a word with our security team but I do know they push out new AV the day it's released, which is practically every other day!

Same goes for patching which is handled by a third party app but managed by security team.
 
We may have found something: it seems that Acrobat updater is running on the user PCs with the problem. Perhaps it's an account caching issue with this updater? We've disabled it for now and will see if it makes any difference.
 