Troubleshooting account lockouts in Active Directory
Vložit
- čas přidán 4. 07. 2024
- In this video, I'll talk about how you can troubleshoot account lockout issues in Active Directory and find the source of account lockouts such as computers, programs or other types of devices.
I'll show you how can use Security Logs in Event Viewer to view the lockout events, enable additional audit policies on default domain controller policy, debug using Netloggin logging, Powershell Script Account Lockout Status (GUI tool) to find the source of account lockouts.
Table of Contents:
00:00 - Intro
00:25 - Understanding Account Lockout Policy in AD
04:00 - How to check if user accounts are locked in AD?
06:20 - Unlock User Accounts in AD
07:17 - Troubleshooting account lockout events using Event Viewer
12:21 - Extend the size of security log in Event Viewer
13:32 - Find unknown computer/device in Security Events (Event ID 4770)
17:04 - Event ID 4625 | NTLM Authentiction
18:30 - Using NetLogon debugging
20:06 - Using PowserShell Script on PDC Emulator to find the source of account lockouts
21:09 - Using PowerShell script on all domain controller to find the source of account lockouts
21:26 - Using Account Lockout Status to find the source of account lockouts
23:17 - Troubleshoot using Process Tracking to find the process locking the user accounts.
The below PS script finds the events with an Event ID 4740 and returns the lockout time and the name of the computer from which it occurred:
$Usr = ‘Michael.Greene’
$Pdc = (Get-AdDomain).PDCEmulator
$ParamsEvn = @{
‘Computername’ = $Pdc
‘LogName’ = ‘Security’
‘FilterXPath’ = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$Usr']]"
}
$Evnts = Get-WinEvent @ParamsEvn
$Evnts | foreach {$_.Properties[1].value + ' ' + $_.TimeCreated}
If you want to search all domain controllers, then you can use the below script in PowerShell.
$Usr = ‘username1’
Get-ADDomainController -fi * | select -exp hostname | % {
$ParamsEvn = @{
‘Computername’ = $Pdc
‘LogName’ = ‘Security’
‘FilterXPath’ = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$Usr']]"
}
$Evnts = Get-WinEvent @ParamsEvn
$Evnts | foreach {$_.Computer + " " +$_.Properties[1].value + ' ' + $_.TimeCreated}
}
Download Account Lockout Status - www.microsoft.com/en-in/downl... - Jak na to + styl
Hey guys, I just wanted to add -
Using computer management, my manager and I attempted to determine the reason behind the user's continuous AD account lockouts, which struck us as peculiar. Through a thorough joint investigation, we discovered that the user had an active session on another computer with certain applications running in the foreground. To address the problem, we requested a colleague's assistance in locating these workstations and completely shutting down the specific PC causing the issue. Once this was done, I tested the login credentials to confirm if the problem persisted, and fortunately, the solution worked. Notably, the event log did not show any security-related entries, highlighting the importance of identifying the root cause before drawing conclusions. If anyone encounters a similar issue, I would strongly recommend taking the time to pinpoint the source of the problem before taking any hasty actions.
Thanks,
AJ
Great video and very very important information, wish to see more videos regularly related to all kinds of scenarios for Active Directory troubleshooting and Windows Server troubleshooting scenarios
Very impressive. Covered a lot of different topics and super helpful. I subscribed.
That's quality work! Subscribed.
Excellent work!
Most useful video brother. Thanks a lot
Happy to help
Awesome video bro
Today I spent 30 mins time wirthly😊
Thanks
Welcome
Hello Sir, is it possible to know which service/executable file caused the failed event from the caller computer?
In live infra there were too many users so that editing group policy will apply to other users too.
What solution we can apply for a single user in an infra which does not affect the other users.
If the client address is the address of the DC with fsmo roles, what does that mean when the user's lockout is not available under event ID 4625?
💯
Has anyone been able to use the lockoutstatus tool successfully from command line?
hi can you enter the command for this 04:00 - How to check if user accounts are locked in AD?
How can we find sources when caller computer name is empty?
I see you explain this, thank