How to find the account lockout source?

The account lockout source can be identified by enabling:

  • NetLogon Logging
  • Security Auditing
  • Kerberos Logging

1) NetLogon Logging:

NetLogon logging is enabled on the Primary Domain Controller (PDC). It captures NetLogon and NTLM authentication events.

Using NetLogon logging, we can extract the following information:

  • The number of unsuccessful/invalid logon attempts by a user in a given time period.
  • Whether a lockout is caused by a person, process, program, or script that is sending incorrect credentials.
  • A complete picture of all computers involved in the account lockout.
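As an added example (not part of the original article), the following Python script parses Netlogon.log lines from the PDC and counts failed logons per account by the workstation they came from and the member server that relayed them, so the computer behind a lockout stands out. The log path and line layout are the standard Netlogon.log ones; the sample lines, account and host names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Netlogon.log (written on the PDC to %SystemRoot%\debug\netlogon.log) holds
# one line per NTLM logon request; the part that matters here looks like:
#   MM/DD HH:MM:SS [LOGON] [pid] DOM: SamLogon: <type> logon of DOM\user from WS (via SRV) Returns 0x<NTSTATUS>
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?\S+: SamLogon: "
    r".+? logon of (?P<account>\S+) from (?P<source>\S+?)"
    r"(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)
SUCCESS, WRONG_PASSWORD, LOCKED_OUT = "0x0", "0xC000006A", "0xC0000234"  # NTSTATUS

def parse_line(line):
    """Return the fields of one SamLogon line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = "0x" + rec["status"][2:].upper()  # normalise hex case
    return rec

def lockout_sources(lines):
    """Count failed logons per account by (source, via); note first lockout time."""
    failures = defaultdict(Counter)
    first_locked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] == SUCCESS:
            continue
        if rec["status"] == LOCKED_OUT:
            # The lockout is the effect; the failures before it are the cause.
            first_locked.setdefault(rec["account"], rec["ts"])
            continue
        failures[rec["account"]][(rec["source"], rec["via"])] += 1
    return failures, first_locked

# Constructed sample: three bad passwords from one workstation, then the lock.
SAMPLE_LOG = """\
05/12 09:14:02 [LOGON] [1432] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from WS-FIN-07 (via FILESRV01) Returns 0xC000006A
05/12 09:14:03 [LOGON] [1432] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from WS-FIN-07 (via FILESRV01) Returns 0xC000006A
05/12 09:14:05 [LOGON] [1432] CORP: SamLogon: Network logon of CORP\\jdoe from WS-FIN-07 Returns 0xC000006A
05/12 09:14:09 [LOGON] [1432] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from WS-FIN-07 (via FILESRV01) Returns 0xC0000234
05/12 09:15:11 [LOGON] [1432] CORP: SamLogon: Transitive Network logon of CORP\\asmith from WS-HR-02 (via MAILSRV) Returns 0x0
"""

if __name__ == "__main__":
    failures, locked = lockout_sources(SAMPLE_LOG.splitlines())
    for account, by_source in failures.items():
        print(account, "locked at", locked.get(account, "never"))
        for (source, via), n in by_source.most_common():
            print(f"  {n} failures from {source}" + (f" via {via}" if via else ""))
```

Point the script at the real file (for example `lockout_sources(open(path))`) to get the same breakdown for a live PDC.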

2) Security Auditing:

To troubleshoot an account lockout effectively, enable domain-level auditing for the following events:

  Audit Setting          Events
  Account Logon Events   Failure
  Account Management     Success
  Logon Events           Failure

After auditing is enabled, the security log records an event for each invalid logon attempt (logon failure) and for each account lockout. Each event carries a specific event ID, which makes analysing and resolving lockout issues easier. The event IDs that carry account lockout source information include 529, 644, 675, 676, and 681 (Windows Server 2003).

3) Kerberos Logging:

If the account lockouts involve Kerberos clients, enable Kerberos logging on those client computers. Once Kerberos logging is enabled, events are logged when a user account makes an invalid logon attempt with an incorrect password, and when the account is locked out.

Incorrect Password: This event is logged when a user supplies an incorrect password during an authentication request from a Kerberos client.

Account Lockout: This event is logged when a user account is locked out on a Kerberos-enabled client system.