We get a lot of questions about Active Directory users who are (suddenly) locked out. There are two scenarios in which users are locked out:
1. It happens regularly, for instance, 10 times a day.
2. The number of locked out users suddenly spikes, for no apparent reason.
Starting with the first scenario: lockouts usually originate from cached credentials. An end user has changed his or her password but still has a persistent drive mapping under the old credentials, is still logged on to a second computer with the old credentials, or has scheduled jobs running under an account whose password was never updated in the job. Cached credentials can be tricky, because access tokens can be assigned to a lot of different resources (applications, drive mappings, TS sessions, in principle anything that needs authentication).
The second scenario can have a number of different causes, all of which are ‘serious’:
- Brute force attack. Someone is trying to break into your AD by trying out a list of passwords.
- Broken replication. Replication between your DCs is broken, so password resets are not synchronized between your DCs.
First, make sure that failed logon attempts are logged to the Security event log on your domain controllers (all of them, because which DC handles an authentication request depends on which one responds first). Audit only failed logon attempts: if you also log successful logon attempts, your Event Viewer log will explode in size.
Then, in the Event Viewer, you can see from which workstation a failed logon attempt originates (if it originates from a computer in your forest). From that you can tell whether you are likely dealing with a cached credentials problem or, for instance, with a brute force attack.
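Reading the Security log on every DC by hand gets tedious quickly, so here is an added example (not part of the original post, and not aducADMIN+ code) that does the same triage from PowerShell. It pulls the lockout events (4740) and the two failed-password events a DC records for domain accounts (4771 for Kerberos, 4776 for NTLM) from all domain controllers for the last N hours, then groups them two ways: per account and source (the cached-credentials pattern, one account failing repeatedly from one machine) and per source across distinct accounts (the brute-force pattern, one machine or address trying many accounts). It assumes the RSAT ActiveDirectory module is installed, the caller is an administrator on the DCs, and the DCs are reachable for remote event log reads; the `$Hours` parameter and the output column names are my own choices.

```powershell
<#
  Added example: collect failed-password and lockout events from all DCs
  and group them by account and source to separate cached-credential
  lockouts from brute-force attempts. Assumes RSAT ActiveDirectory, admin
  rights on the DCs and remote access to their Security logs.
#>
param([int]$Hours = 24)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# 4740 = account locked out, 4771 = Kerberos pre-authentication failed,
# 4776 = NTLM credential validation. Every DC is queried because whichever
# DC answers first handles the request.
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $since
        }
    } catch {
        # A DC with nothing to report raises "No events were found"; that is not an error.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
        }
    }
}

# Turn the event's EventData into a name -> value table so fields are read by
# name instead of by fragile positional index.
function ConvertTo-FieldTable {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $table = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $table[$d.Name] = $d.'#text' }
    $table
}

$rows = foreach ($e in $events) {
    $f = ConvertTo-FieldTable $e
    $kind = $null
    if ($e.Id -eq 4740) {
        # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
        $kind = 'Lockout'; $source = $f['TargetDomainName']
    } elseif ($e.Id -eq 4771 -and $f['Status'] -eq '0x18') {
        # Status 0x18 = wrong password. 0x12 (locked/disabled) is a consequence, not a cause, so skip it.
        $kind = 'BadPwd-Kerberos'; $source = $f['IpAddress'] -replace '^::ffff:', ''
    } elseif ($e.Id -eq 4776 -and $f['Status'] -eq '0xC000006A') {
        # Status 0xC000006A = wrong password; 0xC0000234 ("already locked out") is skipped for the same reason.
        $kind = 'BadPwd-NTLM'; $source = $f['Workstation']
    }
    if ($kind) {
        [pscustomobject]@{
            Time = $e.TimeCreated; DC = $e.MachineName; Kind = $kind
            Account = $f['TargetUserName']; Source = $source
        }
    }
}

$failures = $rows | Where-Object Kind -like 'BadPwd*'

# Scenario 1 (cached credentials): the same account failing over and over
# from the same source, often at a regular interval (a mapped drive, a
# second logon session, a scheduled task with the old password).
'== Bad-password failures per account and source =='
$failures | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count,
        @{n = 'Account'; e = { $_.Group[0].Account } },
        @{n = 'Source';  e = { $_.Group[0].Source } },
        @{n = 'First';   e = { ($_.Group | Sort-Object Time)[0].Time } },
        @{n = 'Last';    e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize

# Scenario 2 (brute force / password spraying): a single source producing
# failures for many distinct accounts. Sources outside your forest show up
# here only as an IP address.
'== Distinct accounts with failures per source =='
$failures | Group-Object Source |
    Select-Object @{n = 'Source'; e = { $_.Name } }, Count,
        @{n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique).Count } } |
    Sort-Object Accounts -Descending | Format-Table -AutoSize

'== Lockouts (4740) =='
$rows | Where-Object Kind -eq 'Lockout' | Sort-Object Time |
    Format-Table Time, DC, Account, Source -AutoSize
```

Run it as `.\Get-LockoutSources.ps1 -Hours 48` (or any name you like) from a workstation with RSAT. The events only exist if failure auditing is on for the DCs, which is normally set once in the Default Domain Controllers Policy under Advanced Audit Policy Configuration: "Audit Kerberos Authentication Service" and "Audit Credential Validation" (failure) for the bad-password events, and "Audit Account Lockout" for 4740. If the first table shows one account and one source repeating at a steady interval, that is the cached-credentials case from the first scenario; if the second table shows one source with a high Accounts count, treat it as the brute-force case from the second. A Source that is blank or an unfamiliar address is worth checking first, since it is not a machine in your forest.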
Vision It has been developing custom software solutions since 2009 and launched aducADMIN+ in 2010 to help us save time and money managing our own networks.
Developing software out of Amsterdam, The Netherlands, with installations in over 50 countries around the globe.