Wednesday, June 10, 2020

Troubleshooting Account locked out; EventID 4740,4625,4771

Troubleshooting Account locked out; EventID 4740,4625,4771

Troubleshooting Account Lockouts has become an IT admin routine nowadays;
You can find more possible root causes in our Account Lockout Troubleshooting Guide – https://community.spiceworks.com/how_to/113387-account-lockout-troubleshooting.

Possible root causes:
Persistent drive mappings with expired credentials
Mobile devices using domain services like Exchange mailbox
Service Accounts using cached passwords
Scheduled tasks with expired credentials
Programs using stored credentials
Misconfigured domain policy settings issues
Dsconnected Terminal Server sessions
Unix programs
Kerberos pre-authentication failures
Event IDs used to troubleshoot account locked out: 4740, 4625, 4771 (kerberos pre-authentication failure)
List of free tools to help the community with Account lockout root cause investigation and here it is:
1) Netwrix Account Lockout Examiner. As a disclaimer, this is our free tool and you probably know it very well, I want to keep your eye on its main features, may be you didn’t know something about it:
a. Account lockout investigation – It is the main feature that helps you to find out the account lockout root cause, it scans the logs related to locked accounts and gives you the info about IP address or computer name from which failed logons came from, it also examines mapped drives, services, RDP sessions or scheduled tasks for bad credentials.
b. E-mail alerts – You can alert your IT admins or help-desk staff with e-mail received after an account lockout happens so even before end users pick up the phone, help desk personnel already have all the details they need to quickly troubleshoot account lockouts.
c. Helps you to unlock accounts faster through a web-based console or even via email sent from your mobile device.
2) Account Lockout Status Tools. This is a pack of tools from Microsoft that consists of several separate ones, that will help you with Account Lockout troubleshooting.
a. EventCombMT.exe collects and filters events from the event logs of domain controllers. This tool has a built-in search for account lockouts, it gathers the event IDs related to a certain account lockouts in a separate text file.
b. LockoutStatus.exe examines all DCs in a domain, letting you know when the target account last locked out and from which DC. In addition, it provides the locked-out account’s current status and the number of bad password attempts that have been made.
c. Netlogon logging is used for tracking Netlogon and NT LAN Manager (NTLM) events. Enabling Netlogon logging on all DCs is an effective way to isolate a locked-out account and see where the account is being locked out. Although Netlogon logging isn’t part of the Account Lockout and Management Tools, NLParse.exe is used to parse the Netlogon logs—and NLParse.exe is one of the account lockout tools.
d. Acctinfo exposes more properties in ADUC (Active Directory Users and Computers), for example lastLogon and Password Expires.  Specifically, with this add-on you get an extra tab in ADUC called Additional Account Info it helps isolate and troubleshoot account lockouts and to change a user’s password on a domain controller in that user’s site.
3) ADLockouts. This simple utility tries to track the origin of Active Directory bad password attempts and lockout. It can search each domain/domain controller for failed logons, then parse any related events and work out where the origin of the lockout came from. After that it analyzes each machine and outputs what common causes of account lockouts are present, for example mapped drives, old rdp sessions, scheduled tasks and so on.
4) Powershell. Using powershell you can easily filter the event log for events that are related to a certain account and try to figure out what caused the its lockout.
a. Here is the powershell code with Get-EventLog cmdlet:
Get-EventLog -LogName Security | ?{$_.message -like "*locked*USERNAME*"} | fl -property * 
You can also use Get-UserLockoutStatus function for troubleshooting persistent account lockout problems. The function searches all domain controllers for a user in a domain for account lockout status, Bad Password Count, Last bad password time, and When password was set last, you can find the full code here – https://gallery.technet.microsoft.com/scriptcenter/PowerShell-function-for-bc5f8b56

No comments:

Entertainment