Tuesday, 2 June 2015

Troubleshooting Windows Domain Account Lockouts

Finding out why a user is continually being locked out on a particular day can be a challenge.  A person may have logged onto a computer a few weeks ago and forgotten about it, and identifying where that rogue session is can be difficult.  On a more sinister note, a user might be locked out from time to time and know that they didn't type a password incorrectly, so pinpointing the source of these lockouts is important.  The built-in filtering on the Windows Event Logs, while useful in some circumstances, isn't always much help with this.

Worry not!  Microsoft provide a number of tools to assist with this.  You can download them from the link below; the two that I'm going to talk about are Eventcomb and LockoutStatus.  These two tools do different jobs and can be very useful individually or together.

http://www.microsoft.com/en-us/download/details.aspx?id=18465

Eventcomb

Eventcomb is an event log interrogation tool that will look for events that match your criteria and output them to a file.
To search for account lockouts, you can fill in most of the settings by going to Searches, Built In Searches and selecting Account Lockouts.  Note that if you are searching on DCs that are newer than Windows Server 2008, you will need to add event IDs 4740 and 4625 to the built-in list of Event IDs.
If you right-click in the window "Select to search/right click to add", you can choose all DCs in your domain.
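
A comparable sweep across all DCs for event IDs 4740 and 4625 can be scripted in PowerShell. This is an added example, not part of the original post or of Microsoft's tools; the account name `jsmith` and the 24-hour window are assumptions, and it needs the ActiveDirectory RSAT module plus rights to read the Security log on each DC.

```powershell
# Added example: sweep every DC for lockout (4740) and failed-logon (4625)
# events for one account. The account name and time window are assumptions.
param(
    [string]$User  = 'jsmith',   # hypothetical sAMAccountName
    [int]   $Hours = 24
)

Import-Module ActiveDirectory   # RSAT; used only to enumerate the DCs

$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent errors when nothing matches as well as when the DC is unreachable
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read the EventData fields by name rather than by position
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $User) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc
            EventId = $e.Id
            Account = $d['TargetUserName']
            # 4740 records the caller computer in TargetDomainName;
            # 4625 records WorkstationName and IpAddress instead
            Source  = if ($e.Id -eq 4740) { $d['TargetDomainName'] } else { $d['WorkstationName'] }
            Address = $d['IpAddress']
        }
    }
}
$results | Sort-Object Time | Format-Table -AutoSize
```

The Source column of the 4740 rows names the machine the lockout came from, which is where to look for the forgotten session or the unexpected logon attempts.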


Lockout Status

Lockout Status is a handy tool for seeing when an account was locked out, which domain controller it was locked out on and when passwords are due to expire.  OK, the password expiry might need a bit of mental arithmetic, adding the number of days in your maximum password age policy to the 'Password Last Set' field, but it's a great help.

These are two great utilities that Microsoft provide for free that will help you troubleshoot lockouts and identify where problems are coming from.

2 comments:

  1. Don't forget logparser. Supports SQL queries on event logs and other structured text files

    1. Cheers Colin. I didn't know about that, but I feel an upcoming blog topic stirring ;-)
