Searching for event ID 4740 alone will give you all the account locked out logs on the domain controller but not the failed attempts to log in.Įvent ID 4771 is logged when an there is a Kerberos pre-authentication failure: The 2 event IDs we’re interested in are:Įvent ID 4740 is logged when an account is locked out: Now that we have the domain controller, type of logs and events to search for, all that’s missing is to list the Event IDs we’d like to match. Since we’re going to use this parse the logs for security events, uncheck System and Error then check the following: In the Add Server window’s Server Name field, type in the domain controller’s name: Right click in the Select To Search/Right Click to Add window and select Add Single Server: Once you know which domain controller you’re going to parse the logs, open up eventcombMT.exe in the ALTools folder: Which domain controller you choose doesn’t really matter but I prefer to choose the one that is not the PDC Emulator because all login events get forwarded over there and there will be more logs to traverse through: As shown in the screenshot below, you can see that there are 2 domain controllers with a value in the Bad Pwd Count field.
LOCKOUT TOOL MICROSOFT PASSWORD
The tool will then list the account’s status on all of the domain controllers in the domain as well as where the bad password was logged. In the Target User Name field, type in the account that has been locked out and Target Domain Name field, type in the appropriate domain: The way I’m going to be mimicking the account lockout is to RDP over to DC01 and continuously use the wrong password for my “ OCSTEST1” account to log in:įire up the “ LockoutStatus.exe” tool from the ALTools folder on the domain controller:įrom the opened LockoutStatus tool, click on File à Select Target…:
LOCKOUT TOOL MICROSOFT DOWNLOAD
You can download the Account Lockout and Management Tools here: While I was not able to use the tools to troubleshoot at the desktop level, I went ahead and used the server applications and this post will demonstrate the way I used them. The tool that I used was the Account Lockout and Management Tools from Microsoft and as some of you may already know, this package contains multiple small applications to assist in troubleshooting account lockout issues but because it was developed quite some time ago, the Alockout.zip and AlockoutXP.zip packages that is used to troubleshoot desktops are not compatible with Windows Vista or 7.
LOCKOUT TOOL MICROSOFT WINDOWS 7
Remote Country Office Domain controllers: RMDC01, RMDC02.ĭesktop OS: Windows 7 or Vista (No XP or 2000) The site that we’re having problems with is the remote office site. Logical Topology: 1 forest, 1 domain (domain.internal) The environment isn’t extremely complex but I’ll quickly outline it here: I have yet to determine what the issue is after reviewing event logs for a few days but the whole exercise served as a great refresher for something I haven’t done for a long time.
It’s been a busy month with multiple projects on the go and aside from the new deployments I’ve been doing, I’ve also been at a client’s office troubleshooting some account lockout issues in their remote office.
0 kommentar(er)
