04 February 2011

How to find out why your account keeps getting locked with Windows Server, TMG and Webspy

It has to rate as one of my all time most frustrating and annoying experiences. Having your account locked can be debilitating, rendering you useless until someone is kind enough to unlock your account, or worse yet you have to wait for the lockout time to expire.

Depending on the domain policy the number of incorrect attempts and the lockout duration will vary. Either way you often find that no matter where you look you can't figure out from where and why your account is getting locked.

The way to find the locking machine is to go to the locking authority: Active Directory. If you investigate the Security logs on the domain controllers you will find the lockout events.

On a Windows 2003 domain controller the event ID is 644. Note this is a successful action as the domain controller was able to successfully lock the account.



The field information you want to know is:
Target account name - the AD account name
Caller Machine Name - the machine name from where the account was locked out.


On a Windows Server 2008 and 2008 R2 domain controller the event ID is 4740.


Once you have identified the machine locking your account you can check out that machine and see what's up. In many cases it is a machine you logged onto and never logged off from.
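The domain controller check above can be scripted instead of clicking through Event Viewer on each DC. This is an added example, not a script from the original post; it assumes the ActiveDirectory module (RSAT) is installed and that you can read the Security log on every domain controller.

```powershell
# Added example: list account lockout events (ID 4740) from every domain controller,
# showing which account was locked out, from which machine, and when.
# Assumes the ActiveDirectory module and read access to each DC's Security log.
param(
    [string]$User  = '*',   # sAMAccountName to look for; '*' lists every lockout
    [int]   $Hours = 24     # how far back to search
)

$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $since
        }
    } catch {
        # A DC with no matching events raises "No events were found"; report and move on.
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # EventData of a 4740 event starts with TargetUserName (the locked-out account)
        # followed by TargetDomainName, which holds the Caller Computer Name.
        # Reading Properties avoids depending on the localized Message text.
        $account = $e.Properties[0].Value
        $caller  = $e.Properties[1].Value
        if ($User -ne '*' -and $account -notlike $User) { continue }

        [pscustomobject]@{
            Time             = $e.TimeCreated
            DomainController = $dc
            Account          = $account
            CallerComputer   = $caller
        }
    }
}

$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the caller computer turns out to be the TMG or ISA server, carry on with the proxy log steps below.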


The other problem you may have is that your account is getting locked by another device on the internet. This is normally a smart phone attempting to sync email. Checking the AD log will only reveal the reverse proxy server as the culprit. If you are using TMG or ISA you are in luck.

To find out where the problem lies you will have to analyse the Forefront Threat Management Gateway logs.

Set up a filter for Logging and reporting.

Specify the username in the domain\username format.
If you know what the offending rule might be then add that to the filter too.

I prefer to run the log for "Last Hour" to catch the lockout event that happened in the past.


What you would expect to see is not a lockout event but a failed authentication event.  Like the screen shot but with RED not green.


If this still does not give you an idea of where to look you can further analyse the TMG or ISA logs with WebSpy Vantage.  Here you can find the user agent, and this should give you a very good idea of where the connection attempt is coming from.

Import the logs into a storage
Create a new analysis
Expand down to the username
Then expand the user agent


You can see that all the incoming requests for that user from the internet were made from his iPhone.

Hopefully this helps someone to permanently resolve an account lockout problem.

Update
For more info check out http://fixmyitsystem.com/2011/04/scripts-to-see-where-your-account-is.html


Update 2

TMG SP2 adds functionality to display more information about account lockouts:

http://blogs.technet.com/b/keithab/archive/2012/05/01/identifying-failed-logon-attempts-that-are-causing-account-lockouts-in-threat-management-gateway-2010.aspx

3 comments:

Anonymous said...

This just saved my butt. Thank you for the help!

Anonymous said...

Thanks very much, a great help

Enache Gabriel said...

Thank you, mate! Great job!
