08 June 2011

Fixing Account Lockout - finding the Domain controller

In the articles below I covered some info on how to trace back the offending login machine.  But in an environment with multiple domain controllers you don't always know against which domain controller the invalid login attempts are happening.

http://fixmyitsystem.com/2011/04/scripts-to-see-where-your-account-is.html
http://fixmyitsystem.com/2011/02/how-to-find-out-why-your-account-keeps.html

One of our technical guys showed me the Account Lockout Status resource kit tool.  It is old but still works in a Win 2008 R2 domain.  http://www.microsoft.com/downloads/en/details.aspx?FamilyID=D1A5ED1D-CD55-4829-A189-99515B0E90F7

It works very simply.  Run the tool as a domain admin, or specify domain admin credentials when you select a target.  From the File menu click "Select Target" and specify the username that keeps getting locked out.

It will now query all the reachable domain controllers and check the account status on each one.  For me the most useful column is Last Bad Pwd: the row with the most recent Last Bad Pwd time tells you which domain controller handled the incorrect authentication requests.

Once you have the domain controller you can run the scripts or check the event logs as described in the above articles.
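The same per-DC check can be scripted so it is not tied to the old tool. The following is an added example and is not part of the original post or the resource kit; it assumes the RSAT ActiveDirectory PowerShell module is installed, that you run it with an account allowed to read user attributes on every DC, and that `$User` is a placeholder for the account that keeps locking out.

```powershell
# Added example: query every domain controller directly for the user's bad-password
# attributes, the same data the Account Lockout Status tool shows one row per DC.
Import-Module ActiveDirectory

$User = 'jsmith'   # placeholder username; replace with the locked-out account

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # badPwdCount and badPasswordTime are NOT replicated between DCs, so each DC
        # only knows about the failures it handled itself. Every failure is also
        # forwarded to the PDC emulator, so that DC usually shows the highest count.
        $u = Get-ADUser -Identity $User -Server $dc.HostName `
             -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut `
             -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockedOut   = $u.LockedOut
            LockoutTime = if ($u.lockoutTime -gt 0) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
            Error       = $null
        }
    } catch {
        # Unreachable DC or failed query: record it and keep going, so one dead DC
        # does not hide the answer from the others.
        [pscustomobject]@{
            DC = $dc.HostName; Site = $dc.Site; BadPwdCount = $null; LastBadPwd = $null
            LockedOut = $null; LockoutTime = $null; Error = $_.Exception.Message
        }
    }
}

# The DC at the top of this list is the one whose Security event log to inspect next.
$results | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize
```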


In practice this is the same as checking the current logon server for the machine, which you would do from a command prompt with:

echo %logonserver%
