Account lockouts are one of the most common problems IT administrators deal with. Ordinary as they sound, the productivity they cost the organization is significant once it is quantified in monetary terms. An employee who logs on and finds their account locked can do nothing but find a way to inform the administrators and wait for the account to be unlocked. Depending on the size of the organization, administrators handle dozens of such lockouts a day. They rarely have time to resolve each one themselves, so the work is usually delegated to other users. In the process, taking the time to analyze the lockouts in detail, so that they can be minimized or prevented in future, is often overlooked.
Common causes of account lockouts in Active Directory
Some programs store user credentials and use them to log on to a system to perform a task. If the user then changes their password and does not update it in the program, the program keeps attempting to log on with the old password, and once the failed attempts exceed the lockout threshold the account is locked out.
Windows services and scheduled tasks configured to run under a user account can lock the account in the same way. Drive mappings made with expired credentials and Active Directory replication problems are other causes of user account lockouts.
A user who logs on to several computers may change their password on one of them. Programs on the other computers may still hold the old credential for accessing network resources and keep presenting it after the change; this is another typical scenario that ends in a lockout.
Troubleshoot Account Lockouts
Microsoft offers a number of account lockout and management tools to deal with such issues. Below is a brief introduction to a few of them. LockoutStatus.exe shows, for each domain controller, the account's lockout state together with Bad Pwd Count, Last Bad Pwd, Pwd Last Set, Lockout Time and the DC that originated the lock. It ships in the ALTools.exe package from Microsoft. ALockout.dll is installed on the client computer and logs which process attempted the authentication, so it can show which particular program caused the lockout. ALoInfo.exe lists user accounts and the age of their passwords, so administrators can see whose passwords are about to expire and head off lockouts caused by expired passwords. EventCombMT.exe searches the event logs of multiple computers for specific event IDs and gathers the matches in a central location. NLParse.exe parses large Netlogon log files for specific status codes, such as those for bad passwords and locked-out accounts. Despite this range of tools, administrators find account lockouts difficult to deal with using the native tooling. Why?
Firstly, most of them can only be used after the lockout has already happened, so they offer no proactive way of dealing with the issue. Secondly, most of them must be pointed at individual domain controllers or client computers to gather logs; there is no single console that covers every domain in the network. Thirdly, no single tool with a dedicated interface offers a complete solution: each tool is run separately and the information gathered from one must be fed into the next by hand. Next, the tools have no bulk option; every lockout has to be worked through individually. And finally, the tools must be run by administrators or privileged users themselves; there is no way to delegate them to end users through a web browser interface.
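The same investigation can be scripted. The PowerShell below is an added example for this article, not a Lepide or Microsoft tool. It reads Security event 4740 (A user account was locked out) from the PDC emulator, which records every lockout in the domain because bad-password attempts are forwarded to it, takes the Caller Computer Name from the most recent event, and then inspects that computer for the stale credentials described in the causes section above (services, scheduled tasks, drive mappings and stored credentials). It assumes the RSAT ActiveDirectory module, read access to the Security log on the PDC emulator, and WinRM access to the caller computer; the parameter names and the script name are the example's own.

```powershell
# Added example (not from the original article): locate the source of an AD account
# lockout, then inspect the source computer for credentials cached in services,
# scheduled tasks and drive mappings. Assumes the ActiveDirectory module, rights to read
# the Security log on the PDC emulator, and WinRM (Invoke-Command) to the caller computer.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # the account that keeps locking out
    [int] $Hours = 24                                   # how far back to search for 4740 events
)

Import-Module ActiveDirectory

# 1. Lockouts are recorded as Security event 4740 on the DC that applied the lockout.
#    In practice that is the PDC emulator, because bad-password attempts are chained to it.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Parse the event XML so fields are addressed by name rather than by position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            # In event 4740 the TargetDomainName field carries the "Caller Computer Name",
            # i.e. the computer from which the bad-password attempts were sent.
            CallerComputer = $data['TargetDomainName']
            LockingDC      = $data['SubjectUserName']   # computer account of the DC, e.g. DC01$
        }
    } |
    Where-Object { $_.Account -eq $SamAccountName }

if (-not $lockouts) {
    Write-Warning "No 4740 events for $SamAccountName on $pdc in the last $Hours hours."
    return
}

$lockouts | Sort-Object Time | Format-Table -AutoSize

# 2. Inspect the most recent caller computer for places where an old password may be cached.
$caller = ($lockouts | Sort-Object Time -Descending | Select-Object -First 1).CallerComputer
if ([string]::IsNullOrWhiteSpace($caller)) {
    Write-Warning 'Caller Computer Name is empty; check events 4771/4776 on the DC for the client address.'
    return
}

Invoke-Command -ComputerName $caller -ArgumentList $SamAccountName -ScriptBlock {
    param($user)
    $esc = [regex]::Escape($user)

    # Services whose logon account is the affected user (DOMAIN\user, .\user or user@domain).
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and $_.StartName -match "(^|\\)$esc(@|$)" } |
        Select-Object @{n='Type';e={'Service'}}, Name, StartName, State

    # Scheduled tasks that run as the affected user.
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -match "(^|\\)$esc(@|$)" } |
        Select-Object @{n='Type';e={'ScheduledTask'}}, TaskName, TaskPath, State

    # Drive mappings and stored credentials are per logon session, so this only sees the
    # remoting session's own context; run these two in the user's interactive session for
    # a complete picture. Get-SmbMapping exists on Windows 8 / Server 2012 and later.
    Get-SmbMapping -ErrorAction SilentlyContinue |
        Select-Object @{n='Type';e={'DriveMapping'}}, LocalPath, RemotePath, Status
    cmdkey /list | Where-Object { $_ -match 'User:' }
} | Format-Table -AutoSize

# 3. Unlock only after the stale credential has been corrected, otherwise the account
#    locks again as soon as the next attempt is made:
# Unlock-ADAccount -Identity $SamAccountName
```

Save it as, for example, Find-LockoutSource.ps1 and run `.\Find-LockoutSource.ps1 -SamAccountName jsmith` from a host with the RSAT tools. An empty Caller Computer Name usually means the bad attempts arrived from a non-Windows client or through an intermediary service; in that case the Kerberos pre-authentication failure (4771) and NTLM validation (4776) events on the same DC record the client address or source workstation.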
LepideAuditor for Active Directory is a solution that addresses account lockout issues and also offers a range of functionality for auditing and tracking changes in Active Directory. It lists locked accounts so that administrators can unlock them easily, and lets you investigate the reason for frequent lockouts.