Account lockouts are a common problem experienced by Active Directory users. They arise because of Account Lockout Policies configured in the default domain policy for the Active Directory domain. In this article, we will go through some of the root causes of account lockouts and a way to simplify the troubleshooting process.
Common Causes of Account Lockouts
Mapped drives using old credentials:
Mapped drives can be configured to use user-specified credentials to connect to a shared resource. Afterwards, the user may change the password without updating the credentials in the mapped drive. The credentials may also expire, which will lead to account lockouts.
Systems using old cached credentials:
Some users are required to work on multiple computers. As a result, a user can be logged on to more than one computer simultaneously. These other computers may have applications that are using old, cached credentials which may result in locked accounts.
Applications using old credentials:
On the user’s system, there may be several applications which either cache the user’s credentials or explicitly define them in their configuration. If the user’s credentials are expired and are not updated in the applications, the account will be locked.
Windows Services using expired credentials:
Windows services can be configured to use user-specified accounts. These are known as service accounts. The credentials for these user-specified accounts may expire and Windows services will continue using the old, expired credentials, leading to account lockouts.
Scheduled tasks using old credentials:
The Windows task scheduler requires credentials to run a task whether the user is logged in or not. Different tasks can be created with user-specified credentials, which can be domain credentials. These user-specified credentials may expire and Windows tasks will continue to use the old credentials.
The following Active Directory attributes determine how many password change attempts a user can make in a given period of time:
maxPwdAge, lockoutThreshold, lockoutObservationWindow, and lockoutDuration.
If the password is set to never expire or account lockout is configured as ‘not to expire,’ the lockout will not happen.
How to Resolve Account Lockout Situations
Windows security logs go a long way to resolving account lockouts. However, extracting account lockout information from Windows Security Logs is not always a reliable process. Account lockout information can be retrieved from the PDC emulator DC, as it is responsible for processing lockouts. But the PDC emulator also processes a lot of other events for the entire domain, including authentication failures and password changes. In large environments where there are lots of users, a large volume of these event logs will collect on the PDC emulator. Subject to the size limit of the event logs, you may find that the old logs have been purged and the only available logs are those from the last few hours.
To simplify the process of determining the account lockout status, Microsoft offers the Account Lockout Status (LockoutStatus.exe) tool, which is a blend of command-line and graphical tools. The tool searches every DC in the target user account’s domain that can be contacted.
To download and run the tool, follow the steps below:
1. Run the installer file to install the tool
2. Go to the installation directory and run the ‘LockoutStatus.exe’ to launch the tool
3. Go to ‘File > Select Target…’ to find the details for the locked account
4. Go through the details presented on screen. The DC with the largest bad password count was probably the authenticating DC at the time of lockout.
5. Go to the concerned DC and review the Windows security event log. For Windows Server 2008, the event ID is 4740, and for Windows Server 2000 and 2003 the event ID is 644. The Windows PowerShell command provided earlier in this article can also be used. In the event details you will find the ‘Caller Machine Name’ where the failed authentication attempt happened.
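The lookup in step 5 can be scripted. The PowerShell below is an added example, not code from the original article or from Microsoft's tool: it parses event ID 4740 records and counts lockouts per account and caller machine. The function name Get-LockoutSource, the sample events and the host names are constructed for illustration, and the commented lines at the end show an assumed way to feed it live events from the PDC emulator.

```powershell
# Added example: turn 4740 event XML into account / caller-machine records.
function Get-LockoutSource {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$EventXml)
    process {
        foreach ($raw in $EventXml) {
            $evt = ([xml]$raw).Event
            if ([int]$evt.System.EventID -ne 4740) { continue }
            # Read EventData fields by name rather than by position.
            $data = @{}
            foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated   = [datetime]$evt.System.TimeCreated.SystemTime
                Account       = $data['TargetUserName']
                # 4740 stores the caller computer name in TargetDomainName.
                CallerMachine = $data['TargetDomainName']
                ReportedBy    = $evt.System.Computer
            }
        }
    }
}

# Constructed sample events (hypothetical names), trimmed to the fields used here.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="{0}"/>
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="TargetDomainName">{2}</Data>
  </EventData>
</Event>
'@
$sample = @(
    $template -f '2024-01-15T09:12:44Z', 'jdoe', 'WKS-0142'
    $template -f '2024-01-15T09:43:10Z', 'jdoe', 'WKS-0142'
    $template -f '2024-01-15T10:02:31Z', 'jdoe', 'RDS-03'
)

# Repeated lockouts from one machine point at where the stale credential lives.
$sample | Get-LockoutSource |
    Group-Object Account, CallerMachine |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Live use (ActiveDirectory module, rights to read the DC Security log):
# $pdc = (Get-ADDomain).PDCEmulator
# Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#     ForEach-Object { $_.ToXml() } | Get-LockoutSource
```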
If you’re experiencing a high number of account lockouts in a secure environment, it indicates an imbalance between security and convenience. Every organisation needs to determine an appropriate compromise between security and convenience. To do this, they will need to consider the sensitivity of the information in their settings, the risks they can bear and their users’ interests.
Third-party solutions, such as Lepide Account Lockout Examiner Freeware, can help navigate to the root cause of account lockouts faster and fix them easily.