Account lockouts are an important part of preventing security breaches, as they prevent users with malicious intent from attempting to guess passwords. You can configure Windows Servers using Group Policies to respond to this type attack by locking the user account in question.
The “Account Lockout Policy” setting determines the threshold that needs to be met in order to lock the account. This setting can be configured in the following location in Group Policy Object Editor:
Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policy
Once a user logs a request that their account has been locked, you, as a system admin, have to determine why the account lockout occurred. To track, you must find the relevant logs and draw information from them. Once you have found the cause and taken appropriate action, you can unlock the account or reset account’s password, so that user can continue to work as normal.
How to track User Account Lockouts?
LepideAuditor have multiple predefined reports to show all changes made in Active Directory. “User Status Change Report” shows all changes made in the status of user accounts such as lock, unlock, enable, or disable.
How to troubleshoot User Account Lockouts
You can use LepideAuditor to track Active Directory account lockouts and troubleshoot them. The below image shows the account lockout report. Information such as User Name, when the account was locked out, and from which system is all available in separate columns.
When you right click on a record, three options are available in the context menu:
- Unlock: Use this option to unlock the account.
- Reset Password: Use this option to reset the account’s password.
- Investigate: Use the third option to inquire into the account unlock.
Unlock User Account
When you click the “Unlock” option in the context menu, a message appears on the screen – “Unlocking user account. Please wait…”.The following image shows the account unlock message. Once the process is complete, the user can logon using the same account:
When you select this option, the “Reset Password” dialog box appears:
When you select this option from the context menu, “Lockout Investigator” window appears on the screen.It lets you investigate what all objects, tasks, sessions, or services will be impacted because of selected user’s account lockout.
The computer will be selected by default here, still you can change it to view the list of impacted things on a particular computer. You can click browse icon and type the name of computer you want to investigate. Once done, this wizard shows the following information:
- COM Objects: It provides the details of all COM objects in which the concerned account is being used.
- Logon Sessions: It provides the details about the logon sessions created using the selected account. These sessions will be impacted because of the lockout of this user.
- Mapped Network Drives: It provides the details of all mapped network drives available on the selected computer, which are created using the login credentials of the locked out user.
- Scheduled Tasks: It provides the details of all scheduled tasks available on the selected computer, which are created using the login credentials of the locked out user.
- Services: It provides the details of all services available on the selected computer, which are managed to run using the login credentials of the locked out user.
As shown in the screenshot above, the account status is “locked, ” and all the available information is displayed in the table at the bottom of the page. If you want, you can save the report to the local disk in PDF, CSV or MHT formats.
The process of tracking user account lockouts with Lepide Active Directory Auditing Solution is very straight forward, as you can see all the locked-out accounts in a single report and troubleshoot them from there. Download the free trial to see for yourself how easy it is to use LepideAuditor.