Account Lockout: WHERE it comes from?


Greetings,

We are suffering from several users account lockouts on our domain, and we cannot find a solution.

I've read most of the usually linked threads about this, such as this one, this one or this one, so PLEASE do not refer to them and tag it as a solution, because it is not.

Our environment:

Windows 2008 domain level (Win2008 R2 DCs), 2500 users, 3 DCs (one of which is at a remote site), and 13 RODCs. A lot of users get locked frequently and most of the time we are able to figure out where from, and a reset solves the normal issue. But a few of them also get locked, among which the Domain Administrator, and we don't know why or from where.

Users must change their password every 45 days. Lockouts don't necessarily happen right after a password change.

10 consecutive bad passwords bring out a lockout.

I am investigating one user particularly.

What is happening:

  • This user's account has been locked out frequently since early last week. There is no standard time frame; sometimes it's every 10 minutes, sometimes nothing during a day, sometimes once every two hours.
  • We have a SCOM custom monitor which gathers all the 4740 events from all DCs, and they are reported correctly. Of course, for these few users, the Caller Computer Name is empty.
  • I don't care WHY these lockouts can happen, I need to know WHERE they are originating.
  • Some people use Linux machines, smartphones, tablets, and various other possible devices.  This special user I'm working on, however, doesn't have any of these (he says...) and only connects to a Windows 7 laptop, and remotely on a Windows 2008 R2 SQL Server.
  • We used an external tool called Rebasoft, which allows tracking some of a user's activity on the network. Unfortunately, for the moment it only tracks the "last seen" (IP and MAC-wise). Every time we check, the user's laptop IP and name are reported.
  • We have checked everything I could think of on the PCs: scheduled tasks, services, processes, and nothing unusual or using deprecated credentials is to be seen.
  • We have provided the user a new laptop with a brand new install of Win 7 Enterprise, which is deployed from an image used by ~500 people, and only THIS user suffers from this problem. And yes, with the new laptop the problem arises again. And yes, on the Rebasoft tool, the new IP and name are reported.
  • I have downloaded and am using the ALTools suite; LockoutStatus.exe allows me to see from which DC the problem happens and, almost live, I can see the "Bad Pwd Count" value growing from 0 to 10 (our lockout threshold) when refreshing All DCs.
  • In LockoutStatus.exe, the "Orig Lock" is the DC on which the lock is applied in the AD, but it doesn't give the source computer.
  • Last Friday, nothing happened while the user had his laptop online and connected to the network. But today for instance, it's a lockout every 20 minutes, which drives us crazy.

My thoughts on the issue:

  • I don't entirely trust the user's claim about whether he has ever connected to a browser from some mobile device. This mustn't be one of his own devices; maybe a colleague's one on which he tried to connect before his last password change, or whatever.
  • It may of course be a user with a similar login (we use 5-char account names, so among 2500 people, sometimes you have close accounts) trying to connect using wrong credentials and not caring / noticing.
  • All leads seem to point to the user's own laptop. I thought there was some kind of hidden process, task or something, but as soon as a brand new/fresh PC is provided, the problem persists. This tends to indicate that it comes from elsewhere.

My questions:

  • Is it possible that somehow an AD account gets "corrupted" and auto-locks, wherever it logs in from on the domain? Recreating this user's account would be very tedious, PLUS, if we're in the case of a mobile or Linux device trying to use the user name, a new SID won't change anything and the problem would persist. Plus, the lockout would thus be happening on a regular Windows machine, whose name should appear in the Caller Computer Name of the id 4740 event.
  • HOW ON EARTH can I get a source IP / MAC / whatever from an account lockout? I KNOW the excuse from Microsoft is "if the computer is impossible to identify through KDC etc., we cannot guarantee that there isn't IP spoofing, so the caller computer name of the id 4740 event is empty". I don't care if it is a spoof or not, I want an IP or MAC to investigate!!

Again, I have read all the other topics on the matter so please don't copy-paste the same standard answers.

I have used ALTools, I use SCOM, I checked eventlogs, I even use third-party software. I just need to know HOW I can be sure from where the account lockout originates, and also if it is possible that an AD account on a fresh machine, gets auto-locked for a reason I don't know.


Bix
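One way to get past an empty Caller Computer Name, as an added example that is not part of the original post: the 4740 event is only the result, but the failed authentications that precede it are logged on the DC with a client address (event 4771, Kerberos pre-authentication failed, carries an IpAddress; event 4776, NTLM credential validation, carries the source Workstation). The script below pulls the 4740 events for one account from every DC and lists those failed-auth events from the same DC in the window just before each lockout. The account name, look-back window and the use of the ActiveDirectory module are assumptions; both failure audit categories must be enabled on the DCs or the inner query returns nothing.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory RSAT
# module, rights to read the Security log on every DC, and that "Audit Kerberos
# Authentication Service" and "Audit Credential Validation" failure auditing are on.
Import-Module ActiveDirectory

$Account = 'ab123'                    # placeholder 5-char sAMAccountName (assumption)
$Since   = (Get-Date).AddHours(-24)   # how far back to look for 4740 events
$Window  = New-TimeSpan -Minutes 15   # failed-auth look-back before each lockout

# Read EventData fields by name; positional indexes differ between event ids.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$dcs = (Get-ADDomainController -Filter *).HostName
foreach ($dc in $dcs) {
    $lockouts = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since
    } | Where-Object { (Get-EventDataField $_ 'TargetUserName') -eq $Account }

    foreach ($lk in $lockouts) {
        # In 4740 the "Caller Computer Name" is stored in the TargetDomainName field;
        # this is the value that is empty for the accounts described in the post.
        $caller = Get-EventDataField $lk 'TargetDomainName'
        "{0}  4740 on {1}  caller='{2}'" -f $lk.TimeCreated, $dc, $caller

        # Failed Kerberos (4771) and NTLM (4776) validations on this DC just before
        # the lockout. 4771 IpAddress is often IPv4-mapped, e.g. ::ffff:10.1.2.3.
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776
            StartTime = $lk.TimeCreated - $Window; EndTime = $lk.TimeCreated
        } | Where-Object { (Get-EventDataField $_ 'TargetUserName') -eq $Account } |
          ForEach-Object {
            $src = if ($_.Id -eq 4771) { Get-EventDataField $_ 'IpAddress' }
                   else                { Get-EventDataField $_ 'Workstation' }
            "    {0}  {1}  source='{2}'  status={3}" -f $_.TimeCreated, $_.Id, $src,
                (Get-EventDataField $_ 'Status')
          }
    }
}
```

Because RODCs forward authentications they cannot satisfy to a writable DC, the 4771/4776 entries for a branch user usually sit on the RODC itself, so run the inner query against the RODCs too rather than only the DC named in "Orig Lock".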

