Troubleshooting Active Directory account lockout issues

AD/Exchange pros often face an issue for which there is little documentation available on the internet: user account lockouts.

I know this because I have been troubleshooting an account lockout issue for a while with minimal help. So here we go: my guide to troubleshooting Active Directory account lockout issues.

Before entering advanced troubleshooting mode we need to ensure we cover all the basics:

  1. Exchange ActiveSync mobile devices
  2. Apple MobileMe – contacts sync
  3. Applications / Web applications/ Tools which sync with Active Directory for authentication
  4. Vault for credentials in Windows Control Panel or Credential manager
  5. Stored usernames and passwords – rundll32.exe keymgr.dll, KRShowKeyMgr
  6. Rename AD Profile on the user machine

Let’s look at each in detail:

  1. Exchange ActiveSync mobile devices: yes, EAS devices, EAS devices and EAS devices. 80% of account lockout issues are caused by an "unknown" device trying to sync with the user's Exchange mailbox, and when you ask the user he will say "What do you mean, a mobile device? I already told ya"…

    DO NOT listen to the user.

    In the Exchange Management Shell run this:

    Get-ActiveSyncDeviceStatistics -Mailbox MeeraNair

    This returns all the devices the user is using right now, plus past devices that have established a connection with Exchange at least once:

    FirstSyncTime        : 5/3/2011 2:52:38 AM
    LastPolicyUpdateTime : 3/8/2012 3:32:24 PM
    LastSyncAttemptTime  : 3/8/2012 6:11:53 PM
    LastSuccessSync      : 3/8/2012 6:11:53 PM
    DeviceType           : iPhone
    DeviceID             : Appl6DxxxxxxS
    DeviceUserAgent      : Apple-iPhone3C1/901.405
    Identity             : Meera.Nair@msexchangeguru.com\AirSync-iPhone-Appl6DxxxxxxS

    FirstSyncTime        : 7/7/2011 1:38:44 AM
    LastPolicyUpdateTime : 3/8/2012 6:14:20 PM
    LastSyncAttemptTime  : 3/8/2012 7:34:09 PM
    LastSuccessSync      : 3/8/2012 7:34:09 PM
    DeviceType           : iPhone
    DeviceID             : Appl6QxxxxxxS
    DeviceUserAgent      : Apple-iPhone3C1/901.405
    Identity             : Meera.Nair@msexchangeguru.com\AirSync-iPhone-Appl6QxxxxxxS

Now educate the user that these are the devices syncing with his mailbox and that they have his username and password stored. Then look at LastSyncAttemptTime and make sure it is not an EAS device that is trying to authenticate as him.
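As an added example (not a script from the original post), the same device listing can be scripted so the suspect device is flagged automatically: it reads the account's lockoutTime from AD and marks any device whose last sync attempt fell shortly before the lockout, or whose last attempt is newer than its last successful sync (the signature of a device still using the old password). It assumes the Exchange Management Shell with the ActiveDirectory module installed; the mailbox alias MeeraNair and the 30-minute window are assumptions.

```powershell
# Added example, not the post's own script. Run in the Exchange Management Shell on a
# machine that also has the ActiveDirectory module (RSAT). Alias and window are assumed.
param(
    [string]$Mailbox = 'MeeraNair',
    [int]$WindowMinutes = 30
)
Import-Module ActiveDirectory -ErrorAction Stop

# Map the mailbox to its AD account and read the lockout timestamp.
# lockoutTime is a FILETIME; 0 means the account is not currently locked out.
# badPwdCount is not replicated, so the value comes from whichever DC answered.
$sam  = (Get-Mailbox -Identity $Mailbox).SamAccountName
$acct = Get-ADUser -Identity $sam -Properties lockoutTime, badPwdCount
$lockedAt = if ($acct.lockoutTime -gt 0) { [DateTime]::FromFileTime($acct.lockoutTime) } else { $null }
Write-Host ("{0}: badPwdCount={1} lockedAt={2}" -f $sam, $acct.badPwdCount, $lockedAt)

Get-ActiveSyncDeviceStatistics -Mailbox $Mailbox | ForEach-Object {
    # A device that keeps attempting after its last success is still sending an old password.
    $retrying = $_.LastSyncAttemptTime -and $_.LastSuccessSync -and
                ($_.LastSyncAttemptTime -gt $_.LastSuccessSync)
    # A device that attempted a sync shortly before the lockout is the prime suspect.
    $nearLockout = $false
    if ($lockedAt -and $_.LastSyncAttemptTime) {
        $gap = ($lockedAt - $_.LastSyncAttemptTime).TotalMinutes
        $nearLockout = ($gap -ge 0) -and ($gap -le $WindowMinutes)
    }
    [pscustomobject]@{
        DeviceType          = $_.DeviceType
        DeviceID            = $_.DeviceID
        UserAgent           = $_.DeviceUserAgent
        LastSyncAttemptTime = $_.LastSyncAttemptTime
        LastSuccessSync     = $_.LastSuccessSync
        Suspect             = $retrying -or $nearLockout
    }
} | Sort-Object LastSyncAttemptTime -Descending | Format-Table -AutoSize
```

A device marked Suspect with an old LastSuccessSync is the one to have the user remove or re-enter the password on; the others are merely recent.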

2. Apple MobileMe – contacts sync: check and ensure the user hasn't configured MobileMe to sync his contacts from Outlook. If this is configured with AD credentials, it can be a reason for account lockout.

3. Applications / web applications / tools that sync with Active Directory for authentication: you heard it right. There may be third-party applications running that have an AD username and password stored within them, and a lot of the time, the moment the user opens an application such as Internet Explorer or another browser, the application or tool tries to authenticate in the background with the stale password and locks the account.

4. Vault for credentials in Windows Control Panel or Credential Manager: this is the second most common reason the user gets locked out. In my case, the user had an intranet SharePoint web portal and the AD credentials were cached in Credential Manager. Open Credential Manager from Control Panel and make sure the Windows Credentials area is empty.


5. Stored usernames and passwords: this shouldn't be a problem in most cases, but better safe than sorry. Open a Run window, type rundll32.exe keymgr.dll, KRShowKeyMgr and delete any stored passwords.

6. Rename the AD profile on the user machine: this is more like trying to fix the issue without knowing what's causing it. It assumes the account lockout happens while the user is logged into his client machine. If the lockout is caused by an application or "something" on that machine, rename the AD profile on the client (under Documents and Settings in XP, Users in Windows 7), ask the user to log in again and monitor the situation.

Now let’s look at some advanced troubleshooting steps.

Using the Microsoft Lockout Status tool

  1. Download the Lockout Status tool from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465 into a new folder on a client machine.
  2. After extracting the downloaded file, you will have the tool's files (LockoutStatus.exe and nlparse.exe among them).


3. Open LockoutStatus.exe, click File > Select Target, type the username (the user logon name of the account that is getting locked out) as Target User Name and click OK.

The tool can be run from any machine in the domain.

4. The tool then queries the records on all the domain controllers. Keep a close eye on the Bad Pwd Count column.

5. If the account gets locked out frequently, the Bad Pwd Count keeps increasing. Make a note of the domain controller that shows a Bad Pwd Count greater than 0. The same value will also be shown by the PDC emulator of the domain, since bad password attempts are forwarded to it; that entry can be ignored.


In this case, I will log in to DC01 and all the domain controllers in this site and set the following registry value:

  • Open regedit with an account that has necessary permissions and move to:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

  • Create a new DWORD value named DBFlag with the hexadecimal value 2080ffff. This turns on verbose Netlogon debug logging.
6. Once this is set, restart the Netlogon service on DC01 and wait for the account to lock out.
7. Once the account locks out, confirm in LockoutStatus.exe which domain controller locked out the account and take the Netlogon.log file from C:\Windows\Debug on that DC.
8. Copy Netlogon.log to the client machine that has the Lockout Status tool and open nlparse.exe from the Lockout Status Tools download.

Click File > Open and browse to the Netlogon.log location.


9. Once the file is loaded, choose the two status codes 0xC000006A (wrong password) and 0xC0000234 (account locked out) and click Extract.

When the extraction is complete, the tool shows a pop-up confirming it.

10. There will be two new files next to Netlogon.log on the client machine: a new CSV and a summary output file.


11. Open the CSV file and filter on the user alias for the recent lockout.

This indicates that DC01 received the lockout from DC07.

In this case, you can perform Steps 6 to 12 again on DC07 and find the machine that the lockout originates from.
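The nlparse step can also be done without the GUI. The following added example (not a script from the original post) parses a Netlogon.log taken from the DC identified in step 5, keeps only the two status codes the post extracts, and groups the wrong-password hits by the client that sent them and the DC that relayed them, which is exactly the "DC01 received the lockout from DC07" reading above. The log path, the sAMAccountName MeeraNair and the sample log lines are assumptions; the sample lines are constructed in the shape Netlogon writes and are used only when the real log is absent.

```powershell
# Added example, not the post's own script. Parses Netlogon.log from the DC found in
# step 5 and summarises where the failing logons for one user came from.
param(
    [string]$LogPath = 'C:\Windows\Debug\Netlogon.log',
    [string]$User    = 'MeeraNair'            # assumed sAMAccountName
)
# The two status codes the post extracts with nlparse.exe
$codes = @{ '0xC000006A' = 'WRONG_PASSWORD'; '0xC0000234' = 'ACCOUNT_LOCKED_OUT' }

# Constructed sample lines in the shape Netlogon writes with DBFlag 2080ffff; used
# only when the real log is not present so the script also runs offline.
$sample = @(
  '03/08 19:21:44 [LOGON] [5820] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\MeeraNair from WKS-MEERA (via DC07) Returns 0xC000006A',
  '03/08 19:21:52 [LOGON] [5820] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\MeeraNair from WKS-MEERA (via DC07) Returns 0xC000006A',
  '03/08 19:22:01 [LOGON] [5820] CONTOSO: SamLogon: Network logon of CONTOSO\MeeraNair from EXCAS01 Returns 0xC0000234',
  '03/08 19:22:05 [LOGON] [5820] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WKS-JS Returns 0x0'
)
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }

# One pattern covers direct logons and transitive ones forwarded "(via <DC>)".
$rx = '^(?<when>\d\d/\d\d \d\d:\d\d:\d\d) .*SamLogon: (?<kind>.+?) logon of (?<acct>\S+) from (?<client>\S+)(?: \(via (?<via>[^)]+)\))? Returns (?<code>0x[0-9A-Fa-f]+)'

$hits = foreach ($l in $lines) {
    if ($l -match $rx -and $codes.ContainsKey($Matches.code) -and
        $Matches.acct -like "*\$User") {
        [pscustomobject]@{
            When   = $Matches.when
            Client = $Matches.client
            Via    = if ($Matches.via) { $Matches.via } else { '(direct)' }
            Status = $codes[$Matches.code]
        }
    }
}
$hits | Format-Table -AutoSize

# The (Client, Via) pair with the most WRONG_PASSWORD hits is where to look next:
# Via names the DC to repeat the Netlogon steps on, Client the machine holding stale credentials.
$hits | Where-Object Status -eq 'WRONG_PASSWORD' |
    Group-Object Client, Via | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

On the constructed sample the summary shows two wrong-password attempts from WKS-MEERA via DC07, so DC07 is the next DC to enable logging on and WKS-MEERA the client to examine.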

Source: http://msexchangeguru.com/2012/03/08/ad-lockout/