Troubleshooting Account Lockout Problems

Posted: January 10, 2010 in Active Directory, Networking, Server, System Information

Problem

A user is having account lockout problems and you need to determine from where and how it is getting locked out.

Solution

Using a graphical user interface

LockoutStatus is a new program available for Windows 2000 or Windows Server 2003 that can help identify the domain controllers on which a user is getting locked out. It works by querying the lockout status of a user against all domain controllers in the user's domain.

To determine the lockout status of a user:

  1. Launch LockoutStatus and select File > Select Target from the menu.
  2. Enter the target user name and the domain of the user.
  3. Click OK.

At this point, each domain controller in the domain will be queried and the results will be displayed.

Discussion

The lockoutstatus.exe tool is just one of many that are available in the new "Account Lockout and Management" toolset provided by Microsoft. These new lockout tools are intended to help administrators with account lockout problems that were very difficult to troubleshoot given the tools available under Windows 2000. Along with the tool mentioned in the Solution section, here are a few others that are included in the set:

ALockout.dll

A script called EnableKerbLog.vbs (included with the toolset), which uses this DLL, can be used to enable logging of application authentication. This can help identify applications that are using bad credentials and causing account lockouts.

ALoInfo.exe

Displays services and shares that are using a particular account name. It can also print all the users and their password age.

NLParse.exe

A filter tool for the netlogon.log files. You can use it to extract just the lines that relate to account lockout information.

EventCombMT

A utility to parse Event Logs from multiple servers, either to collect all entries together or to search for individual events across multiple computers. This is extremely useful when troubleshooting user account lockouts, for example, by determining which computer is causing the account lockout.

All of the new Account Lockout tools can be downloaded from:

http://microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
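The kind of filtering described for NLParse.exe above can be sketched in a few lines: keep only the netlogon.log results that carry status 0xC000006A (wrong password) or 0xC0000234 (account locked out) and count them per source computer for one user. This is an added example, not code from the toolset or from the original post; the line layout in the regular expression is an assumption, and the sample lines (CONTOSO, jsmith, WKS-042 and so on) are constructed.

```python
import re
from collections import Counter

# NTSTATUS values that matter for lockout troubleshooting.
STATUS = {0xC000006A: "WRONG_PASSWORD", 0xC0000234: "ACCOUNT_LOCKED_OUT"}

# Assumed layout: MM/DD HH:MM:SS [LOGON] ... logon of DOM\user from HOST [(via HOST)] Returns 0x...
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\].*?"
    r"logon of (?P<account>\S+) from (?P<source>\S*)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<code>0x[0-9A-Fa-f]+)$"
)

# Constructed sample lines (not taken from a real log).
SAMPLE = r"""
01/10 09:14:02 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WKS-042 Entered
01/10 09:14:02 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WKS-042 Returns 0xC000006A
01/10 09:14:07 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WKS-042 (via MAIL01) Returns 0xC000006A
01/10 09:14:09 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\adavis from WKS-017 Returns 0x0
01/10 09:14:11 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WKS-042 (via MAIL01) Returns 0xC0000234
01/10 09:15:30 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\JSmith from  (via FILE02) Returns 0xC0000234
""".strip().splitlines()

def parse_lockout_lines(lines):
    """Yield one dict per logon result whose status is lockout-related."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or int(m.group("code"), 16) not in STATUS:
            continue  # "Entered" lines, successes and unrelated errors
        yield {
            "time": m.group("ts"),
            "user": m.group("account").rsplit("\\", 1)[-1].lower(),
            "source": m.group("source") or "(unknown)",  # source may be blank
            "via": m.group("via"),  # server that passed the logon through, if any
            "status": STATUS[int(m.group("code"), 16)],
        }

def summarize(lines, user):
    """Count lockout-related results for one user per (source, status)."""
    counts = Counter()
    for ev in parse_lockout_lines(lines):
        if ev["user"] == user.lower():
            counts[(ev["source"], ev["status"])] += 1
    return counts

if __name__ == "__main__":
    for (source, status), n in sorted(summarize(SAMPLE, "jsmith").items()):
        print(f"{source:<10} {status:<20} {n}")
```

A source that keeps producing wrong-password results shortly before the locked-out results appear is the computer to examine first, and the "via" field shows which server passed the logon along.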
