I have been searching high and low for an answer, but I cannot seem to figure out why a few of our users keep getting locked out every 30 seconds. I unlock the account and then can watch the login attempts lock them out again within seconds. I have tried tools like Account Lockout Status and Netwrix, and I cannot find out what computer/service/task is causing it. I did turn on Netlogon logging, but it doesn't tell me which computer it's coming from, and it also doesn't say in the Event Viewer logs. Any help would be greatly appreciated!!! I have put an example event and Netlogon line below:
Netlogon:
01/04 11:51:07 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from (via WEB-SERVER) Returns 0xC000006A (there is nothing after from)
Event:
Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064
Process Information: Caller Process ID: 0x0 Caller Process Name: -
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
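The Netlogon line quoted above is the only place in this question that names a machine, and the shape "from (via WEB-SERVER)" is the thing to notice: the DC saw the request arrive through a member server rather than from the client itself. The following PowerShell is an added example, not code from the original post; it parses Netlogon debug lines of that shape and summarises the failures per account and per relaying host. The `$sampleLog` lines are constructed for the example (modelled on the quoted line), the `$StatusNames` table covers only the NTSTATUS values that usually matter in a lockout investigation, and the regex assumes the `SamLogon: ... Returns <status>` layout shown in the question.

```powershell
# Added example (not from the original post): parse Netlogon debug log lines like
# the one quoted above and summarise failed logons per account and per relaying host.
# $sampleLog is constructed for this example; the status values are NTSTATUS codes.
$sampleLog = @'
01/04 11:51:07 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from (via WEB-SERVER) Returns 0xC000006A
01/04 11:51:37 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from (via WEB-SERVER) Returns 0xC000006A
01/04 11:52:07 [LOGON] [20281] DOMAIN: SamLogon: Network logon of DOMAIN\Jane Doe from WKS-17 Returns 0x0
01/04 11:52:40 [LOGON] [20282] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from (via WEB-SERVER) Returns 0xC0000234
'@

# NTSTATUS values that commonly appear in a lockout investigation
$StatusNames = @{
    '0x0'        = 'STATUS_SUCCESS'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

# One regex for the "SamLogon: ... Returns <status>" line shape. "from" is followed either by
# the client name, or by nothing plus "(via <server>)" when a member server relayed the request.
$pattern = '^(?<date>\d\d/\d\d) (?<time>\d\d:\d\d:\d\d) \[LOGON\] \[\d+\] (?<domain>\S+): SamLogon: ' +
           '(?<type>.+?) logon of (?<account>.+?) from (?<source>[^\s(]*)\s*(?:\(via (?<via>[^)]+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'

function ConvertFrom-NetlogonLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Time    = "$($Matches.date) $($Matches.time)"
                Type    = $Matches.type
                Account = $Matches.account
                Source  = if ($Matches.source) { $Matches.source } else { '(blank)' }
                Via     = if ($Matches.via)    { $Matches.via }    else { '-' }
                Status  = $Matches.status
                Meaning = if ($StatusNames.ContainsKey($Matches.status)) { $StatusNames[$Matches.status] } else { 'unknown' }
            }
        }
    }
}

$events = $sampleLog -split "`r?`n" | ConvertFrom-NetlogonLine
$events | Format-Table -AutoSize | Out-Host

# Failures grouped by account: how many, from which source, relayed through which server.
# A blank Source with a Via host means the DC only saw the relaying server; the originating
# client is recorded in that server's own netlogon.log, so that is the next log to pull.
$events |
    Where-Object { $_.Status -ne '0x0' } |
    Group-Object -Property Account |
    ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Name
            Failures = $_.Count
            Source   = ($_.Group.Source  | Sort-Object -Unique) -join ', '
            Via      = ($_.Group.Via     | Sort-Object -Unique) -join ', '
            Statuses = ($_.Group.Meaning | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
```

To run it against a real log, replace the `$sampleLog` here-string with `Get-Content C:\Windows\debug\netlogon.log`; the same pipeline then tells you which accounts are failing and which member servers are relaying the bad credentials, which narrows the search from "every machine in the domain" to one box.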
Do you use LDAP integrated applications?
Advise those end users to clear their browser cache (if not already done); for Windows users, clear credentials in:
Credential Manager->Windows Credentials->Delete all entries under "Generic Credentials"
Does your organisation authenticate users who connect to corporate WiFi using AD? If so, check that the end users' mobile/tablet devices have been configured with the new password; the best way to do this is to forget the connection and reconnect using the new credentials.
We've had very similar issues in the past and resolved them by doing the above.
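Checking Credential Manager by hand on every affected PC gets old quickly. The following PowerShell is an added example, not code from the original answer; it parses the text output of `cmdkey /list` (which prints a block with `Target:`, `Type:` and `User:` lines per stored credential) and flags the Generic entries that still hold a given account, so the stale ones can be removed after that user's password change. The account name `jjones` is a constructed placeholder.

```powershell
# Added example (not from the original answer): list the credentials stored in the current
# user's Credential Manager by parsing "cmdkey /list", then flag the Generic entries that
# hold a given account; those are the ones that keep replaying an old password.
function Get-StoredCredential {
    # cmdkey /list prints one block per entry with "Target:", "Type:" and "User:" lines.
    $entries = @()
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $entries += $current }
            $current = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+)$') { $current.Type = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s*User:\s*(.+)$') { $current.User = $Matches[1].Trim() }
    }
    if ($current) { $entries += $current }
    $entries
}

function Find-StaleCredential {
    # Returns the Generic entries whose stored user matches $UserName ("jjones" or "DOMAIN\jjones")
    param([Parameter(Mandatory)][string]$UserName)
    Get-StoredCredential | Where-Object { $_.Type -eq 'Generic' -and $_.User -like "*$UserName*" }
}

$stale = Find-StaleCredential -UserName 'jjones'   # constructed account name for the example
$stale | Format-Table -AutoSize

# cmdkey /delete takes the target name, i.e. the part after "target=" in the Target column.
# The command is printed rather than executed so the operator decides what goes.
foreach ($entry in $stale) {
    $targetName = $entry.Target -replace '^.*target=', ''
    Write-Host "To remove: cmdkey /delete:$targetName"
}
```

Run it in the locked-out user's own session (Credential Manager is per user); an empty result means the stored-credential theory is wrong for that machine and the search moves on to services, scheduled tasks or mobile devices.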
I have recently done this for myself.
The script can show you the timestamp, username, and machine name where the lockout event originated.
Here is the code:
# Set default parameters and variables
param (
    [string]$DomainName = $env:USERDOMAIN,
    [string]$UserName = "*",
    [datetime]$StartTime = (Get-Date).AddDays(-3)
)
# Check that the PowerShell version is 4 or higher ($Using: inside remote script blocks needs 3+)
if ($Host.Version.Major -lt 4) {
    Write-Host "`n`nError: You need at least version 4 PowerShell for logging to work, `nCurrent version:"$Host.Version.Major -BackgroundColor Red -ForegroundColor White
    Write-Host "`nBefore you start using this script, please upgrade your PowerShell from Microsoft website!" -BackgroundColor Yellow -ForegroundColor Black
    Read-Host "`n`nScript execution finished, press enter to exit!"
    Exit
}
# Grab the information about your AD forest
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# Get list of all domain controllers in the forest (event 4740 is written on the DC that locked the account, in practice the PDC emulator)
$DC = $Forest.Domains | ForEach-Object { $_.DomainControllers } | ForEach-Object { $_.Name }
# Prompt user to enter a specific username or accept default (which means look for all locked out events)
Write-Host "`n`nEnter a UserName to search user specific locked out events `n`nOR `n`nPress enter to search all locked out usernames!" -BackgroundColor Yellow -ForegroundColor Black
Start-Sleep -Seconds 3
$TestName = Read-Host "`nPlease enter a UserName or Press enter"
if (-not [string]::IsNullOrWhiteSpace($TestName)) { [string]$UserName = $TestName }
Write-Host "`nScript will search for locked out events on the following domain controllers..." -BackgroundColor Gray -ForegroundColor Black
$DC
# Search for locked out events (Security event 4740) on each DC and store them in a variable
$DC | ForEach-Object {
    Write-Host "`nChecking for locked out events on $_, please wait..." -BackgroundColor Gray -ForegroundColor Black
    $OutPut = Invoke-Command -ComputerName $_ -ScriptBlock {
        $ErrorActionPreference = "SilentlyContinue"
        # Property 0 of event 4740 is the locked-out account; property 1 is the "Caller Computer Name" that sent the bad credentials
        Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740;StartTime=$Using:StartTime} |
            Where-Object { $_.Properties[0].Value -like "$Using:UserName" } |
            Select-Object -Property TimeCreated,
                @{Label='UserName';Expression={$_.Properties[0].Value}},
                @{Label='ClientName';Expression={$_.Properties[1].Value}}
        $ErrorActionPreference = "Continue"
    } | Select-Object -Property TimeCreated, 'UserName', 'ClientName'
    # Piping to Out-Host here would leave $OutPut empty every time, so keep the objects and display them only if something was found
    if (-not $OutPut) { Write-Host "`nWarning: No lockout events were found!`nContinuing the search..." -BackgroundColor Yellow -ForegroundColor Black }
    else { $OutPut | Format-Table -AutoSize | Out-Host }
}