Account lockouts can be a real pain to fix if you don't know where the lock is coming from. In these days of mobile computing very few users restrict themselves to a single PC or device. Often IT departments have to allow multiple devices to utilise the same user account credentials whether that be on the company Desktops, Laptops, Smartphones or even home user equipment. The problem is that when you have so many devices it gets a bit tricky to see where the lock has come from and users inevitably begin to think there may be some kind of conspiracy against them when their account keeps locking; even if it is their fault!
Tools Required
To perform all steps in this guide you will require a few tools:
A PC with Admin Pack installed (for Active Directory access) and Acctinfo.dll installed(http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465)
Causes of Account Lockouts
The most obvious scenario is that the user is continuously inputting the incorrect username/password combination - but that's far to easy. Other scenarios include:
- The user has changed passwords once they have logged on but have not logged back on again to re-sync their account.
- A stored username/password in a program, perhaps one that requires separate proxy authentication is requesting access to the Internet and supplying an incorrect password.
- A third party device, such as an Iphone connecting to webmail via RPC over HTTP with the incorrect password stored.
- The user has mapped a network drive on a different machine using their credentials and choose “Save Password” option, which has now expired.
- A scheduled task running with an invalid password.
Finding Where the Account Lockout Originated
The first thing is to make sure you know where the account lockout is coming from. Use Active directory with the ACCTINFO.DLL tab and check the time of the last “bad logon”.
The first thing is to make sure you know where the account lockout is coming from. Use Active directory with the ACCTINFO.DLL tab and check the time of the last “bad logon”.
Clicking on “Account Lockout Status” will bring up a list of domain controllers, allowing you to ascertain which domain controller the user locked out on first.
Right click the domain controller the account locked out on and choose event viewer, then organise by user and click on the username. You will see a "Failure Audit" at the time of lockout.
You will then be given the name of the machine the account has locked out on as well as an Idea what program may have caused the lock, see “Logon attempt by” field.
Finding the Cause of the Lockout on the User Machine
Finding the cause of account lockouts on the local machine can be quite difficult due to the number of potential causes of this problem but some general advice is as follows:
- Clean out the Temporary Internet Files and stored passwords in Internet Explorer.
- Clean out the windows credential manager by running "Control keymgr.dll" from the run prompt and deleting all stored passwords.
- Check the users “My Computer” for drive mappings created by the user; if there is anything out of the ordinary remove the mapping.
- Check for unusual software that may require individual proxy server configurations such as Google Earth, or any programs that perform periodic updates.
Drastic Measures if you still can't find the lock
From the Account lockout tools copy alockout.dll to the user’s c:\Windows\System32 folder. Remotely connect to the users registry using regedit and navigate to this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Windows
Create a new REG_SZ key called "AppInit_DLLs" and set its value to “alockout.dll"
Now restart the PC and wait for the account to lock out again. Once it locks check the C:\WINDOWS\Debug folder for a file called “Alockout.LOG”.
If you open this file with Notepad you should see a list of applications which attempted to pass network credentials along with details on which was successful and which failed. Check what time the users account locked out in ACCTINFO.DLL and the look for the corresponding entry on the list, this will be the application causing the problem.
The final step is to find this application on the user’s computer and find a way to either remove the cached credentials or in worst case scenario it may be necessary to remove the program all-together.
I came across this little gem recently. We had a user that was getting locked just about every day. It would usually occur at logon or sometime shortly thereafter (timing was never consistent).
ReplyDeleteWe used the lockout tools to determine that the lockout was coming from a desktop that she had never used. It turned out that the user naming convention y0000000 was part of the issue. The user on the machine that was locking out the account had transposed two numbers to match the locked out user account. It had gotten cached so when the user on the lockout machine logged in the other account would get locked out. We opened the Credential Store and deleted the offending entry.
Fun!
Hi Mark thanks for visiting. It's always reassuring to know that people are actually finding their way to my page. It's amazing how many people I speak to that don't know these exist - some techs with considerable experience, yet troubleshooting a lock-out somehow seems to be something they never encountered?
ReplyDeleteThanks, good post
ReplyDeleteHi Andrew,
ReplyDeleteI'm having massive problems with two users in my organisation, their accounts just keep locking out. I've tried cleansing all credentials, even gave one of them another computer and the problem persists. Using the LockoutStatus program I've determined that it's the computer the currently use locking them out.
I tried the "Dramatic measures" part of your post, hoping it would give some insight, but I don't get the output file in C:\Windows\Debug. Out users are not local admins, could that be affecting the outputting of the file?
Thanks in advance!