question

raminsa-6505 asked DaisyZhou-MSFT edited

User account locks frequently

Hi dear expert

After digging in Active Directory, we found that a specific server (for example, SERVER1) locks our domain account, but I have no idea why SERVER1 frequently locks our user.

Please give me a hand to fix my issue.

Thank you in advance

windows-active-directory

1 Answer

DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @raminsa-6505,

Thank you for posting here.

Based on the description, I understand we found one domain user was locked out on one specific server, and we want to know why the domain user account was locked on this server.

We can try the following steps:
• Check the credential management to see if there are cached user’s old credentials
• Check if you have used the wrong password to mount the network disk
• Check whether the user has used the wrong password to start services, run scheduled tasks, etc.
• Check if there are other third-party programs that cache the user’s wrong password.


After all the checking above, if you cannot locate the specific process that is causing the problem, you can configure the audit policy on the server to see if you can locate the specific process that caused the problem.

1. Log on to this machine using an administrator account and configure the audit policy settings below.

Legacy audit policy:
Computer Configuration\Windows settings\security settings\local policies\audit policy
Audit Logon Events – Failure
Audit process tracking - Success and Failure


Or use advanced audit policies (advanced audit policies will overwrite all legacy audit policies by default):
Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration

Logon/Logoff:
Audit Logon – Failure

Detailed Tracking
Audit Process Creation - Success and Failure

Tip:
1. If you have never configured any advanced audit policy before, then you configure the legacy audit policy.
2. If you have configured any advanced audit policy before, then you have configured the advanced audit policy.



2. Run gpupdate /force or restart this server to make the policy take effect.

3. Log on to this server with the locked domain account.

4. Once the domain account is locked again, check whether there is an event ID 4625 or event ID 4688 on this server.

5. If so, try to check if we can find which process locked this domain user account through event ID 4625 or event ID 4688 on this server, and compare the time stamps in event ID 4625 or event ID 4688 on this server with those in event ID 4740 on the DC.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou
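
One way to carry out the timestamp comparison in step 5, as an added example that is not part of the original answer: it reads event ID 4740 from the DC and event ID 4625 from the server, then lists the failed logons (with their calling process) around each lockout. SERVER1 is the server from the question; DC01, jdoe and the 5-minute window are assumptions to replace with your own values.

```powershell
# Added example, not from the original answer. DC01 and jdoe are placeholder names.
$Server           = 'SERVER1'                 # member server from the question
$DomainController = 'DC01'                    # hypothetical DC that logged event 4740
$User             = 'jdoe'                    # hypothetical locked-out account name
$Since            = (Get-Date).AddDays(-1)    # how far back to search both logs
$Window           = New-TimeSpan -Minutes 5   # assumed tolerance around each lockout

# Flatten the <EventData> of a Security event into a name -> value hashtable.
function ConvertTo-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# Event 4740 on the DC: the moments the account was locked out.
$dcFilter = @{ LogName = 'Security'; Id = 4740; StartTime = $Since }
$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable $dcFilter -ErrorAction SilentlyContinue |
    Where-Object { (ConvertTo-EventFields $_)['TargetUserName'] -eq $User }

# Event 4625 on the server: failed logons for that account and the process behind them.
$srvFilter = @{ LogName = 'Security'; Id = 4625; StartTime = $Since }
$failures = Get-WinEvent -ComputerName $Server -FilterHashtable $srvFilter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = ConvertTo-EventFields $_
        if ($f['TargetUserName'] -eq $User) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $f['LogonType']     # e.g. 3 = network, 4 = batch, 5 = service
                ProcessName = $f['ProcessName']   # "Caller Process Name" in the event viewer
                SourceIp    = $f['IpAddress']
                SubStatus   = $f['SubStatus']     # 0xC000006A = bad password, 0xC0000234 = locked out
            }
        }
    }

# For each lockout, show the failed logons on the server within the window around it.
foreach ($l in $lockouts) {
    "Lockout of $User recorded on $DomainController at $($l.TimeCreated)"
    $failures |
        Where-Object { [math]::Abs(($_.Time - $l.TimeCreated).TotalSeconds) -le $Window.TotalSeconds } |
        Sort-Object Time |
        Format-Table -AutoSize | Out-String
}
```

The account running this needs permission to read the Security log on both machines. A ProcessName that repeats just before each lockout is the process to investigate, and event ID 4688 on the server then shows how that process was started.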

