INTRUST GROUP - Managed Services Provider

Technical Blog

Troubleshooting Accounts That Repeatedly Get Locked Out

20 Jan 2012

I recently had a client that was getting her Active Directory account locked out about once a week. I could tell when her account got locked out, and which computer was locking it out, by checking for event 644 in the security log on her company’s domain controller.

However, I could not find why it was getting locked out.

I did all the normal checks … checked for services running as her account, checked for persistent drive mappings, checked for scheduled tasks that might run as her, and checked to make sure she didn’t have a phone that was checking her email. None of these were causing the lockout.

Then, I found the Microsoft Account Lockout and Management Tools. Some of the helpful tools in this package are:

  • LockoutStatus.exe, which tells the state of the account on each of the DCs
  • ALockout.dll, which can be installed to log access to passwords on a computer
  • ALoInfo.exe, which lists all the users and the age of their passwords

There are several other good tools in this package as well. I tried all of these, but they still did not point to what was locking out the password.

Finally, I discovered that there is a credential manager in Windows that can store passwords. You can access this through the User control panel on the advanced tab (in Windows 7). I found that the credential manager was storing her Active Directory account password. I removed her password from the credential manager and her account stopped getting locked out.
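
The workstation checks described above (services, scheduled tasks, persistent drive mappings and Credential Manager entries) can be gathered in one pass. The PowerShell below is an added example, not part of the original post; it assumes PowerShell 3.0 or later, English-language output from schtasks and cmdkey, and that it is run in the affected user's own session. The function name Find-AccountCredentialUse is hypothetical.

```powershell
# Added example (not from the original post). Run it in the affected user's
# session on the computer named in the lockout event.
# Assumptions: PowerShell 3.0+, English-language schtasks/cmdkey output.
function Find-AccountCredentialUse {   # hypothetical helper name
    param([string]$Account = $env:USERNAME)
    $like = "*$Account*"

    # Services configured to log on as the account
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -like $like } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Service'; Item = $_.Name; Account = $_.StartName }
        }

    # Scheduled tasks that run as the account
    schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -like $like } |
        Sort-Object TaskName -Unique | ForEach-Object {
            [pscustomobject]@{ Source = 'Scheduled task'; Item = $_.TaskName; Account = $_.'Run As User' }
        }

    # Persistent drive mappings (HKCU:\Network\<letter>); UserName is empty
    # when the mapping uses the logon credentials, so every mapping is listed
    Get-ChildItem HKCU:\Network -ErrorAction SilentlyContinue | ForEach-Object {
        $map = Get-ItemProperty -Path $_.PSPath
        [pscustomobject]@{ Source  = 'Mapped drive'
                           Item    = "$($_.PSChildName): $($map.RemotePath)"
                           Account = $map.UserName }
    }

    # Credential Manager entries: cmdkey prints Target:/Type:/User: blocks
    $target = $null
    foreach ($line in (cmdkey.exe /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') { $target = $Matches[1].Trim() }
        elseif ($line -match '^\s*User:\s*(.+)$' -and $Matches[1] -like $like) {
            [pscustomobject]@{ Source = 'Credential Manager'; Item = $target; Account = $Matches[1].Trim() }
        }
    }
}

Find-AccountCredentialUse | Format-Table -AutoSize
```

A row with Source "Credential Manager" corresponds to the kind of stored password that caused the lockouts in this case; it can be removed in the Credential Manager control panel or with `cmdkey /delete:` followed by the listed target.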

Marc Reiter