Recently I wanted to connect to a machine with my admin user, but then I realized that this user had been locked out in Active Directory. The bad password counter was relatively high and was being reset frequently, about every 15 minutes. So what could cause this issue? There must be some wrong configuration somewhere. I started to investigate.

Imagine a setup with multiple Domain Controllers.
Firstly, you have to find out which DC causes the lockout. Microsoft offers an amazing toolbox called “Account Lockout and Management Tools”. They are available at the following URL:
https://www.microsoft.com/en-us/download/details.aspx?id=18465

Simply start LockoutStatus.exe as a Domain Admin, or at least with sufficient permissions, and enter the target admin user who has been locked out. The tool will enumerate all Domain Controllers and show you a list with “Last Bad Password”, “Bad Password Counter”, “Last Password Change Date” and so on. Now you know which Domain Controller is involved.

Secondly, you will connect via RDP to the mentioned Domain Controller and start the Event Viewer there. Navigate to System -> Security:

Now filter the current log for the event ID: 4625

After that you should be able to see the corresponding log entries. The important part here is the Caller Machine Name: it tells you which server is producing the bad logins. Another crucial detail is the value of the logon type, which lets you narrow down the cause (interactive, service, network, scheduled task and so on). The possible values are listed here:
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4625
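Both steps above can be scripted instead of clicking through LockoutStatus.exe and the Event Viewer. The following PowerShell is an added example and not code from the original post: it assumes the ActiveDirectory RSAT module is installed, that the session has Domain Admin (or equivalent) rights plus remote event log access to the DCs, and the account name `admin.user` is a placeholder. The numeric property indices follow the standard field order of event 4625 (5 = TargetUserName, 7 = Status, 10 = LogonType, 13 = WorkstationName, 19 = IpAddress).

```powershell
# Added example, not part of the original post.
# Step 1 replaces LockoutStatus.exe: query every DC for the non-replicated
# lockout attributes. Step 2 replaces the Event Viewer filter on event 4625.
param(
    [string]$SamAccountName = 'admin.user'   # placeholder account name
)

Import-Module ActiveDirectory

# --- Step 1: which DC saw the bad passwords? --------------------------------
# badPwdCount, lastBadPasswordAttempt and lockoutTime are not replicated,
# so each DC has to be asked individually.
$dcs = Get-ADDomainController -Filter *
$status = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
            -Properties badPwdCount, LastBadPasswordAttempt, lockoutTime, PasswordLastSet
    [pscustomobject]@{
        DC               = $dc.HostName
        BadPasswordCount = $u.badPwdCount
        LastBadPassword  = $u.LastBadPasswordAttempt
        LockedOutSince   = if ($u.lockoutTime -gt 0) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        PasswordLastSet  = $u.PasswordLastSet
    }
}
$status | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize

# The DC with the most recent bad-password timestamp is the one to inspect.
$target = ($status | Sort-Object LastBadPassword -Descending | Select-Object -First 1).DC

# --- Step 2: pull event 4625 for the account from that DC --------------------
$events = Get-WinEvent -ComputerName $target -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

# Summarise by caller machine and logon type; the top row is usually the culprit.
$events |
    Where-Object { $_.Properties[5].Value -eq $SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Workstation = $_.Properties[13].Value      # "Caller Machine Name"
            IpAddress   = $_.Properties[19].Value
            LogonType   = $_.Properties[10].Value
            Status      = ('0x{0:X}' -f $_.Properties[7].Value)
        }
    } |
    Group-Object Workstation, LogonType |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

One caveat worth knowing when the 4625 filter comes back empty on a domain controller: failed Kerberos pre-authentication is logged there as event 4771 and failed NTLM validation as 4776, and the lockout itself is recorded as event 4740 (whose “Caller Computer Name” field carries the same information as the Caller Machine Name above). Widening the `Id` filter to `4625, 4740, 4771, 4776` covers all of them; the property indices in the script apply to 4625 only, so the other events need their own field mapping.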

Finally, it should be relatively easy to solve. The possible sources of the bad logins are for example:

  • Scheduled tasks
  • Services
  • Stored credentials
  • File share access
