Account lockout and management tools
Author: A | 2025-04-24
Here are the steps to troubleshoot account lockout issues in Active Directory using the Microsoft Account Lockout and Management Tools. These tools ship in the AlTools.exe package and assist you in managing accounts and in troubleshooting account lockouts. The files included in the package are listed in the Microsoft KB excerpt at the end of this page.
This article outlines the process to identify and resolve account lockouts in an Active Directory environment.

Process

1) Change the lockout policy according to Microsoft's recommendation
The lockout policy's ultimate goal is to protect against automated password guessing (brute-force attacks), so the threshold should be high enough that accounts are not accidentally locked out by an end user or by an incorrect saved password. As per the referenced articles, I would recommend the following lockout settings:
- Account lockout threshold: 50
- Reset account lockout counter after: 10 minutes

2) Enable auditing
Identifying the source of account lockouts in a complex environment is virtually impossible without auditing enabled. Please note: only events that occur after auditing is enabled will be logged. It might also be necessary to increase the Security log file size.
In addition to the above, the following settings might provide some extra clues to the source of the lockout. After setting these values, additional logs can be found in Event Viewer under Applications and Services Logs/Microsoft/Windows/NTLM.
Path: Computer Configuration\Windows Settings\Local Policies\Security Options
- Setting: Network Security: Restrict NTLM: Audit Incoming NTLM Traffic. Value: Enable auditing for all accounts
- Setting: Network security: Restrict NTLM: Audit NTLM authentication in this domain. Value: Enable all

3) Identify the source device the lockout occurred on
3.1) EventComb
Part of the Account Lockout and Management Tools; a useful tool in a pinch. Please note: the built-in search for account lockouts does not use the newer event IDs. To search for the newer IDs, add 4625, 4740, 4771, 4768 and 4776 to the list. For details on these events, see the linked reference. The events gathered from the selected domain controllers are saved as text files in the temp folder.
3.2) LockoutStatus
Part of the Account Lockout and Management Tools. When you start the tool, you specify the user account to inspect. Please note: if the locking device is a domain controller, you have to follow the trail until you get to the actual source device name.
3.3) AD Audit
See the linked reference. A personal favorite: AD Audit makes finding the source of the lockout super easy; just use the built-in reports.
3.4) PowerShell
FindUserBadPwdAttempts

4) Identify the source process that locked the account
4.1) Netwrix Account Lockout Examiner
See the linked reference. Set up Netwrix Account Lockout Examiner on another computer. After that, run it and point it to the device that
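As an added example (not code from the original article or from any of the tools it names), this PowerShell script automates steps 3 and 4 above: it reads the 4740 lockout events for one account from the PDC emulator to get the caller computer name, then pulls the matching Kerberos pre-authentication failures (4771) from every domain controller to get the client IP. It assumes the RSAT ActiveDirectory module and read access to the domain controllers' Security logs; the parameter names are my own.

```powershell
# Added example: find the device behind an account lockout (steps 3 and 4).
# Assumes the RSAT ActiveDirectory module and rights to read DC Security logs.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,  # account to investigate
    [int]$Hours = 24                                  # look-back window
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)
$pdc   = (Get-ADDomain).PDCEmulator   # every lockout is forwarded to the PDC emulator

# Turn an event's <EventData> into a hashtable keyed by the Data Name attribute,
# so fields can be read by name instead of by positional index.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Step 3: which device caused the lockout? In event 4740 the caller computer
# name is stored in the TargetDomainName field (a known quirk of that event).
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $data = ConvertTo-EventData $_
    if ($data.TargetUserName -eq $SamAccountName) {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data.TargetUserName
            CallerComputer = $data.TargetDomainName
            LoggedOnDC     = $_.MachineName
        }
    }
} | Format-Table -AutoSize

# Step 4 groundwork: Kerberos pre-auth failures (4771) for the same account on
# each DC. Status 0x18 means a bad password; IpAddress is the client that sent it.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $data = ConvertTo-EventData $_
        if ($data.TargetUserName -eq $SamAccountName -and $data.Status -eq '0x18') {
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; ClientIP = $data.IpAddress }
        }
    } | Format-Table -AutoSize
}
```

Once the caller computer and client IP agree, the process-level check on that host (mapped drives, scheduled tasks, services, saved RDP credentials) is where ALockout.dll or Netwrix Account Lockout Examiner picks up.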
2025-03-29
How many account lockouts do you deal with every day? Troubleshooting account lockouts has always been an IT admin's daily task: either employees forget their passwords, or accounts lock out due to a significant increase in authentication requests on domain controllers. On top of that, account lockouts can also be a sign of the Conficker virus (also known as Downup, Downadup or Kido), which performs brute-force attacks against accounts in a network, or of a password change on a service account.

Here is a list of free tools that can help you investigate the root cause of an account lockout more quickly and prevent decreases in productivity:

Tool #1. Netwrix Account Lockout Examiner
This is a free tool that helps IT staff identify lockout root causes in a single keystroke. The freeware enables you to do the following:
- Identify root causes of lockouts. The tool gets you to the root of the problem in a single click, whether it's improperly mapped network drives, services or scheduled tasks running under stale credentials, or an outdated password saved on a mobile device.
- Minimize troubleshooting time. The tool helps you slash troubleshooting time by 90% with easy root cause investigation. It allows you to find even the most complex lockout reasons in minutes, so you know exactly what needs to be fixed.
- Reduce the pressure on your help desk. The tool empowers the IT team to quickly troubleshoot user issues and minimize business downtime whenever a service account from a critical app or a domain controller gets locked out.

Tool #2. Account Lockout Status tools
This is a set of tools Microsoft offers to help you with account lockout troubleshooting:
- EventCombMT.exe collects and filters events from the event logs of domain controllers. This tool has a built-in search for account lockouts. It gathers the event IDs related to a certain account lockout into a separate text file.
- LockoutStatus.exe examines all DCs in a domain, letting you know when the target account last locked out and from which DC. In addition, it provides the locked-out account's current status and the number of bad password attempts.
- Netlogon logging is used to track Netlogon and NT LAN Manager (NTLM) events. Enabling Netlogon logging on all DCs is an effective way to isolate a locked-out account and see where the account is being locked out. Although Netlogon logging isn't part of the Account Lockout and Management Tools, NLParse.exe, which is one of those tools, is used to parse the Netlogon logs.
- AcctInfo exposes more properties in ADUC (Active Directory Users and Computers), e.g., last logon and password expiry. Specifically, this add-on gives you an extra tab in ADUC called Additional Account Info that helps isolate and troubleshoot account lockouts and change a user's password on a domain controller in that user's site.

Tool #3. AD Lockouts
This simple utility tries to track the origin of Active Directory bad password attempts and lockouts. It can search each domain/domain controller for bad password attempts against an account. It will then parse any related events on each domain controller and work out where the origin of the lockout came from. After that, it analyzes each machine and outputs the common causes of account lockouts that are present (e.g., mapped drives, old RDP sessions, scheduled tasks).

Tool #4. PowerShell
Using the following PowerShell command, you can easily filter the event log for events related to a certain account and try to figure out what caused its lockout:

    Get-EventLog -LogName Security | ?{$_.message -like "*locked*USERNAME*"} | fl -property *

You can also use the Get-UserLockoutStatus function to troubleshoot persistent account lockout problems. The function searches all domain controllers in a domain for a user's account lockout status: bad password count, last bad password time, and when the password was last set. You can find the full code here.

Tool #5. N/A
Actually, I couldn't find a fifth free tool; my bad. However, there are some paid tools such as the ManageEngine and Jiji account lockout tools. The Algoware AD tool didn't work in my test environment, so I have no clue what it is actually capable of doing. Maybe you can recommend one? Which free account lockout troubleshooting tool do you use?

Discover more free tools for IT admins in our recent article.

Oleg is an IT professional with more than 10 years of experience. As a technical author, Oleg focuses on IT security best practices, Active Directory management tips and tricks, and IT tools reviews. Oleg's lists of freeware for IT admins have saved time and budget for thousands of admins all around the world.
2025-04-20
Article 01/15/2025
This article introduces the Account Lockout and Management Tools for Windows Server.
Original KB number: 4469275

Summary
This article introduces the Account Lockout and Management Tools. This set of tools helps you manage accounts and troubleshoot account lockouts.

More information
The following files are included in the Account Lockout and Management Tools package:
- AcctInfo.dll: helps isolate and troubleshoot account lockouts and change a user's password on a domain controller in that user's site. This tool adds new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).
- ALockout.dll: on the client computer, helps determine a process or application that is sending bad credentials. Important: do not use this tool on servers that host network applications or services. Also, do not use ALockout.dll on servers that run Microsoft Exchange Server, because it may prevent the Exchange store from starting.
- ALoInfo.exe: displays the names and password ages of all user accounts.
- EnableKerbLog.vbs: used as a startup script, it enables Kerberos logging on all clients that run Windows 2000 and later versions of Windows.
- EventCombMT.exe: collects specific events from the event logs of several computers into one central location.
- LockoutStatus.exe: to gather the relevant logs, determines all the domain controllers involved in a lockout of a user account. LockoutStatus.exe uses the NLParse.exe tool to parse the Netlogon logs for specific Netlogon return status codes. This tool directs its output to a comma-separated values (.csv) file that you can sort.