
June 08, 2005

Troubleshooting Account Lockout Problems

Microsoft offers tools to help diagnose account lockout problems. Most useful is the "ALockout.dll Tool", a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario. Here are some links:

Download: Account Lockout and Management Tools

Technet: Documentation for Account Lockout and Management Tools

WindowsSecurity.com article on using the Account Lockout Tools

Posted by djc6 at June 8, 2005 10:40 PM


Comments

Hi All,

I thought it might be worth providing information about:

"Microsoft Windows 2000 Server and Windows Server 2003: Password and Account Lockout Features".

http://support.microsoft.com/default.aspx?scid=%2Fservicedesks%2Fwebcasts%2Fen%2Fwc022703%2Fwct022703.asp

Enjoy!

Chandan Patralekh

Posted by: Chandan Patralekh at October 27, 2006 10:40 PM

Hi All,

As always, Microsoft didn't provide a CONVENIENT way of management. All they have is a set of guidelines and ugly tools, and BTW, they don't recommend usage of ALockout.dll on production servers.

So I was looking for a 3rd party solution and discovered NetWrix Account Lockout Examiner. The product is new and doesn't do all the things you might expect, but I found it way faster to detect and diagnose MOST lockouts happening in my network. Deployment was very simple: I got it up and running within 5 minutes, and detected existing lockouts immediately. It then listed the workstations causing account lockouts and suggested possible reasons for that. For example, one workstation had a network drive mapped under the user account in question, and another one had a service running under an old password, which caused the account to become locked every day or so.

Another problem is helpdesk aid: every time a user calls the helpdesk for help with account unlocking, helpdesk personnel unlock it, but then, in most cases, give me a call to find out the reason for the recurring account lockout. Rather annoying... Fortunately 'Examiner' has an IIS application providing limited access to its features for helpdesk people. Whenever someone calls the helpdesk about a password issue, they open a web browser, determine the reason for the lockout (e.g. a scheduled task running under an old password), and supply this reason to the user. The user fixes the problem, calls the helpdesk back, and the helpdesk unlocks the account using the same web page. And all that without my help! Just excellent, nothing more to add...

Of course it won't identify reasons in 100% of cases, since some complex issues require deep manual investigation, but anyway, it takes MOST issues out. So I recommend taking a look at it; the URL is http://netwrix.com/account_lockout_examiner.html

Posted by: Peter Stone at December 25, 2006 04:44 AM