Troubleshooting Account Lockout issues in Windows

Special thanks to Harivishnu for sharing this blog post.

This topic was not on my mind until yesterday, when one of my friends, working as an IT admin in a software company, rang me to tell me about an issue their corporate network is facing now: the users are continually getting locked out! Sadly, I could not give him any suggestions worth trying out.

After this, I did a little research on the topic and decided to put together a blog post so that others can also benefit from it. I am going by the presumption that every reader is aware of how to implement an account lockout policy in a network.

On the face of it, account lockout seems a good thing to implement, as it makes it difficult for attackers to launch a brute-force attack. At the same time, it can cause issues where users are continuously locked out. This can be due to any one of the following reasons:

  • Scheduled tasks trying to use old credentials.
  • Drive mappings trying to use old credentials.
  • Disconnected Terminal Services (TS) sessions that used stale credentials to connect.
  • The Service Control Manager caching an old service account password.
  • It can also be due to an obvious reason such as failure of Active Directory replication between DCs.

So how do you go about it in such a situation? Thankfully, Microsoft provides a free set of tools that can be used to troubleshoot account lockout issues, called Account Lockout and Management Tools (ALTools.exe). After extracting the toolkit, you can install the tools on any workstation or server as the situation requires.

1. AcctInfo.dll

You need to register this DLL on the system where you are using the ADUC console to manage the domain. Registering it adds a new tab called Additional Account Info to the user account properties in Active Directory Users and Computers (ADUC). The extra tab contains many useful fields, such as:

  • Password last set timestamp.
  • Password expiry timestamp.
  • User Account Control.
  • Locked date.
  • Unlock date.
  • Last logon timestamp.

2. ALockout.dll

This is an interesting tool that I have found useful in dealing with account lockout issues. It creates a log file that you can use for diagnostics. For that, you need to register this DLL on the machine where you are experiencing the account lockout issues. When the lockout occurs again, you can check the log at the following location: %WinDir%\debug\ALockout.txt. However, you must be familiar with Netlogon logging to decode it.

3. AloInfo.exe

This tool can be used for two purposes, by using different switches.

It can list the password age for each user, so that we can determine which accounts have passwords that are about to expire.

aloinfo /expires /server:server-name

The tool can also display the credentials for all mapped drives of the currently logged-on user.

aloinfo /stored /server:server-name

Here is the list of the other tools included in ALTools.exe:

  • EventCombMT.exe — used to combine event logs from multiple computers into a single location.
  • NLParse.exe — used to parse Netlogon log files.
  • EnableKerbLog.vbs — used to enable Kerberos logging.
  • LockoutStatus.exe
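As an added example (not part of the original post or of the ALTools kit), the search that EventCombMT is normally used for can also be done with PowerShell: read Event ID 4740 ("A user account was locked out") from the Security log of the PDC emulator, which records every lockout in the domain, to find the calling computer, then check that computer for scheduled tasks and services running as the locked-out account (the first and fourth causes listed earlier). It assumes the RSAT ActiveDirectory module, remote event-log and PowerShell remoting access, and a constructed sample account name.

```powershell
# Added example, not from the original post. Locate the machine that caused the
# lockout and check it for two of the causes named above: scheduled tasks and
# services still running with the user's old credentials.
param(
    [string]$User  = 'jdoe',   # constructed sample account name
    [int]   $Hours = 24        # how far back to search the Security log
)

# Lockouts are always forwarded to the PDC emulator, so one log covers the domain.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each event's XML instead of parsing the message text.
$lockouts = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Account  = $d['TargetUserName']
        Source   = $d['TargetDomainName']   # assumption: in 4740 this field carries the "Caller Computer Name"
        LockedBy = $d['SubjectUserName']    # the DC that reported the lockout
    }
}

$hits = $lockouts | Where-Object Account -eq $User
$hits | Format-Table -AutoSize

foreach ($src in ($hits.Source | Sort-Object -Unique)) {
    Write-Host "`nChecking $src for credentials cached for $User ..."
    Invoke-Command -ComputerName $src -ArgumentList $User -ScriptBlock {
        param($u)
        # Scheduled tasks registered to run as the account (cause 1)
        Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$u" } |
            Select-Object TaskName, TaskPath, @{ n = 'RunAs'; e = { $_.Principal.UserId } }
        # Services whose logon account is the user (cause 4)
        Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "*$u" } |
            Select-Object Name, StartName, State
    }
}
```

Mapped drives and disconnected TS sessions (causes 2 and 3) are per-session state, so they still have to be checked on the source machine by hand or with the AloInfo.exe /stored switch described above.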

PS: when we connect to a remote computer and select the Remember Password checkbox, the password gets stored somewhere, right? You can manage such stored logon information for network locations and websites on your machine.

This can be done by typing the following command at the command prompt.

rundll32.exe keymgr.dll, KRShowKeyMgr

I hope this blog post will aid you in troubleshooting lockout issues more effectively.

