Special thanks to Harivishnu for sharing this blog post.
This topic was not on my mind until yesterday, when a friend who works as an IT admin at a software company called to tell me about an issue their corporate network is facing right now: users are continually getting locked out. Sadly, I could not give him any suggestions worth trying out.
After this, I did a little research on the topic and decided to put together a post so that others can benefit from it too. I am going on the assumption that every reader already knows how to implement an account lockout policy in a domain.
Prima facie, an account lockout policy seems a good thing to implement, since it makes it much harder for an attacker to brute-force passwords. At the same time it can cause problems where users are continuously locked out, almost always because something is still presenting an old (stale) password after the user changed it. It can be due to any of the following reasons:
- Scheduled tasks that still run with the old credentials.
- Drive mappings that reconnect with the old credentials.
- Disconnected Terminal Services (RDP) sessions that were established with credentials that have since changed.
- The Service Control Manager caching an old service account password.
- It can also be due to an obvious reason such as failed Active Directory replication between domain controllers, so that one DC still holds the old password.
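The list above is exactly what you want to enumerate on the machine that is sending the bad passwords. The following PowerShell script is an added example (not from the original post) that checks each of those sources on the local machine: services and scheduled tasks configured to run as the account, mapped drives, whatever Credential Manager has saved, and disconnected interactive sessions. It assumes it is run elevated on the suspect workstation or server, and the account name CONTOSO\jdoe is a placeholder.

```powershell
# Added example, not part of the original post. Run it elevated on the
# machine you suspect is presenting stale credentials. The account name
# is an assumed placeholder.
param(
    [string]$Account = 'CONTOSO\jdoe'
)
$sam = ($Account -split '\\')[-1]   # strip the DOMAIN\ prefix

# 1. Services configured to log on as the account. The Service Control
#    Manager keeps the password it was given at configuration time, so it
#    keeps presenting the old one after a password change.
"== Services running as $Account =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -like "*$sam*" } |
    Select-Object Name, StartName, State, StartMode |
    Format-Table -AutoSize | Out-Host

# 2. Scheduled tasks whose principal is the account.
"== Scheduled tasks running as $Account =="
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$sam*" } |
    Select-Object TaskPath, TaskName, State,
        @{ Name = 'RunAs'; Expression = { $_.Principal.UserId } } |
    Format-Table -AutoSize | Out-Host

# 3. Mapped drives of the current user, then whatever Credential Manager
#    has saved (this is where the "Remember password" check box puts it).
"== Mapped drives =="
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status |
    Format-Table -AutoSize | Out-Host
"== Stored credentials (Credential Manager) =="
cmdkey /list | Select-String -Pattern '^\s*(Target|User):'

# 4. Disconnected interactive/RDP sessions that were opened with the old
#    password show up with state "Disc". quser is the same as query user.
"== Interactive sessions for $sam =="
quser 2>$null | Select-String -SimpleMatch $sam
```

Run it on each machine the user logs on to; anything listed under the account that predates the last password change is a candidate for the stale credential. Note that the script only sees the interactive user's mapped drives and Credential Manager entries, so run it in the affected user's session for sections 3 and 4.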
So how do you go about it in such a situation? Thankfully, Microsoft provides a free set of tools for troubleshooting account lockout issues, called Account Lockout and Management Tools (ALTools.exe). After extracting the kit, you can install the individual tools on whichever workstation or server the situation calls for.
The first of them is AcctInfo.dll. You need to register this DLL (with regsvr32) on the system where you run the Active Directory Users and Computers (ADUC) console to manage the domain. Registering it adds a new tab called Additional Account Info to the user account properties in ADUC. The extra tab contains many useful fields, such as:
- Password last set timestamp.
- Password expiry timestamp.
- User Account Control flags.
- Locked date.
- Unlock date.
- Last logon timestamp.
ALockout.dll is another interesting tool that I have found useful in dealing with lockout issues. It creates a log file that you can use for diagnostics. For that you need to register this DLL on the machine where the bad password attempts are coming from (the client, not the domain controller). When the lockout occurs again you can check the log at %WinDir%\debug\ALockout.txt, which records the process that submitted the credentials. However, you must be familiar with Netlogon logging to decode it. Two caveats from Microsoft's own guidance: do not use ALockout.dll on servers that host network services, and do not use it on Exchange servers, because it can prevent the Exchange store from starting.
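Decoding Netlogon logging is mostly a matter of matching the "SamLogon ... Returns 0xC0000xxx" lines and reading the NTSTATUS code. The following PowerShell script is an added example (not part of the original post) that does what NLParse does: it enables nothing itself, but assumes you have already turned on Netlogon debug logging on the DC with nltest /dbflag:0x2080ffff, and then summarises %WinDir%\debug\netlogon.log by user, client machine and failure reason. The sample log lines embedded in it are constructed in the usual Netlogon format (they are not from a real log) so the script runs even where no log exists; the log path and the names in the samples are assumptions.

```powershell
# Added example, not part of the original post. Summarises Netlogon debug
# log lines the way NLParse does: one row per user / client / reason.
# Enable the log on the DC first with:  nltest /dbflag:0x2080ffff
# (and turn it off again with  nltest /dbflag:0x0  when done).
# The path below is an assumption.
param(
    [string]$LogPath = "$env:WinDir\debug\netlogon.log"
)

# NTSTATUS codes Netlogon returns for failed logons.
$StatusNames = @{
    '0xC000006A' = 'Wrong password'
    '0xC0000234' = 'Account locked out'
    '0xC0000064' = 'No such user'
    '0xC0000072' = 'Account disabled'
    '0xC000006F' = 'Outside logon hours'
    '0xC0000071' = 'Password expired'
    '0xC0000193' = 'Account expired'
}

# Tolerates both the older format and the newer one with a thread id.
$LinePattern = '^(?<stamp>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?SamLogon: ' +
               '(?<kind>.+?) logon of (?<user>\S+) from (?<client>\S+)' +
               '(?: \(via (?<dc>\S+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'

function ConvertFrom-NetlogonLine {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $LinePattern) {
            $status = '0x' + $Matches.status.Substring(2).ToUpper()  # normalise hex case
            [pscustomobject]@{
                Time   = $Matches.stamp
                User   = $Matches.user
                Client = $Matches.client.TrimStart('\')
                ViaDC  = $Matches.dc
                Status = $status
                Reason = if ($StatusNames.ContainsKey($status)) { $StatusNames[$status] } else { $status }
            }
        }
    }
}

# Constructed sample lines (not from a real log) in the usual Netlogon
# format. "Returns 0x0" lines are successes and are filtered out below.
$sample = @'
05/02 08:15:03 [LOGON] [1204] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via DC01) Entered
05/02 08:15:03 [LOGON] [1204] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via DC01) Returns 0xC000006A
05/02 08:15:09 [LOGON] [1204] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via DC01) Returns 0xC000006A
05/02 08:15:14 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from SRV-BACKUP Returns 0xC000006A
05/02 08:15:20 [LOGON] [1204] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via DC01) Returns 0xC0000234
05/02 08:16:02 [LOGON] [1204] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WKS07 Returns 0x0
'@ -split "`r?`n"

$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }

ConvertFrom-NetlogonLine -Lines $lines |
    Where-Object { $_.Status -ne '0x0' } |
    Group-Object User, Client, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, @{ Name = 'User / Client / Reason'; Expression = { $_.Name } } |
    Format-Table -AutoSize
```

With the sample data the top row is jdoe from WKS01 with "Wrong password", followed by the same user from SRV-BACKUP, which is the kind of second source (a backup job with a saved password, say) that turns a single bad logon into a lockout.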
ALoInfo.exe can be used for two purposes, selected by different switches.
With /expires it lists the password age of every user account, so that you can determine which passwords are about to expire (and therefore which cached copies of them are about to go stale):
aloinfo /expires /server:server-name
With /stored it displays the stored credentials, such as those for mapped drives, of the currently logged-on user:
aloinfo /stored /server:server-name
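The same password-age report can be produced without ALTools. The following PowerShell is an added example (not from the original post) that uses the ActiveDirectory module from RSAT and the DC-computed attribute msDS-UserPasswordExpiryTimeComputed to list enabled accounts whose password expires within a chosen number of days; the 7-day window is an assumption.

```powershell
# Added example, not part of the original post. Same idea as
# "aloinfo /expires", done with the ActiveDirectory module (RSAT): list
# enabled accounts whose password expires within $Days days. A password
# that is about to be changed is the one whose cached copies are about
# to go stale. The window is an assumption.
param(
    [int]$Days = 7
)

$attr = 'msDS-UserPasswordExpiryTimeComputed'   # FILETIME computed by the DC

Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
           -Properties PasswordLastSet, $attr |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'Expires'; Expression = {
            $ft = $_.$attr
            # 0 = must change at next logon; Int64.MaxValue = never expires
            if ($ft -gt 0 -and $ft -lt [long]::MaxValue) { [datetime]::FromFileTime($ft) }
        } } |
    Where-Object { $_.Expires -and $_.Expires -lt (Get-Date).AddDays($Days) } |
    Sort-Object Expires |
    Format-Table -AutoSize
```

Accounts that show up here are worth warning in advance, because their owners are the next people to change a password while a mapped drive, task or service still holds the old one.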
Here is the list of the other tools included in ALTools.exe:
- LockoutStatus.exe — shows, for one account, the lockout state, bad password count and last bad password time on every domain controller, so you can see which DC is recording the failures and whether the lockout has replicated.
- EventCombMT.exe — collects event logs from multiple computers into a single location; it has a built-in search for account lockout events.
- NLParse.exe — parses Netlogon log files, filtering for specific status codes such as 0xC000006A (wrong password) and 0xC0000234 (account locked out).
- EnableKerbLog.vbs — enables Kerberos logging.
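What LockoutStatus.exe and EventCombMT.exe do can also be done from PowerShell, which matters because the ALTools binaries are old. The following script is an added example (not part of the original post) that reads event ID 4740 ("A user account was locked out") from the PDC emulator, where every lockout in the domain is recorded, to find the caller computer name, and then queries each domain controller for the account's lockout state and bad password count, which is a non-replicated attribute. It assumes the ActiveDirectory module (RSAT), rights to read the DC's Security log, and that the user name jdoe and the 24-hour window are placeholders.

```powershell
# Added example, not part of the original post. Finds who is being locked
# out and from which computer, the way LockoutStatus/EventCombMT do, by
# reading event 4740 from the PDC emulator (every lockout is forwarded
# there). Requires the ActiveDirectory module (RSAT) and the right to read
# the DC's Security log. The user name and window are assumed placeholders.
param(
    [string]$UserName = 'jdoe',
    [int]$Hours = 24
)

$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740                        # "A user account was locked out"
    StartTime = (Get-Date).AddHours(-$Hours)
}

"== Lockout events for $UserName on $pdc (last $Hours h) =="
Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull fields by name from the event XML rather than by index.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $get  = { param($n) ($data | Where-Object Name -eq $n).'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = & $get 'TargetUserName'
            # In 4740, TargetDomainName carries the "Caller Computer Name".
            Source   = & $get 'TargetDomainName'
            LockedBy = & $get 'SubjectUserName'   # DC computer account that locked it
        }
    } |
    Where-Object { $_.Account -eq $UserName } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize | Out-Host

# badPwdCount is not replicated, so ask every DC; a count climbing on one
# DC while the others stay at zero tells you which DC the source talks to.
"== Per-DC status for $UserName =="
Get-ADDomainController -Filter * | ForEach-Object {
    $u = Get-ADUser -Identity $UserName -Server $_.HostName `
                    -Properties LockedOut, badPwdCount, LastBadPasswordAttempt
    [pscustomobject]@{
        DC          = $_.HostName
        LockedOut   = $u.LockedOut
        BadPwdCount = $u.badPwdCount
        LastBad     = $u.LastBadPasswordAttempt
    }
} | Sort-Object LastBad -Descending | Format-Table -AutoSize
```

The Source column is the machine to run the stale-credential checks on; if it is blank or shows a DC name, the attempt came in over a protocol that does not report the workstation (RPC or some Kerberos paths), and the Netlogon log on that DC is the next stop.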
PS: when you connect to a remote computer and tick the Remember password check box, the credential gets stored somewhere, right? It lands in Credential Manager, and you can manage such saved logon information for network locations and websites on your machine.
This can be done by typing the following command at a command prompt:
rundll32.exe keymgr.dll, KRShowKeyMgr
I hope this post will aid you in troubleshooting lockout issues more effectively.