Symptoms
CyberQP only detects lockouts in the environment as reported by the domain controller. Once the server agent is installed, you may see the following symptoms of account lockout alerts:
1. You see Account Locked - Success in your QP dashboard Events tab
2. End-users get notifications that their account is locked.
Resolution Steps
There are a number of things that may cause an account lockout. Not all of the steps listed below will apply to your unique situation; they are to be used as a guideline to assist with your diagnosis.
The most common scenarios are:
- The user is logged into an application that authenticates against AD/O365 but has not logged out of it since the password change was made.
- A service is using the account for authorization – because this is set up as an End User account, we don't check for password changes on services.
- A mobile application (like Outlook on iOS or Android) that is beyond the End User's reach (for example, they set up their iPad at home with the work email) – it will continually try to authenticate with the old password, eventually locking the account.
- The user has changed their password over VPN. They may have re-entered their password in all their applications but did not lock/unlock the laptop itself.
Some of the less common scenarios:
- RADIUS or other Network Authentication for Wi-Fi or Wired Network connections
- The End User has changed the password for their account via the Mobile or Website App (or via CTRL – ALT – DEL), and another device is still using the old credentials to connect to the network – that device will constantly try to authenticate, which will of course lock the account.
- Some other authentication source (like VPN software, etc.) attempts to log in as the account – repeated attempts may cause the account to lock out.
- SSO Logins using Active Directory as the source
Here is a PowerShell command that you can Run As Administrator on the Domain Controller that the end user would have authenticated against:
Get-EventLog -LogName Security -InstanceId 4740 -Verbose | Format-Table -Wrap >C:\FOLDERNAME\Lockouts.txt
Running that PowerShell command extracts the Lockout Events (event ID 4740) to a text file (please change the FOLDERNAME value to a folder that the Admin account has access to).
You can also use this tool provided by Microsoft, which could help you determine where the lockout is occurring.
https://www.microsoft.com/en-ca/download/details.aspx?id=18465
Extract the software to a folder on one of the Domain Controllers, then run "C:\**extractedfolder**\ALTools\eventcombMT.exe" as a Domain Admin account. It lets you select all DCs, comb through the event logs from all of them, and extract the results to a TXT/CSV file that you can then look through to find ALL events.
You can set the screen to look like below:
Then run the scan - it finds that event ID on ALL the DCs and dumps the results to individual TXT/CSV files that you can then read through.
Included in the event should be the originating SOURCE machine/IP that will assist you with tracking down the cause of the repeated logins. If the source appears to be another computer – then check that source for sessions using the End User’s credentials. If this DC or another DC appears to be the source of the lock outs, you can check things like the mobile devices attempting to authenticate or the RADIUS/Network Authentication processes.
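The following PowerShell script is an added example (not part of the original article or the CyberQP product) that automates the step above: it collects event 4740 from every Domain Controller and summarises the lockouts by account and by the caller computer the DC recorded as the source. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read each DC's Security log remotely; the look-back window and output path are placeholders to adjust.

```powershell
# Added example, not from the article: summarise 4740 lockout events across all
# DCs by locked account and by the caller computer recorded as the source.
# Assumptions: RSAT ActiveDirectory module present; remote Security log access.
Import-Module ActiveDirectory

$hours = 24                              # assumed look-back window; adjust as needed
$since = (Get-Date).AddHours(-$hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$lockouts = foreach ($dc in $dcs) {
    # 4740 = "A user account was locked out". Query every DC, because the event is
    # written on the DC that processed the bad-password threshold.
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $since
        } -ErrorAction Stop
    } catch {
        Write-Warning "No 4740 events or no access on ${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time             = $e.TimeCreated
            DomainController = $dc
            Account          = $d['TargetUserName']
            # On 4740 the caller computer (source of the bad passwords) is in TargetDomainName.
            CallerComputer   = $d['TargetDomainName']
        }
    }
}

# One row per account/caller pair: repeated lockouts from the same source point at a
# stale mobile device, service, mapped drive or cached session using the old password.
$lockouts |
    Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='Account';        e={$_.Group[0].Account}},
        @{n='CallerComputer'; e={$_.Group[0].CallerComputer}},
        @{n='LastSeen';       e={($_.Group | Sort-Object Time)[-1].Time}} |
    Format-Table -AutoSize

# Keep the raw rows as well, like the article's plain text export (placeholder path).
$lockouts | Export-Csv -Path 'C:\FOLDERNAME\Lockouts-by-source.csv' -NoTypeInformation
```

If the caller computer is a DC rather than a workstation, the bad passwords are arriving through that DC (for example via RADIUS, VPN or a mobile device), so check those authentication paths next.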