Blog Of Directory Service

Am I locked out? Where? How?

  • Post On 2014-10-22

Account lockout is one of the more effective controls against password-guessing attacks: after a set number of failed attempts within a set window the account is locked and further guesses are refused. The idea has spread well beyond Active Directory. My cellphone locks after three wrong passwords and cannot be used for about 2 minutes.

Although this policy helps stop attackers from guessing a user's password, weigh the risk it introduces in your environment: authorized users lock themselves out by mistyping a password they only half remember, and anyone who knows an account name can lock that account deliberately just by sending bad passwords. This can be costly for your organization, because a locked-out account cannot log on until it unlocks automatically after the lockout duration or an administrator unlocks it.

The common question from administrators is where a user was locked out from. You have protected accounts against brute-force guessing, but what do you do when a user actually gets locked out? In most cases administrators struggle to find the root cause. It is easier than it looks.

First, understand where the evidence is. When a domain controller locks an account it writes event ID 4740 ("A user account was locked out") to its Security log, and because every DC forwards bad-password and lockout state to the PDC emulator, the PDC emulator's Security log holds a 4740 for every lockout in the domain. The event names the locked-out account and the Caller Computer Name, the machine that submitted the bad credentials. So you filter the PDC emulator's Security log for event 4740 and read through the matches. Two caveats: 4740 is only written if the "Audit User Account Management" subcategory (Success) is enabled on your DCs, and the basic Filter Current Log dialog in Event Viewer cannot filter on the target user name, so you either page through every 4740 by hand or write a custom XML (XPath) filter on the TargetUserName field. But here comes the magic!

There is a nice PowerShell script by Jason Walker (perfect TechNet boy!) which can be downloaded from the link in the original post. It does everything you want in one go: it finds the PDC emulator in your environment, connects to it, retrieves the 4740 events and filters that pile of events down to the user account you are looking for.

After downloading, copy the script into a folder on your PDC emulator (the script locates the PDC emulator itself, so any machine with the Active Directory PowerShell module and rights to read the PDC emulator's Security log remotely will also do). Open PowerShell with 'Run as administrator' and change to that folder. A script downloaded from the internet may be blocked by the execution policy until you unblock it. Now dot-source the script so that its function is loaded into your session: type a dot, a space and then the script name with its extension, for example, if the file is named Get-LockedOutLocation.ps1:

. .\Get-LockedOutLocation.ps1

and press Enter.


Now check a sample locked-out user. Call the function with the -Identity parameter and the sAMAccountName of the locked-out user. Example:

Get-LockedOutLocation -Identity t.aghayari

After a moment a summary appears. Check the LockedOutLocation column: it is the Caller Computer Name from the 4740 event, the machine that sent the bad password, and that is where your investigation should start. Bear in mind that it names the machine that presented the credentials to the DC, which may be a server acting on the user's behalf (a mail server, terminal server or web gateway holding stale saved credentials) rather than the user's own workstation; if so, continue the investigation on that host. If it is blank, the lockout came over a path that reports no caller name, and you will need the logon failure events on the DC (4771 for Kerberos pre-authentication failures, 4776 for NTLM validation) to narrow it down.
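To make the mechanics visible, here is an added example that is not part of the original post and not Jason Walker's script. It does by hand what the script does: locate the PDC emulator, query its Security log for event 4740 with an XPath filter on TargetUserName so the filtering happens on the DC instead of shipping every 4740 over the wire, and return the caller computer name for each match. It assumes the ActiveDirectory module is installed where it runs and that the caller can read the PDC emulator's Security log remotely (Event Log Readers on the DC, or a domain admin); the function name Find-LockoutSource and its parameters are mine, not from the page.

```powershell
# Find-LockoutSource.ps1 -- added example, not Jason Walker's Get-LockedOutLocation.
# Assumptions: RSAT / ActiveDirectory module present; remote read access to the
# PDC emulator's Security log (Remote Event Log Management firewall rule open).
# 4740 is only written when "Audit User Account Management" (Success) is on.
function Find-LockoutSource {
    [CmdletBinding()]
    param(
        # sAMAccountName of the locked-out user, e.g. t.aghayari.
        # The pattern rejects characters AD forbids in sAMAccountName plus the
        # apostrophe, so $Identity cannot break out of the XPath string below.
        [Parameter(Mandatory)]
        [ValidatePattern('^[^"/\\\[\]:;|=,+*?<>'']+$')]
        [string]$Identity,

        # How far back to look. 4740 is a rare event, so a week is cheap.
        [int]$Days = 7
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Every DC forwards bad-password and lockout state to the PDC emulator,
    # so its Security log is the one place that sees every lockout.
    $pdc = (Get-ADDomain).PDCEmulator
    Write-Verbose "Querying Security log on PDC emulator $pdc"

    # XPath: event 4740, inside the time window, TargetUserName == $Identity.
    # The same expression can be pasted into Event Viewer's XML filter tab.
    $windowMs = [int64]$Days * 24 * 60 * 60 * 1000
    $xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
             " and EventData[Data[@Name='TargetUserName']='$Identity']]"

    $events = Get-WinEvent -ComputerName $pdc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No 4740 events for $Identity on $pdc in the last $Days day(s)"
        return
    }

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of
        # relying on Properties[] positions.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.'#text'
        }
        [pscustomobject]@{
            TimeCreated       = $e.TimeCreated
            User              = $data['TargetUserName']
            # Event Viewer labels this "Caller Computer Name"; in 4740 the
            # field is named TargetDomainName. This is the machine that sent
            # the bad credentials, i.e. where the investigation continues.
            LockedOutLocation = $data['TargetDomainName']
            # Subject of a 4740 is the DC computer account that locked the user.
            LockedBy          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            ReportedBy        = $e.MachineName
        }
    }
}

# Usage (after dot-sourcing this file):
#   Find-LockoutSource -Identity t.aghayari -Days 3 -Verbose | Format-Table -AutoSize
```

The XPath filter does the user matching on the DC, which matters on a busy domain where the Security log holds thousands of 4740 events. If LockedOutLocation is a server rather than a workstation, or is empty, run the same kind of search for the logon failure events on that host or on the DC to find the real source.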


I have another article about investigating why a user account gets locked out from a given workstation, linked from the original post. Just as a note, Jason did a very good job on this script, so do rate it if you find it useful.

Active Directory
Mahdi Tehrani

info@mahditehrani.ir
