=== Problem Description ===
A user reported that his account keeps getting locked out: at first the lockout lasted about an hour, and now it is down to less than 30 seconds.
=== Cause Analysis ===
Possible causes of the account lockout:
It turned out that the user changed his password two weeks ago through PowerShell, and that change is what triggered the lockouts.
Credentials with the old password are still stored on another server or client and keep trying to authenticate with it.
The user's computer is infected, or someone is deliberately trying passwords against the account.
He is the only person in that office, so a virus can be ruled out; malicious password attempts would not lock the account in every time period either, so that can be excluded as well.
The attached tool (uploaded with this post) shows account lockout information: install it on a DC, enter the locked account's user name and password, and it displays the lockout details, the time the password was last changed, and similar information.
=== Event Viewer ===
The default logs hold nothing useful for investigating the lockout; account logon auditing and account management auditing must be enabled first.
Enable them on the DC that holds the PDC emulator role; run netdom query fsmo to see which DC that is.
1) It can be set either in local policy or in Group Policy; the end result is that the local audit policy is enabled with the options shown in the figure.
(Figure: Turn on the audit policy)
2) Refresh Group Policy, then run auditpol /get /category:* to verify that the audit policy is in effect.
(Figure: Turn on the local audit policy)
3) Wait for the problem to recur, then check the log: event ID 4740 is the account lockout event.
It shows that the locked user is L70082 and the lockout source is a computer named ADMIN-PC, which is not the computer the user logs on from.
The figures below describe the event IDs for account unlock and credential validation.
(Figure: 4740)
Account unlock: event ID 4767, covering both manual unlocks by an administrator and automatic unlocks once the lockout duration expires.
(Figure: Unlocks the user's audit log)
Credential validation: event ID 4776. This event and 4770 are especially important for troubleshooting; the investigation mainly collects these two types of log.
(Figure: 4776 credential validation)
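As an added example (not code from the original post), the following PowerShell script pulls the four event IDs described above from the PDC emulator and prints, for the locked account, the field in each event that identifies where it came from. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the PDC's Security log remotely (Remote Event Log Management allowed through the firewall), and that the account name (L70082 from the post) is passed as a parameter.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module and remote read access to the PDC emulator's Security log.
param(
    [string]$Account = 'L70082',   # locked account named in the post; replace as needed
    [int]$Hours = 24               # how far back to search
)
Import-Module ActiveDirectory

# Every DC forwards bad-password and lockout information to the PDC emulator,
# so its log is the complete one (the post locates it with netdom query fsmo).
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator: $pdc"

# Same check the post does after refreshing Group Policy, run on the PDC
Invoke-Command -ComputerName $pdc -ScriptBlock { auditpol /get /category:* }

function Convert-EventData {
    # Flatten <EventData><Data Name="..."> of a Security event into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Event IDs from the post: 4740 lockout, 4767 unlock, 4776 NTLM credential
# validation, 4770 Kerberos ticket renewal
$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4767, 4776, 4770
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Convert-EventData $_
        if ($d.TargetUserName -ne $Account) { return }   # -ne is case-insensitive
        # The field that names the source differs per event ID:
        # 4740 puts the caller computer name in TargetDomainName,
        # 4776 uses Workstation, 4770 carries the client IpAddress,
        # 4767 records in SubjectUserName who performed the unlock.
        $source = switch ($_.Id) {
            4740    { $d.TargetDomainName }
            4776    { $d.Workstation }
            4770    { $d.IpAddress }
            default { $d.SubjectUserName }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = $d.TargetUserName
            Source  = $source
            Status  = $d.Status   # 4776 only: 0xC000006A bad password, 0xC0000234 already locked
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Run it from a domain-joined administrative workstation. The Source column of a 4740 row is the caller computer name the post found in the figure (ADMIN-PC), and the 4776 rows just before that timestamp show which workstation's credential validation failed, which is the machine to examine next.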
=== Problem Troubleshooting: the suspect PC ===
1) Find the computer named admin-pc in the domain OU.
(Figure: Find the computer)
2) Use the ping command to get the computer's IP address.
(Figure: IP address)
3) Ask the network staff which department uses this PC. Reached the department's staff over instant messaging and started troubleshooting: no abnormal services or processes, and no scheduled tasks related to the locked account.
Enable the local audit policy on the user's computer, wait for the problem to recur and capture the log.
Refresh Group Policy and run auditpol /get /category:* to check that the policy took effect.
(Figure: user local audit)
4) Enable logon events: this shows whether any user other than the local one logs on to this computer.
Enable process tracking: this records the start and end of every operation on the user's computer, the account name used and the file being invoked.
But the results gave no clue about L70082 (the locked account).
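As an added example (not from the original post), this PowerShell script does on the suspect client what steps 3 and 4 describe: it lists the persistent places where an old password can hide (services, scheduled tasks, stored credentials), enables the two audit subcategories the post turns on, and then pulls the logon and process-creation events that mention the locked account. It assumes it runs elevated on the client itself (ADMIN-PC in the post); the account name is a parameter.

```powershell
# Added example, not code from the original post. Run elevated on the suspect client.
param(
    [string]$Account = 'L70082',   # locked account named in the post; replace as needed
    [int]$Hours = 24
)

# --- Step 3 of the post: persistent consumers of a stale password ---
"Services running as $Account"
Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "*$Account*" } |
    Select-Object Name, StartName, State

"Scheduled tasks running as $Account"
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$Account*" } |
    Select-Object TaskName, TaskPath, State

"Stored credentials in Credential Manager (old passwords for mapped drives live here)"
cmdkey /list

# --- Step 4 of the post: logon events and process tracking, then verify ---
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
auditpol /get /category:*

# After the lockout has recurred, pull the events that name the account:
# 4624 logon succeeded, 4625 logon failed, 4648 logon with explicit credentials
# (a process that supplied the password itself), 4688 process created.
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4648, 4688
    StartTime = (Get-Date).AddHours(-$Hours)
}
$pattern = [regex]::Escape($Account)

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.ToXml() -match $pattern } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        # 4688 names the new process in NewProcessName; the others use ProcessName
        $proc = if ($_.Id -eq 4688) { $d.NewProcessName } else { $d.ProcessName }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Subject   = $d.SubjectUserName   # account that initiated the action
            Target    = $d.TargetUserName    # account the credentials were for
            LogonType = $d.LogonType         # 2 interactive, 3 network, 4 batch, 5 service, 7 unlock
            Process   = $proc
            Status    = $d.Status            # 4625: 0xC000006D bad credentials, 0xC0000234 locked out
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

A 4648 or 4625 row whose Process column points at a service host, a backup agent or a scheduled task engine, timed just before the 4740 on the PDC, is usually the holder of the old password; a 4688 row tells which binary started it.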
5) Going further, with the user's consent, shut down his computer after work to see whether the account would still get locked.
A minute later the account was locked again, the source was still admin-pc, and by this time the target could no longer be pinged.
6) What is going on? The problem is still under investigation; stay tuned ...
AD account lockout error (to be continued)