Account lockout update. Ran the script and used the Netwrix tool. Found nothing and neither identified a workstation from which the lockouts were occurring. We wound up renaming one of the two accounts and then naming it back to the original name and this solved the problem. The other account just stopped locking out. I can't say if it was before or after renaming the second account.
Thank you all for your help. On Mon, Jul 24, 2017 at 1:26 PM, Steve Whitcher <[email protected]> wrote: > Here's a script I run when someone is getting locked out and doesn't know > why: > > https://gist.github.com/NeighborGeek/6be6e04324a7a483a41802924742ad51 > > I generally set $pcname to just a single DC, then run the script on that > DC. If you run it remotely or against multiple DC's it's much slower. > > But it will find the lockout events and list the relevant details, > including the computer that the lockout came from. That should definitely > help narrow things down. > > A few of the things I commonly discover causing unexplained lockouts: > > Did the lockout come from a computer other than the one the user is > currently working on? Maybe they used a different computer recently and > left it Locked instead of logging out? > > If it was from the same computer the user is on, did they just change > their password? Have they logged off and on at least once SINCE changing > the password? > > We've also had issues with Skype for Business locking out user accounts > for some reason... they get saved credentials or an old certificate or > something and try to authenticate with that. In that case, we can unlock > the user, have them log into windows, and they are still not locked out, > but as soon as skype4b loads and tries to log in, they become locked out. > Test by exiting the skype4b app, unlock the account, and then re-launch & > sign in to skype4b. > > > > On Mon, Jul 24, 2017 at 11:55 AM, CSSU NetAdmin <[email protected]> > wrote: > >> Thanks for the links. There are two accounts that are locking out >> constantly. There is no machine name associated with the attempt. Both >> accounts are regular users so wouldn't have been used to run services. >> >> On Mon, Jul 24, 2017 at 10:51 AM, Michael B. Smith <[email protected] >> > wrote: >> >>> Here are some resources: >>> >>> >>> >>> https://www.microsoft.com/en-us/download/details.aspx?id=18465 >>> >>> https://www.microsoft.com/en-us/download/details.aspx?id=15201 >>> >>> http://activedirectorypro.com/account-lockout-tool/ >>> >>> >>> >>> Regards, >>> >>> Michael B. >>> >>> @essentialexch >>> >>> >>> >>> *From:* [email protected] [mailto:[email protected] >>> orum.com] *On Behalf Of *CSSU NetAdmin >>> *Sent:* Monday, July 24, 2017 10:24 AM >>> *To:* [email protected] >>> *Subject:* [NTSysADM] Account Lockout issue >>> >>> >>> >>> We have a Windows 2012 R2 AD network. For reasons unknown, some Windows >>> logon accounts are randomly locking out. We can unlock them but they >>> immediately relock. The individuals are not trying to login, they don't >>> have accounts on phones, etc. The lockout is not appearing in the Security >>> event log. We did notice that there are many Windows Filtering Platform >>> blocked a packet (5152) events. We are not sure if this is related to the >>> issue. >>> >>> >>> >>> The lockout problem started on Friday last week. >>> >>> >>> >>> Thanks for any help! >>> >> >> >
