Forum Newbie
Group: Forum Members
I have a strange and irritating account lockout that I can't track down. The lockouts seem completely random and seem to happen more when the user is logged in to the office but I can see that bad attempts have been made even when the user is not in the office, not logged in to any (known) machine. The only real evidence I have is the change in the user attribute "badpasswordtime" and the 4740 event. I have all authentication logging turned on, on PDC. Even more strange is that the caller_computer_name in the log is a server, DirSync server. The user account does not have access to log in to this server, never has had.

Supreme Being
Group: Moderators
Check the time on the user's host to ensure that it is synced correctly. What is the function of the server "DirSync"?

Forum Newbie
Group: Forum Members
The time of the servers is in sync, within a second. The DirSync server runs AAD Connect, syncing AD to Azure. The account with this issue does not sync to Azure.
Every 4771 event I see has an event code of 0x12, after the account is locked out. I'm running Splunk, collecting logs from all DCs and the server in question. I must need additional logging turned on to capture the actual bad password attempt but to this point the only events I see are the 4740 event when the account is locked out and then 4771 0x12 events while the account is locked out.
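
An added example, not part of any post in this thread: a Python sketch that correlates each 4740 lockout with the bad-password events preceding it across all DCs, separating causes (4771 status 0x18, 4776 status 0xC000006A) from symptoms that only appear once the account is locked (4771 0x12, 4776 0xC0000234). The record field names, hostnames, users and timestamps are constructed assumptions standing in for whatever an export of the collected DC logs provides.

```python
from datetime import datetime, timedelta

# (event id, status) pairs: a wrong password causes a lockout,
# "revoked"/"locked" statuses only appear once the account is already locked.
CAUSE = {(4771, "0x18"): "Kerberos bad password",
         (4776, "0xc000006a"): "NTLM bad password"}
SYMPTOM = {(4771, "0x12"), (4776, "0xc0000234")}

def explain_lockouts(events, window=timedelta(minutes=30)):
    """For each 4740, collect that user's bad-password events in the preceding window."""
    events = sorted(events, key=lambda e: e["time"])
    report = []
    for lock in (e for e in events if e["id"] == 4740):
        causes, symptoms = [], 0
        for e in events:
            if e["user"].lower() != lock["user"].lower():
                continue
            key = (e["id"], e.get("status", "").lower())
            if key in CAUSE and lock["time"] - window <= e["time"] <= lock["time"]:
                causes.append((e["time"], CAUSE[key], e["source"], e["dc"]))
            elif key in SYMPTOM and e["time"] > lock["time"]:
                symptoms += 1
        report.append({"user": lock["user"], "caller": lock["source"],
                       "causes": causes, "symptoms_after": symptoms,
                       "sources": sorted({c[2] for c in causes}),
                       # No cause found: the bad-password events are not in the data set
                       "audit_gap": not causes})
    return report

def ev(time, dc, eid, user, source, status=""):
    return {"time": datetime.fromisoformat("2016-07-11T" + time), "dc": dc,
            "id": eid, "user": user, "source": source, "status": status}

# Constructed sample events (hostnames, users and times are made up).
SAMPLE = [
    ev("09:00:01", "DC02", 4776, "jdoe", "SYNC01", "0xC000006A"),
    ev("09:00:05", "DC02", 4776, "jdoe", "SYNC01", "0xC000006A"),
    ev("09:00:09", "DC02", 4776, "jdoe", "SYNC01", "0xC000006A"),
    ev("09:00:10", "DC01", 4740, "jdoe", "SYNC01"),
    ev("09:05:00", "DC01", 4771, "jdoe", "10.0.0.5", "0x12"),
    ev("09:06:00", "DC01", 4771, "jdoe", "10.0.0.5", "0x12"),
    ev("10:00:00", "DC01", 4740, "asmith", "SYNC01"),
    ev("10:02:00", "DC01", 4771, "asmith", "10.0.0.9", "0x12"),
]

if __name__ == "__main__":
    for row in explain_lockouts(SAMPLE):
        print(row["user"], row["caller"], row["sources"], row["symptoms_after"],
              "AUDIT GAP" if row["audit_gap"] else "")
```

A row flagged `audit_gap` has a lockout and post-lockout symptoms but no collected bad-password event for that user. Event 4776 is only written when the Credential Validation audit subcategory is enabled on the DC that validates the NTLM logon.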

Supreme Being
Group: Moderators
Does DirSync handle authentication on behalf of any applications in your environment? What is the function of that server?