Tracking down source of account lockout
Posted 7/11/2016 11:19:53 AM
Forum Newbie

I have a strange and irritating account lockout that I can't track down. The lockouts seem completely random and seem to happen more when the user is logged in to the office, but I can see that bad attempts have been made even when the user is not in the office, not logged in to any (known) machine. The only real evidence I have is the change in the user attribute "badpasswordtime" and the 4740 event. I have all authentication logging turned on, on the PDC. Even more strange is that the caller_computer_name in the log is a server, the DirSync server. The user account does not have access to log in to this server, never has had.
Post #5233
Posted 7/24/2016 3:14:04 PM
Supreme Being

Check the time on the user's host to ensure that it is synced correctly. What is the function of the server "DirSync"?
Post #6239
Posted 7/26/2016 1:26:46 PM
Forum Newbie

The time of the servers is in sync, within a second. The DirSync server runs AAD Connect, syncing AD to Azure. The account with this issue does not sync to Azure.
Every 4771 event I see has an event code of 0x12, after the account is locked out. I'm running Splunk, collecting logs from all DCs and the server in question. I must need additional logging turned on to capture the actual bad password attempt, but to this point the only events I see are the 4740 event when the account is locked out and then 4771 0x12 events while the account is locked out.
Post #6243
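Added example, not written by any poster in this thread: a Python sketch of the correlation described above, which looks backward from each 4740 for the failures that record a bad password (4771 with failure code 0x18 for Kerberos pre-authentication, 4776 with status 0xC000006A for NTLM) and ignores 4771 0x12, which only appears once the account is already locked. The events, user names, host names and simplified field names are constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# (event id, status) pairs that record an actual bad password.
# 4771/0x12 is deliberately absent: it means the credentials are already
# revoked (locked or disabled), so it follows a lockout rather than causing it.
BAD_PASSWORD = {(4771, 0x18), (4776, 0xC000006A)}

# Constructed sample events; "source" stands for the client address (4771),
# the workstation (4776) or the caller computer name (4740).
EVENTS = [
    {"time": "2016-07-26 09:00:05", "id": 4771, "user": "jdoe", "status": 0x18, "source": "10.0.0.21"},
    {"time": "2016-07-26 09:00:40", "id": 4776, "user": "jdoe", "status": 0xC000006A, "source": "SRV01"},
    {"time": "2016-07-26 09:00:50", "id": 4771, "user": "asmith", "status": 0x18, "source": "10.0.0.21"},
    {"time": "2016-07-26 09:01:09", "id": 4776, "user": "JDOE", "status": 0xC000006A, "source": "SRV01"},
    {"time": "2016-07-26 09:01:10", "id": 4740, "user": "jdoe", "source": "SRV01"},
    {"time": "2016-07-26 09:02:00", "id": 4771, "user": "jdoe", "status": 0x12, "source": "10.0.0.21"},
    {"time": "2016-07-26 09:03:00", "id": 4771, "user": "jdoe", "status": 0x12, "source": "10.0.0.35"},
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def lockout_sources(events, window_minutes=30):
    """For each 4740, count bad-password sources for that user in the preceding window."""
    results = []
    for lock in (e for e in events if e["id"] == 4740):
        end = parse(lock["time"])
        start = end - timedelta(minutes=window_minutes)
        sources = Counter(
            e["source"] for e in events
            if e["user"].lower() == lock["user"].lower()      # account names are case-insensitive
            and (e["id"], e.get("status")) in BAD_PASSWORD     # skips 0x12 and other noise
            and start <= parse(e["time"]) <= end               # only what led up to the lockout
        )
        results.append({"user": lock["user"], "locked_at": lock["time"],
                        "caller": lock["source"], "bad_password_sources": dict(sources)})
    return results


if __name__ == "__main__":
    for row in lockout_sources(EVENTS):
        print(row)
```

4771 failures are logged under the Audit Kerberos Authentication Service subcategory and 4776 under Audit Credential Validation, on whichever DC handled the attempt, so both need failure auditing on every DC whose logs are collected.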
Posted 8/16/2016 8:18:27 PM
Supreme Being

Does DirSync handle authentication on behalf of any applications in your environment? What is the function of that server?
Post #6250