How many account lockouts do you deal with every day? Troubleshooting account lockouts has always been part of an IT admin’s daily routine: either employees forget their passwords, or accounts lock out because of a significant increase in authentication requests on domain controllers. On top of that, account lockouts can also be a sign of the Conficker virus (also known as Downup, Downadup or Kido), which performs brute-force attacks against accounts in a network, or of a password change on a service account.
Here is a list of free tools that can help you investigate the root cause of an account lockout more quickly and prevent a drop in productivity:
Tool #1. Netwrix Account Lockout Examiner
This is a free tool that helps IT staff identify lockout root causes in a single keystroke. The freeware enables you to do the following:
- Identify root causes of lockouts. The tool gets you to the root of the problem in a single click, whether it’s improperly mapped network drives, services or scheduled tasks running under stale credentials, or an outdated password saved on a mobile device.
- Minimize troubleshooting time. The tool helps you slash troubleshooting time by 90% with easy root cause investigation. It allows you to find even the most complex lockout reasons in minutes, so you know exactly what needs to be fixed.
- Reduce the pressure on your help desk. The tool empowers the IT team to quickly troubleshoot user issues and minimize business downtime whenever a service account from a critical app or a domain controller gets locked out.
Tool #2. Account Lockout Status tools
This is a set of tools Microsoft offers to help you with account lockout troubleshooting:
- exe collects and filters events from the event logs of domain controllers. This tool has a built-in search for account lockouts. It gathers the event IDs related to a certain account lockout in a separate text file.
- exe examines all DCs in a domain, letting you know when the target account last locked out and from which DC. In addition, it provides the locked-out account’s current status and the number of bad password attempts.
- Netlogon logging is used to track Netlogon and NT LAN Manager (NTLM) events. Enabling Netlogon logging on all DCs is an effective way to isolate a locked-out account and see where the account is being locked out. Although Netlogon logging isn’t part of the account lockout and management tools, NLParse.exe is used to parse the Netlogon logs, and NLParse.exe is one of the account lockout tools.
- Acctinfo exposes more properties in ADUC (Active Directory Users and Computers), e.g., last logon and password expiry. Specifically, with this add-on you get an extra tab in ADUC called Additional Account Info that helps isolate and troubleshoot account lockouts and change a user’s password on a domain controller in that user’s site.
Tool #3. AD Lockouts
This simple utility tries to track the origin of Active Directory bad password attempts and lockouts. It searches each domain and domain controller for bad password attempts against an account, then parses the related events on each domain controller and works out where the lockout originated. After that, it analyzes each machine and outputs the common causes of account lockouts that are present (e.g., mapped drives, old RDP sessions, scheduled tasks).
Tool #4. PowerShell
Using the following PowerShell one-liner, you can easily filter the Security event log for events that mention a certain account being locked and try to figure out what caused its lockout (replace USERNAME with the locked-out account’s name; aliases are spelled out for readability):
# Filter the local Security log for lockout messages that mention the account, then show every property of each match
Get-EventLog -LogName Security | Where-Object { $_.Message -like "*locked*USERNAME*" } | Format-List -Property *
You can also use the Get-UserLockoutStatus function to troubleshoot persistent account lockout problems. The function queries every domain controller in the domain for a user’s lockout status: bad password count, last bad password time, and when the password was last set. You can find the full code here.
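As an added example (not code from the original article or from the Get-UserLockoutStatus function it links to), the script below combines the two steps described above: it reads the Security log for event 4740 (“A user account was locked out”) on the PDC emulator to find the machine that sent the bad passwords, then asks every domain controller for its own copy of the account’s lockout counters. It assumes the ActiveDirectory module, rights to read the DCs’ Security logs, and that the caller computer appears in the 4740 message text as “Caller Computer Name:”.

```powershell
Import-Module ActiveDirectory

function Get-LockoutOrigin {
    # Lockouts are chained to the PDC emulator, so its Security log holds a 4740
    # event for every lockout in the domain; the message names the caller computer.
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Days = 1)
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $SamAccountName } |   # TargetUserName
        ForEach-Object {
            # Assumed layout of the 4740 message text; fall back to 'unknown' if it differs
            $caller = if ($_.Message -match 'Caller Computer Name:\s*(\S+)') { $Matches[1] } else { 'unknown' }
            [PSCustomObject]@{
                Time           = $_.TimeCreated
                Account        = $_.Properties[0].Value
                CallerComputer = $caller      # where the bad passwords came from
                LoggedOn       = $_.MachineName
            }
        }
}

function Get-DcLockoutStatus {
    # badPwdCount and lastBadPasswordAttempt are not replicated, so each DC
    # must be queried directly; the DC with the newest attempt saw the lockout.
    param([Parameter(Mandatory)][string]$SamAccountName)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                 -Properties LockedOut, badPwdCount, LastBadPasswordAttempt, PasswordLastSet
            [PSCustomObject]@{
                DC                     = $dc.HostName
                LockedOut              = $u.LockedOut
                BadPwdCount            = $u.badPwdCount
                LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                PasswordLastSet        = $u.PasswordLastSet
            }
        } catch { Write-Warning "Could not query $($dc.HostName): $_" }
    }
}

# Usage: 'jdoe' is a placeholder for the locked-out account's sAMAccountName
Get-LockoutOrigin   -SamAccountName 'jdoe' | Format-Table -AutoSize
Get-DcLockoutStatus -SamAccountName 'jdoe' |
    Sort-Object LastBadPasswordAttempt -Descending | Format-Table -AutoSize
```

The CallerComputer value is the machine to inspect for the usual culprits listed under the other tools (mapped drives, stale RDP sessions, scheduled tasks or services using an old password).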
Tool #5. N/A
Actually, I couldn’t find the 5th free tool; my bad. However, there are some paid tools, such as the ManageEngine and Jiji account lockout tools. The Algoware AD tool didn’t work in my test environment, so I have no clue what it is actually capable of doing. Maybe you can recommend one? Which free account lockout troubleshooting tool do you use?
Discover more free tools for IT admins in our recent article.