How to see where Domain Account is being locked out?

Status
Not open for further replies.

SHADOWSTRIKE1

May 4, 2016
Hey guys,

We have a user account in our Active Directory who keeps getting locked out every couple hours. Our company uses many different servers, and on our production floor there are hundreds of PCs. So we're not sure where his account is logged in and causing the issue. I can see that it is locked out due to a bad password. So I'm assuming it's trying to perform an automated task, but using an outdated password.

The issue is that we are not sure how to track down what machine is causing the issue. Is there some software out there that we could load onto our Domain Controller and monitor what machine the account is being logged into? Or is there some way to see this that I'm unfamiliar with?
 
Solution
Use the lockout status tool. This will give you a domain controller that showed a bad password, and a time.
Then go to that domain controller and look in the security log (at the time) and look for the audit failure. You should be able to determine the username and an IP address where the logon attempt came from.
+++1 on the cell phone and email.

The lockout status shows when the lockout occurred, then look in the logs on the DC at that time, and you can find the entry showing where the user logged in from. Just be aware that it may show a server (like the mail server) if the user was logging onto an application.
 
I was able to determine that a cell phone wasn't the case... he hasn't used his cell phone to log into his work email at all. So we're still trying to figure out what the cause is.

Does anyone know of an easy process of going about this?
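
One way to script the second step of the solution (searching the named domain controller's Security log around the bad-password time), as an added example that is not from any poster in this thread. It assumes the standard audit-failure event IDs 4771, 4776 and 4625 and remote event log access to the DC; the function name and the DC name, account and time in the usage line are placeholders.

```powershell
# Added example: list failed authentications for one account on one DC around a lockout time.
# 'DC01', 'jsmith' and the timestamp in the usage lines are placeholders, not values from the thread.
function Get-BadPasswordSource {
    param(
        [Parameter(Mandatory)] [string]   $DomainController,  # DC named by the lockout status tool
        [Parameter(Mandatory)] [string]   $UserName,          # sAMAccountName of the locked account
        [Parameter(Mandatory)] [datetime] $LockoutTime,       # bad-password time from the tool
        [int] $WindowMinutes = 10
    )

    # Audit-failure events a DC records for a bad password:
    #   4771 Kerberos pre-authentication failed, 4776 NTLM credential validation, 4625 failed logon
    $filter = @{
        LogName   = 'Security'
        Id        = 4771, 4776, 4625
        StartTime = $LockoutTime.AddMinutes(-$WindowMinutes)
        EndTime   = $LockoutTime.AddMinutes($WindowMinutes)
    }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
        ForEach-Object {
            # Flatten <EventData><Data Name="..."> into a name/value table
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            # Skip events for other accounts and successful 4776 validations (status 0x0)
            if ($data['TargetUserName'] -ne $UserName) { return }
            if ($_.Id -eq 4776 -and $data['Status'] -eq '0x0') { return }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                # 4771 and 4625 carry IpAddress; 4776 carries only a Workstation name
                SourceIp    = $data['IpAddress']
                Workstation = if ($data['Workstation']) { $data['Workstation'] } else { $data['WorkstationName'] }
                Status      = $data['Status']
            }
        }
}

# Usage (placeholder values): count failures per source to find the machine that keeps retrying
# Get-BadPasswordSource -DomainController 'DC01' -UserName 'jsmith' -LockoutTime '2024-01-15 14:30' |
#     Group-Object SourceIp, Workstation | Sort-Object Count -Descending
```

The source with the highest count is the one to inspect for a stored password, scheduled task or service. As noted in the thread, that source may be a server (such as the mail server) that the client authenticated through rather than the user's own machine.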
 