Active Directory Insights (Part 15) – Investigating locked out accounts

By / September 10, 2017

If you would like to read the other parts in this article series please go to: 

Many administrators of Active Directory environments make use of account lockout policies to help safeguard their directory information from malicious users. However, policies are of no use unless they are regularly reported upon and examined to evaluate their effectiveness and determine whether any unanticipated problems are occurring. To help us understand this subject better, I’ve asked Andrew Perchaluk, a Senior Systems Administrator at the University of Manitoba in Winnipeg, Canada to provide us with some insight and tips from his own experience managing Active Directory environments. Andrew is a husband, father, and dog lover who has been working in the Information Technology industry for almost 20 years and who enjoys sharing his experiences with others in the IT pro community. For more information about Andrew see his LinkedIn profile. You can also follow him on Twitter. Let’s now hear what Andrew has to say on this topic…

Why set up an Active Directory account lockout policy

I find (as you might too) that our jobs in IT have really shifted in the last few years and we’ve had to evolve to having a strong security centric mindset. I guess I should have seen this trend approaching years ago when I was setting up Active Directory as even back then I quickly learned the importance of setting up a domain account lockout policy and wanted to share my experience with others. Without having a domain account lockout policy configured you can leave your accounts open to brute force hacking attempts by malicious users, which depending on the size of your Active Directory and organization can be difficult to keep on top of. Beginning with Windows server 2003 domain controllers have been keeping track of login attempts.However once you have a policy enabled you will almost certainly run into issues with accounts being locked randomly, this can often be caused by:

  • A legitimate password reset has been done to an AD account and the result is that some device, service or application had the account and previous password saved which will now lockout the account until you can update the password there as well. (check Outlook, mobile devices, tablets, Wi-Fi connections, etc)
  • A malicious user is trying to brute force an account either internally via a system, possibly exposed to malware, or externally using public facing websites or services (i.e. email, RDP, etc)

How to set up an Active Directory account lockout policy

You can either use the Group Policy Management console or on one of your domain controllers under Administrative Tools go into the Local Security Policy, then Security Settings, and then Account Policies to perform this work. First you will need to enable an Audit policy on the domain controller if you have not already done so that event 4740 will be logged to the Security Event log. On a Domain Controller under Administrative Tools go into the Local Security Policy, then Security Settings, and then Audit Policy and make sure that “Audit Account Management” at least has Success enabled:

Image

Next browse on a Domain Controller under Administrative Tools go into the Local Security Policy, then Security Settings, and then Account Lockout Policy and configure the following 3 items:

  • Account lockout duration – I recommend 30 minutes but pick your preferred setting
  • Account lockout threshold – pick your preferred setting, we chose 50 invalid logon attempts
  • Reset account lockout counter after – pick your preferred setting, we chose 15 minutes

Image

How to monitor the Active Directory account lockouts occurring

Now that you have the policy configured you can begin monitoring. Lockout events are logged to the PDC operations master, so if you have multiple domain controllers you can open ADUC and go to the properties of your domain, then choose operations master and go to the PDC tab:

Image

Once you find the PDC operations master you can look for event ID 4740 in the Security event log on that Domain controller. A sample might look like this:

Image

From my experience it was difficult to search through the logs for these events every day so because of this we ended up writing a script to do it for us and then email us the report daily. Once we had the report we could investigate the accounts that were being locked and the computers or servers they were being locked from. The script we wrote emailed us a report daily like the format below (you can configure it to run as often as needed or run it manually):

 Image

PowerShell script that can be used to email the lockout report

Tweak the following script and schedule it to run daily (or preferred schedule) on the PDC operations master in your environment. It will contain the basic details from event ID 4740 to allow you to begin troubleshooting and take the necessary action:

Function SendLogs {
$AttachLog = @{
SmtpServer = "mail server"
From = 'email address'
To="email address"
Subject = "Event ID 4740 Lockout Report"
Body = "Here are the previous 24 hours of locked-out account logs."
attachments = $log
}
Send-MailMessage @AttachLog
}
cls
del C:\logs\lockout.log -ErrorAction SilentlyContinue
$log = "C:\logs\lockout.log"
$dateFmt = get-date
$row = $null
"Daily report generated at "+$dateFmt+"`r`n`r`n" | Out-File $log -Append -Encoding "ASCII"
Get-EventLog -logname security -after $dateFmt.adddays(-1) | where {$_.eventID -eq 4740} | foreach-Object {
$row = "" | select TimeLockedOut, AccountName, Computer
$row.TimeLockedOut = $_.TimeGenerated
$row.AccountName = $_.ReplacementStrings[0]
$row.Computer = $_.ReplacementStrings[1]
write-host $row
"$row `r`n" -replace ";","`r`n" -replace "TimeLockedOut"," Account Locked at:" -replace "AccountName","Account Name:" -replace "Computer","Computer:" -replace "@","" -replace "{","" -replace "}","" -replace "="," " | Out-File $log -Append -Encoding "ASCII"
}
if ($row) {SendLogs}else {"No events to process this time." | Out-File $log -Append -Encoding "ASCII"SendLogs}

 

Still got questions about Active Directory?

If you have any questions about domain controller hardware planning, the best place to ask them is the Active Directory Domain Services forum on TechNet. If you don’t get help that you need there, you can try sending your question to [email protected] so we can publish it in the Ask Our Readers section of our newsletter and see whether any of the almost 100,000 IT pro subscribers of our newsletter have any suggestions concerning your problem.

Read Next

Static vs Dynamic IP Address

Static vs Dynamic IP Address

Most people are familiar with Internet Protocol (IP) Addresses, but many people don’t know you have 2 types. In this article, you’ll learn about static…

Read More »

About The Author

Mitch Tulloch is Senior Editor of both WServerNews and FitITproNews and is a widely recognized expert on Windows Server and cloud technologies. He has written more than a thousand articles and has authored or been series editor for over 50 books for Microsoft Press and other publishers. Mitch has also been a twelve-time recipient of the Microsoft Most Valuable Professional (MVP) award in the technical category of Cloud and Datacenter Management. He currently runs an IT content development business in Winnipeg, Canada.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top