Symptom

Account Lockouts in Active Directory

Additional Information

“User X” is getting locked out and Security Event ID 4740 are logged on respective servers with detailed information.

Reason

The common causes for account lockouts are:

• End-user mistake (typing a wrong username or password)
• Programs with cached credentials or active threads that retain old credentials
• Service accounts passwords cached by the service control manager
• User is logged in on multiple computers or disconnected remote terminal server sessions
• Scheduled tasks
• Persistent drive mappings
• Active Directory delayed replication

Troubleshooting Steps Using EventTracker

Here we are going to look for Event ID 4740. This is the security event that is logged whenever an account gets locked.

1. Login to EventTracker console:
2. Select search on the menu bar
3. Click on advanced search
4. On the Advanced Log Search Window fill in the following details:

• Enter the result limit in numbers, here 0 means unlimited.
• Select the date, time range for the logs to be searched.
• Select all the domain controllers in the required domain.
• Click on the inverted triangle, make the search for Event ID: 4740 as shown below.

Once done hit search at the bottom.

You can see the details below. If you want to get more information about a particular log, click on the + sign

Below shows more information about this event.

Now, let’s take a closer look at 4740 event. This can help us troubleshoot this issue.

Log Name	Security
Source	Microsoft-Windows-Security-Auditing
Date	MM/DD/YYYY HH:MM:SS PM
Event ID	4740
Task Category	User Account Management
Level	Information
Keywords	Audit Success
User	N/A
Computer	COMPANY-SVRDC1
Description	A user account was locked out.
Subject:
Security ID	NT AUTHORITYSYSTEM
Account Name	COMPANY-SVRDC1$
Account Domain	TOONS
Logon ID	0x3E7
Account That Was Locked Out:
Security ID	S-1-5-21-1135150828-2109348461-2108243693-1608
Account Name	demouser
Additional Information:
Caller Computer Name	DEMOSERVER1

Field	My Description
DateTime	This shows Date/Time of event origination in GMT format.
Source	This shows the Name of an Application or System Service originating the event.
Type	This shows Warning, Information, Error, Success, Failure, etc.
User	This is the user/service/computer initiating event. (Name with a $ means it’s a computer/system initiated event.
Computer	This shows the name of server workstation where event was logged.
EventID	Numerical ID of event.
Description	This contains the entire unparsed event message.
Log Name	The name of the event log (e.g. Application, Security, System, etc.)
Task Category	A name for a subclass of events within the same Event Source.
Level	Warning, Information, Error, etc.
Keywords	Audit Success, Audit Failure, Classic, Connection etc.
Category	This shows the name for an aggregative event class, corresponding to the similar ones present in Windows 2003 version.
Subject: Account Name	Name of the account that initiated the action.
Subject: Account Domain	Name of the domain that account initiating the action belongs to.
Subject: Logon ID	A number that uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session.
Subject: Security ID	SID of the locked out user
Account Name	Account That Was Locked Out
Caller Computer Name	This is the computer where the logon attempts occurred

Resolution

Logon into the computer mentioned on “Caller Computer Name”  (DEMOSERVER1) and look for one of the aforementioned reasons that produces the problem.

To understand further on how to resolve issues present on “Caller Computer Name”  (DEMOSERVER1) let us look into the different logon types.

LogonType Code	0
LogonType Value	System
LogonType Meaning	Used only by the System account.
Resolution	No evidence so far seen that can contribute towards account lock out

LogonType Code	2
LogonType Value	Interactive
LogonType Meaning	A user logged on to this computer.
Resolution	User has typed wrong password on the console

LogonType Code	3
LogonType Value	Network
LogonType Meaning	A user or computer logged on to this computer from the network.
Resolution	User has typed wrong password from the network. It can be a connection from Mobile Phone/ Network Shares etc.

LogonType Code	4
LogonType Value	Batch
LogonType Meaning	Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
Resolution	Batch file has an expired or wrong password

LogonType Code	5
LogonType Value	Service
LogonType Meaning	A service was started by the Service Control Manager.
Resolution	Service is configured with a wrong password

LogonType Code	6
LogonType Value	Proxy
LogonType Meaning	Indicates a proxy-type logon.
Resolution	No evidence so far seen that can contribute towards account lock out

LogonType Code	7
LogonType Value	Unlock
LogonType Meaning	This workstation was unlocked.
Resolution	User has typed a wrong password on a password protected screen saver

LogonType Code	8
LogonType Value	NetworkCleartext
LogonType Meaning	A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
Resolution	No evidence so far seen that can contribute towards account lock out

LogonType Code	9
LogonType Value	NewCredentials
LogonType Meaning	A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
Resolution	User initiated an application using the RunAs command, but with wrong password.

LogonType Code	10
LogonType Value	RemoteInteractive
LogonType Meaning	A user logged on to this computer remotely using Terminal Services or Remote Desktop.
Resolution	User has typed wrong password while logging in to this computer remotely using Terminal Services or Remote Desktop

LogonType Code	11
LogonType Value	CachedInteractive
LogonType Meaning	A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Resolution	No evidence so far seen that can contribute towards account lock out as domain controller is never contacted in this case.

LogonType Code	12
LogonType Value	CachedRemoteInteractive
LogonType Meaning	Same as RemoteInteractive. This is used for internal auditing.
Resolution	No evidence so far seen that can contribute towards account lock out as domain controller is never contacted in this case.

LogonType Code	13
LogonType Value	CachedUnlock
LogonType Meaning	This workstation was unlocked with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Resolution	No evidence so far seen that can contribute towards account lock out as domain controller is never contacted in this case.

How to identify the logon type for this locked out account?

Just like how it is shown earlier for Event ID 4740, do a log search for Event ID 4625 using EventTracker, and check the details.

Log Name	Security
Source	Microsoft-Windows-Security-Auditing
Date	date
Event ID	4625
Task Category	Logon
Level	Information
Keywords	Audit Failure
User	N/A
Computer	COMPANY-SVRDC1
Description	An account failed to log on.
Subject:
Security ID	SYSTEM
Account Name	COMPANY-SVRDC1$
Account Domain	TOONS
Logon ID	ID
Logon Type	7
Account For Which Logon Failed:
Security ID	NULL SID
Account Name	demouser
Account Domain	TOONS
Failure Information:
Failure Reason	An Error occurred during Logon.
Status	0xc000006d
Sub Status	0xc0000380
Process Information:
Caller Process ID	0x384
Caller Process Name	C:WindowsSystem32winlogon.exe
Network Information:
Workstation Name	computer name
Source Network Address	IP address
Source Port	0
Detailed Authentication Information:
Logon Process	User32
Authentication Package	Negotiate
Transited Services	–
Package Name (NTLM only)	–
Key Length	0

Logon Type 7 says User has typed a wrong password on a password protected screen saver.

Now we understand what reason to target and how to target the same.

Applies to

Microsoft Windows Servers
Microsoft Windows Desktops

Contributors

Ashwin Venugopal, Subject Matter Expert at EventTracker
Satheesh Balaji, Security Analyst at EventTracker