If you enable auditing of account management in Domain Controller Security
Policy and Domain Security Policy, account management for Event ID 644 will
be recorded when the account is locked out. You can then use Event Comb to
search for those events on domain controllers and domain computers to find
those events and it should help you track down the computer that is
initiating the lockout. Another thing you could try is to enable netlogon
logging and then check the netlogon log on the domain controller for failed
logons tracing back to the offending computer via transitive logon. Once you
find the problem computers you will have to see what the cause is. Usually
it is due to a user being logged onto multiple computers [including a
Terminal Services logon], cached application credentials, stored user
credential for Windows XP, persistent mapped drives, Scheduled Tasks, or a
service using the user's domain credentials [probably not very likely]. The
links below will help. Note that MS recommends that the account lockout
threshold be no less than ten bad attempts assuming you enforce strong
passwords on the domain.

--- Steve
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
http://www.microsoft.com/downloads/...9c-91f3-4e63-8629-b999adde0b9e&DisplayLang=en
Wayne Gore said:
Hi
In our network we have about 40 domain controllers spread out on 35
different sites. An IS user just contacted me and said that after he
changed his password, his account was locking out a couple of times per day.
How can I find the source where the account is being locked out?
Regards
Wayne
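
Added example, not part of either post above: one way to work through the netlogon log check Steve describes, ranking the computers that sent failed logons for one account. The line layout, the computer, domain and user names, and the function names are assumptions made for the illustration; the sample lines are constructed.

```python
import re
from collections import Counter

# NTSTATUS values that mark a bad password attempt or an already locked account.
FAILURE_CODES = {
    "0xC000006A": "wrong password",
    "0xC0000234": "account locked out",
}

# Assumed layout of the "Returns" line Netlogon writes per processed logon.
LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) \[LOGON\] .*?"
    r"SamLogon: (?P<kind>Transitive )?\w+ logon of "
    r"(?P<domain>[^\\\s]*)\\(?P<user>\S+) from (?P<source>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)"
)

def failed_logons(lines, user):
    """Yield (source, via, reason) for each failed logon of `user`."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["user"].lower() != user.lower():
            continue  # "Entered" lines, other accounts, unrelated entries
        reason = FAILURE_CODES.get("0x" + m["status"][2:].upper())
        if reason:  # successful logons (0x0) are skipped here
            # Source may be written with leading backslashes; normalise it.
            yield m["source"].strip("\\"), m["via"], reason

def rank_sources(lines, user):
    """Count failures per originating computer, most frequent first."""
    return Counter(s for s, _, _ in failed_logons(lines, user)).most_common()

# Constructed sample lines (not from a real network).
SAMPLE_LOG = """\
03/15 10:12:33 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from WKSTN042 (via FILESRV01) Entered
03/15 10:12:33 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from WKSTN042 (via FILESRV01) Returns 0xC000006A
03/15 10:12:41 [LOGON] CORP: SamLogon: Network logon of CORP\\jdoe from TS-GW01 Returns 0x0
03/15 10:13:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from WKSTN042 (via FILESRV01) Returns 0xC000006A
03/15 10:13:05 [LOGON] CORP: SamLogon: Network logon of CORP\\asmith from WKSTN007 Returns 0xC000006A
03/15 10:13:30 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\\jdoe from LAPTOP19 (via MAIL01) Returns 0xC0000234
""".splitlines()

if __name__ == "__main__":
    for source, count in rank_sources(SAMPLE_LOG, "jdoe"):
        print(f"{source}: {count} failed logon(s)")
```

The "via" field is the member server that passed the logon on to the domain controller, so the computer to visit is the one in the "from" field.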