5 min read
Symptom
Account Lockouts in Active Directory
Additional Information
“User X” is getting locked out and Security Event ID 4740 are logged on respective servers with detailed information.
Reason
The common causes for account lockouts are:
- End-user mistake (typing a wrong username or password)
- Programs with cached credentials or active threads that retain old credentials
- Service accounts passwords cached by the service control manager
- User is logged in on multiple computers or disconnected remote terminal server sessions
- Scheduled tasks
- Persistent drive mappings
- Active Directory delayed replication
Troubleshooting Steps Using EventTracker
Here we are going to look for Event ID 4740. This is the security event that is logged whenever an account gets locked.
- Login to EventTracker console:
- Select search on the menu bar
- Click on advanced search
- On the Advanced Log Search Window fill in the following details:
- Enter the result limit in numbers, here 0 means unlimited.
- Select the date, time range for the logs to be searched.
- Select all the domain controllers in the required domain.
- Click on the inverted triangle, make the search for Event ID: 4740 as shown below.
Once done hit search at the bottom.
You can see the details below. If you want to get more information about a particular log, click on the + sign
Below shows more information about this event.
Now, let’s take a closer look at 4740 event. This can help us troubleshoot this issue.
| Log Name | Security |
| Source | Microsoft-Windows-Security-Auditing |
| Date | MM/DD/YYYY HH:MM:SS PM |
| Event ID | 4740 |
| Task Category | User Account Management |
| Level | Information |
| Keywords | Audit Success |
| User | N/A |
| Computer | COMPANY-SVRDC1 |
| Description | A user account was locked out. |
| Subject: | |
|---|---|
| Security ID | NT AUTHORITYSYSTEM |
| Account Name | COMPANY-SVRDC1$ |
| Account Domain | TOONS |
| Logon ID | 0x3E7 |
| Account That Was Locked Out: | |
| Security ID | S-1-5-21-1135150828-2109348461-2108243693-1608 |
| Account Name | demouser |
| Additional Information: | |
| Caller Computer Name | DEMOSERVER1 |
| Field | My Description |
|---|---|
| DateTime | This shows Date/Time of event origination in GMT format. |
| Source | This shows the Name of an Application or System Service originating the event. |
| Type | This shows Warning, Information, Error, Success, Failure, etc. |
| User | This is the user/service/computer initiating event. (Name with a $ means it’s a computer/system initiated event. |
| Computer | This shows the name of server workstation where event was logged. |
| EventID | Numerical ID of event. |
| Description | This contains the entire unparsed event message. |
| Log Name | The name of the event log (e.g. Application, Security, System, etc.) |
| Task Category | A name for a subclass of events within the same Event Source. |
| Level | Warning, Information, Error, etc. |
| Keywords | Audit Success, Audit Failure, Classic, Connection etc. |
| Category | This shows the name for an aggregative event class, corresponding to the similar ones present in Windows 2003 version. |
| Subject: Account Name | Name of the account that initiated the action. |
| Subject: Account Domain | Name of the domain that account initiating the action belongs to. |
| Subject: Logon ID | A number that uniquely identifying the logon session of the user initiating action. This number can be used to correlate all user actions within one logon session. |
| Subject: Security ID | SID of the locked out user |
| Account Name | Account That Was Locked Out |
| Caller Computer Name | This is the computer where the logon attempts occurred |
Resolution
Logon into the computer mentioned on “Caller Computer Name” (DEMOSERVER1) and look for one of the aforementioned reasons that produces the problem.
To understand further on how to resolve issues present on “Caller Computer Name” (DEMOSERVER1) let us look into the different logon types.
| LogonType Code | 0 |
| LogonType Value | System |
| LogonType Meaning | Used only by the System account. |
| Resolution | No evidence so far seen that can contribute towards account lock out |
| LogonType Code | 2 |
| LogonType Value | Interactive |
| LogonType Meaning | A user logged on to this computer. |
| Resolution | User has typed wrong password on the console |
| LogonType Code | 3 |
| LogonType Value | Network |
| LogonType Meaning | A user or computer logged on to this computer from the network. |
| Resolution | User has typed wrong password from the network. It can be a connection from Mobile Phone/ Network Shares etc. |
| LogonType Code | 4 |
| LogonType Value | Batch |
| LogonType Meaning | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| Resolution | Batch file has an expired or wrong password |
| LogonType Code | 5 |
| LogonType Value | Service |
| LogonType Meaning | A service was started by the Service Control Manager. |
| Resolution | Service is configured with a wrong password |
| LogonType Code | 6 |
| LogonType Value | Proxy |
| LogonType Meaning | Indicates a proxy-type logon. |
| Resolution | No evidence so far seen that can contribute towards account lock out |
| LogonType Code | 7 |
| LogonType Value | Unlock |
| LogonType Meaning | This workstation was unlocked. |
| Resolution | User has typed a wrong password on a password protected screen saver |
| LogonType Code | 8 |
| LogonType Value | NetworkCleartext |
| LogonType Meaning | A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| Resolution | No evidence so far seen that can contribute towards account lock out |
| LogonType Code | 9 |
| LogonType Value | NewCredentials |
| LogonType Meaning | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| Resolution | User initiated an application using the RunAs command, but with wrong password. |
| LogonType Code | 10 |
| LogonType Value | RemoteInteractive |
| LogonType Meaning | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| Resolution | User has typed wrong password while logging in to this computer remotely using Terminal Services or Remote Desktop |
| LogonType Code | 11 |
| LogonType Value | CachedInteractive |
| LogonType Meaning | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
| Resolution | No evidence so far seen that can contribute towards account lock out as domain controller is never contacted in this case. |
| LogonType Code | 12 |
| LogonType Value | CachedRemoteInteractive |
| LogonType Meaning | Same as RemoteInteractive. This is used for internal auditing. |
| Resolution | No evidence so far seen that can contribute towards account lock out as domain controller is never contacted in this case. |
| LogonType Code | 13 |
| LogonType Value | CachedUnlock |
| LogonType Meaning | This workstation was unlocked with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
| Resolution | No evidence so far seen that can contribute towards account lock out as domain controller is never contacted in this case. |
How to identify the logon type for this locked out account?
Just like how it is shown earlier for Event ID 4740, do a log search for Event ID 4625 using EventTracker, and check the details.
| Log Name | Security |
| Source | Microsoft-Windows-Security-Auditing |
| Date | date |
| Event ID | 4625 |
| Task Category | Logon |
| Level | Information |
| Keywords | Audit Failure |
| User | N/A |
| Computer | COMPANY-SVRDC1 |
| Description | An account failed to log on. |
| Subject: | |
|---|---|
| Security ID | SYSTEM |
| Account Name | COMPANY-SVRDC1$ |
| Account Domain | TOONS |
| Logon ID | ID |
| Logon Type | 7 |
| Account For Which Logon Failed: | |
| Security ID | NULL SID |
| Account Name | demouser |
| Account Domain | TOONS |
| Failure Information: | |
| Failure Reason | An Error occurred during Logon. |
| Status | 0xc000006d |
| Sub Status | 0xc0000380 |
| Process Information: | |
| Caller Process ID | 0x384 |
| Caller Process Name | C:WindowsSystem32winlogon.exe |
| Network Information: | |
| Workstation Name | computer name |
| Source Network Address | IP address |
| Source Port | 0 |
| Detailed Authentication Information: | |
| Logon Process | User32 |
| Authentication Package | Negotiate |
| Transited Services | – |
| Package Name (NTLM only) | – |
| Key Length | 0 |
Logon Type 7 says User has typed a wrong password on a password protected screen saver.
Now we understand what reason to target and how to target the same.
Applies to
Microsoft Windows Servers
Microsoft Windows Desktops
Contributors
Ashwin Venugopal, Subject Matter Expert at EventTracker
Satheesh Balaji, Security Analyst at EventTracker
