
Symptom

Account Lockouts in Active Directory

Additional Information

“User X” is getting locked out, and Security Event ID 4740 is logged on the respective servers with detailed information.

Reason

The common causes for account lockouts are:

  • End-user mistake (typing a wrong username or password)
  • Programs with cached credentials or active threads that retain old credentials
  • Service account passwords cached by the Service Control Manager
  • User is logged in on multiple computers or disconnected remote terminal server sessions
  • Scheduled tasks
  • Persistent drive mappings
  • Active Directory delayed replication

Troubleshooting Steps Using EventTracker

Here we are going to look for Event ID 4740. This is the security event that is logged whenever an account gets locked.

  1. Log in to the EventTracker console.
  2. Select Search on the menu bar.
  3. Click on Advanced Search.
  4. In the Advanced Log Search window, fill in the following details:
     • Enter the result limit as a number; 0 means unlimited.
     • Select the date and time range for the logs to be searched.
     • Select all the domain controllers in the required domain.
     • Click on the inverted triangle and set the search to Event ID: 4740 as shown below.

Once done, hit Search at the bottom.

You can see the details below. If you want more information about a particular log, click on the + sign.

Below shows more information about this event.

Now, let’s take a closer look at the 4740 event. This can help us troubleshoot this issue.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: MM/DD/YYYY HH:MM:SS PM
Event ID: 4740
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: COMPANY-SVRDC1
Description: A user account was locked out.
Subject:
  Security ID: NT AUTHORITY\SYSTEM
  Account Name: COMPANY-SVRDC1$
  Account Domain: TOONS
  Logon ID: 0x3E7
Account That Was Locked Out:
  Security ID: S-1-5-21-1135150828-2109348461-2108243693-1608
  Account Name: demouser
Additional Information:
  Caller Computer Name: DEMOSERVER1

Field: Description
DateTime: The date/time of event origination, in GMT format.
Source: The name of the application or system service originating the event.
Type: Warning, Information, Error, Success, Failure, etc.
User: The user, service or computer initiating the event. (A name ending in $ means it is a computer/system-initiated event.)
Computer: The name of the server or workstation where the event was logged.
EventID: Numerical ID of the event.
Description: The entire unparsed event message.
Log Name: The name of the event log (e.g. Application, Security, System, etc.).
Task Category: A name for a subclass of events within the same event source.
Level: Warning, Information, Error, etc.
Keywords: Audit Success, Audit Failure, Classic, Connection, etc.
Category: The name of an aggregative event class, corresponding to the similar ones present in the Windows 2003 version.
Subject: Account Name: Name of the account that initiated the action.
Subject: Account Domain: Name of the domain that the account initiating the action belongs to.
Subject: Logon ID: A number that uniquely identifies the logon session of the user initiating the action. This number can be used to correlate all user actions within one logon session.
Account That Was Locked Out: Security ID: SID of the locked-out user.
Account That Was Locked Out: Account Name: Name of the account that was locked out.
Caller Computer Name: The computer where the logon attempts occurred.

Resolution

Log on to the computer mentioned in “Caller Computer Name” (DEMOSERVER1) and look for whichever of the aforementioned reasons is producing the problem.

To understand how to resolve the issues present on the “Caller Computer Name” (DEMOSERVER1), let us look at the different logon types.

Logon Type 0 (System)
  Meaning: Used only by the System account.
  Resolution: No evidence seen so far that this can contribute towards an account lockout.

Logon Type 2 (Interactive)
  Meaning: A user logged on to this computer.
  Resolution: The user has typed a wrong password on the console.

Logon Type 3 (Network)
  Meaning: A user or computer logged on to this computer from the network.
  Resolution: The user has typed a wrong password from the network. It can be a connection from a mobile phone, a network share, etc.

Logon Type 4 (Batch)
  Meaning: The batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
  Resolution: A batch file has an expired or wrong password.

Logon Type 5 (Service)
  Meaning: A service was started by the Service Control Manager.
  Resolution: A service is configured with a wrong password.

Logon Type 6 (Proxy)
  Meaning: Indicates a proxy-type logon.
  Resolution: No evidence seen so far that this can contribute towards an account lockout.

Logon Type 7 (Unlock)
  Meaning: This workstation was unlocked.
  Resolution: The user has typed a wrong password on a password-protected screen saver.

Logon Type 8 (NetworkCleartext)
  Meaning: A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
  Resolution: No evidence seen so far that this can contribute towards an account lockout.

Logon Type 9 (NewCredentials)
  Meaning: A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
  Resolution: The user started an application using the RunAs command, but with a wrong password.

Logon Type 10 (RemoteInteractive)
  Meaning: A user logged on to this computer remotely using Terminal Services or Remote Desktop.
  Resolution: The user has typed a wrong password while logging on to this computer remotely using Terminal Services or Remote Desktop.

Logon Type 11 (CachedInteractive)
  Meaning: A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
  Resolution: No evidence seen so far that this can contribute towards an account lockout, as the domain controller is never contacted in this case.

Logon Type 12 (CachedRemoteInteractive)
  Meaning: Same as RemoteInteractive. This is used for internal auditing.
  Resolution: No evidence seen so far that this can contribute towards an account lockout, as the domain controller is never contacted in this case.

Logon Type 13 (CachedUnlock)
  Meaning: This workstation was unlocked with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
  Resolution: No evidence seen so far that this can contribute towards an account lockout, as the domain controller is never contacted in this case.

How do you identify the logon type for this locked-out account?

Just as shown earlier for Event ID 4740, do a log search for Event ID 4625 using EventTracker and check the details.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: date
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: COMPANY-SVRDC1
Description: An account failed to log on.
Subject:
  Security ID: SYSTEM
  Account Name: COMPANY-SVRDC1$
  Account Domain: TOONS
  Logon ID: ID
Logon Type: 7
Account For Which Logon Failed:
  Security ID: NULL SID
  Account Name: demouser
  Account Domain: TOONS
Failure Information:
  Failure Reason: An Error occurred during Logon.
  Status: 0xc000006d
  Sub Status: 0xc0000380
Process Information:
  Caller Process ID: 0x384
  Caller Process Name: C:\Windows\System32\winlogon.exe
Network Information:
  Workstation Name: computer name
  Source Network Address: IP address
  Source Port: 0
Detailed Authentication Information:
  Logon Process: User32
  Authentication Package: Negotiate
  Transited Services:
  Package Name (NTLM only):
  Key Length: 0

Logon Type 7 means the user has typed a wrong password on a password-protected screen saver.

Now we understand which cause to target on the caller computer, and how to find it.
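The two searches described above (Event ID 4740 on the domain controllers, then Event ID 4625 on the caller computer) can also be run directly against the Windows Security logs. The following is an added example, not EventTracker's code; it assumes read access to the Security log on both machines, that Get-WinEvent can reach them remotely, and uses the computer and account names from the sample events above. The LogonType hints are the resolutions from the table above.

```powershell
# Added example: correlate a 4740 lockout on the DC with the 4625 failures on the
# caller computer and map each failure's Logon Type to the resolutions listed above.
# Assumes read access to both Security logs and that Get-WinEvent can reach the hosts.
$LogonTypeHint = @{
    2  = 'Interactive: wrong password typed at the console'
    3  = 'Network: wrong password from the network (share, phone, mapped drive)'
    4  = 'Batch: scheduled task or batch job holds an old or wrong password'
    5  = 'Service: a service is configured with a wrong password'
    7  = 'Unlock: wrong password at the locked screen / screen saver'
    9  = 'NewCredentials: RunAs started with a wrong password'
    10 = 'RemoteInteractive: wrong password in an RDP / Terminal Services session'
}

# Named EventData fields of a Security event, as a hashtable (e.g. TargetUserName).
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $map = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $map[$_.Name] = $_.'#text' }
    return $map
}

function Find-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$User,              # e.g. 'demouser'
        [Parameter(Mandatory)][string]$DomainController,  # e.g. 'COMPANY-SVRDC1'
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Step 1: 4740 on the DC names the computer that sent the bad credentials.
    Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
      ForEach-Object { Get-EventDataMap $_ } |
      Where-Object { $_.TargetUserName -eq $User } |
      ForEach-Object {
        $caller = $_.TargetDomainName   # 4740 stores "Caller Computer Name" in this field
        Write-Host "$User locked out; Caller Computer Name = $caller"
        # Step 2: 4625 on the caller computer carries Logon Type, process and source address.
        Get-WinEvent -ComputerName $caller -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } |
          ForEach-Object { Get-EventDataMap $_ } |
          Where-Object { $_.TargetUserName -eq $User } |
          ForEach-Object {
            $t = [int]$_.LogonType
            $hint = if ($LogonTypeHint.ContainsKey($t)) { $LogonTypeHint[$t] } else { 'no known lockout contribution' }
            [pscustomobject]@{ LogonType = $t; Hint = $hint; Process = $_.ProcessName
                               SourceAddress = $_.IpAddress; Workstation = $_.WorkstationName
                               SubStatus = $_.SubStatus }
          }
      }
}
```

Run it as `Find-LockoutSource -User 'demouser' -DomainController 'COMPANY-SVRDC1' | Format-Table`; each row shows one failed logon on the caller computer with its Logon Type, originating process and source address, so a Logon Type of 7 from winlogon.exe points at the screen-saver case shown above.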

Applies to

Microsoft Windows Servers
Microsoft Windows Desktops

Contributors

Ashwin Venugopal, Subject Matter Expert at EventTracker
Satheesh Balaji, Security Analyst at EventTracker