(I don’t know the answer to this yet, so this is just an dump of what I know.)
Customer reports that they’re Active Directory User account is being locked out 2->3 times a day.
- They have “admin” rights on their PC.
- They are using Microsoft SQL Management studio, which may/may not be triggering the account lock.
- Googling for some answers, hasn’t been successful. Here is some of what Google returned.
|LockoutStatus.exe||The LockoutStatus.exe displays information about a locked out account. It does this by gathering account lockout-specific information from Active Directory.|
|ALockout.dll||The ALockout.dll tool and the Appinit.reg script are included in the ALTools package. ALockout.dll is a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario. The tool attaches itself to a variety of function calls that a process might use for authentication. The tool then saves information about the program or process that is making those calls into the Systemroot\Debug\Alockout.txt file
update 13 Sep 2012: sample log extract below.
|ALoInfo.exe||If account lockouts seem to happen most frequently after a user is forced to change their password, you may want to determine which users’ passwords are about to expire. You can use the ALoInfo.exe tool to display all user account names and the password age for those user accounts. This will allow you to use the ALockout.dll tool and other account lockout tools to set up the tools prior to the initial account lockout. You can also obtain a list of all local services and startup account information by using the ALoInfo.exe tool.|
|AcctInfo.dll||You can use the AcctInfo.dll tool to add new property pages to user objects in the Active Directory Users and Computers MMC Snap-in. You can use these property pages to help isolate and troubleshoot account lockouts and to reset a users password on a domain controller in that user’s local site.|
|EventCombMT.exe||You can use the EventCombMT.exe tool to gather specific events from event logs from several different computers into one central location. You can configure EventCombMT.exe to search for events and computers. Some specific search categories are built into the tool, such as account lockouts. Note that the account lockouts category is preconfigured to include events 529, 644, 675, 676, and 681.|
|NLParse||Because Netlogon log files may become more than 10 MB in size, you may want to parse the files for the information that you want to view. You can use the NLParse.exe tool to parse Netlogon log files for specific Netlogon return status codes.|
Alockout.txt log file (sample):
Thu Sep 13 14:14:06 2012, PID: 1712, Thread: 3424, Image C:\WINDOWS\system32\wbem\wmiprvse.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:17 2012, PID: 788, Thread: 792, Image winlogon.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:18 2012, PID: 852, Thread: 856, Image C:\WINDOWS\system32\lsass.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:18 2012, PID: 1036, Thread: 1040, Image C:\WINDOWS\system32\svchost,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:19 2012, PID: 1584, Thread: 1588, Image C:\WINDOWS\system32\spoolsv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:21 2012, PID: 1808, Thread: 1844, Image C:\WINDOWS\system32\Drivers\trcboot.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:21 2012, PID: 1928, Thread: 1932, Image C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:21 2012, PID: 176, Thread: 172, Image C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:21 2012, PID: 312, Thread: 320, Image C:\Program Files\CA\eTrustITM\InoTask.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:21 2012, PID: 1148, Thread: 1200, Image C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:21 2012, PID: 1208, Thread: 1212, Image C:\Program Files\Java\jre1.6.0_30\bin\jqs.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Thu Sep 13 14:16:24 2012, PID: 344, Thread: 348, Image ppcl.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH