Account lock out source application

Anonymous
2024-03-19T17:49:08+00:00

Hello, we have an account that keeps getting locked out. We know the machine that is doing it but can't figure out which application on the machine is trying to log in with a bad password.

Does anyone know how to figure out which application is repeatedly using bad passwords every second? We scanned for virus/EDR, no luck.




1 answer

  1. Anonymous
    2024-03-20T07:54:29+00:00

    Hi Michael Ozorowsky,

    Thank you for posting in the Microsoft Community Forum.

    When dealing with an account repeatedly getting locked out due to bad password attempts, there are several steps you can take to identify the application or process responsible:

    1. **Event Viewer**: Check the security event logs on the domain controller for Event ID 4625 (Failed Logon) associated with the locked-out account. This event should include information about the source IP address, hostname, and process name (if available) of the machine generating the failed logon attempts.
    2. **Netlogon Logging**: Enable Netlogon logging on the domain controller to capture additional information about authentication requests. This can provide more detailed insights into the source of the failed logon attempts.
    3. **Account Lockout Tools**: Utilize Microsoft's Account Lockout and Management Tools, such as LockoutStatus.exe and EventCombMT.exe, to analyze account lockout events across domain controllers and identify the source machine.
    4. **Process Monitor**: Install and run Process Monitor (procmon) on the machine generating the failed logon attempts. Filter the captured events to include only network activity (e.g., TCP and UDP) and look for processes repeatedly attempting to connect to network resources with incorrect credentials.
    5. **Network Sniffing**: Use network sniffing tools like Wireshark to capture network traffic on the machine generating the failed logon attempts. Look for authentication traffic (e.g., SMB, LDAP) originating from the machine and analyze the packets to identify the source application or process.
    6. **Credential Caching**: Check if any applications or services running on the machine are configured with cached credentials that might be outdated or incorrect. Update or remove any stored credentials that could be causing authentication failures.
    7. **Scheduled Tasks and Services**: Review the scheduled tasks, services, and applications configured to run on the machine. Look for any tasks or services configured to use the credentials of the locked-out account and investigate further.
    8. **Third-Party Tools**: Consider using third-party security monitoring and auditing tools that specialize in detecting and analyzing authentication-related issues, such as failed logon attempts and account lockouts.

    By systematically investigating these areas, you should be able to identify the application or process responsible for the repeated failed logon attempts and take appropriate action to address the issue.

    Best regards,

    Neuvi Jiang

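Steps 1 and 7 of the answer above, as an added PowerShell example that is not part of the original thread: it reads 4740 lockout events on the domain controller to get the caller computer, then on that computer reads 4625 failures to see which local process presented the bad password, and finally lists services and scheduled tasks configured with the account. The account name `svc_example` is a constructed placeholder; it assumes the script runs with rights to read the Security log.

```powershell
# Added example, not from the answer above. $LockedAccount is a constructed placeholder.
param([string]$LockedAccount = 'svc_example')

# Turn an event's EventData into a hashtable keyed by the field names.
function Get-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Step 1 on the domain controller (point -DomainController at the PDC emulator, which
# records every lockout). 4740 = account locked out; its TargetDomainName field is the
# "Caller Computer Name", i.e. the machine the bad passwords came from.
function Find-LockoutSource {
    param([string]$Account, [string]$DomainController = $env:COMPUTERNAME)
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{LogName='Security'; Id=4740} -ErrorAction SilentlyContinue |
        ForEach-Object { $d = Get-EventData $_
            if ($d.TargetUserName -eq $Account) {
                [pscustomobject]@{ Time=$_.TimeCreated; Account=$d.TargetUserName; CallerComputer=$d.TargetDomainName }
            } } | Sort-Object Time -Descending
}

# Step 1 on the source machine: 4625 is logged locally for each failure. For logon
# types 2 (interactive), 4 (batch/scheduled task) and 5 (service) the ProcessName
# field names the local process that presented the password; for type 3 (network)
# it is usually '-', so fall back to the configured-credential check below.
# SubStatus 0xC000006A means "wrong password", 0xC0000234 "account locked".
function Find-FailingProcess {
    param([string]$Account, [int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-$Hours)} -ErrorAction SilentlyContinue |
        ForEach-Object { $d = Get-EventData $_
            if ($d.TargetUserName -eq $Account) {
                [pscustomobject]@{ LogonType=$d.LogonType; Process=$d.ProcessName; SubStatus=$d.SubStatus }
            } } | Group-Object LogonType, Process, SubStatus | Select-Object Count, Name
}

# Step 7: services and scheduled tasks configured to run as the locked-out account.
function Find-ConfiguredCredentials {
    param([string]$Account)
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "*$Account*" } |
        Select-Object @{n='Kind';e={'Service'}}, Name, StartName
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$Account*" } |
        Select-Object @{n='Kind';e={'ScheduledTask'}}, TaskName, @{n='StartName';e={$_.Principal.UserId}}
}

Find-LockoutSource -Account $LockedAccount | Select-Object -First 5   # run on / against the DC
Find-FailingProcess -Account $LockedAccount                            # run on the caller computer
Find-ConfiguredCredentials -Account $LockedAccount                     # run on the caller computer
```

The 4625 query only sees failures if "Audit Logon" failure auditing is enabled on the source machine; the Process column is the most direct answer to the question when it is populated.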