AD accounts lockout

Anonymous
2023-09-09T19:32:47+00:00

Dear Team

I have an issue where all user accounts lock up in sets across all the different sites, e.g. 15 accounts will lock out from different provinces, some in the office and some on VPN, some have not logged in at all, and strangely enough some accounts get disabled.

I use a script to see locked-out accounts in AD; the solution for now is to keep unlocking accounts as users want to work.

I am running Windows Server 2016 with over 30 servers and over 400 users. There is a firewall and antivirus on both the servers and the client machines.

Upon investigating I discovered that IT admin credentials have been used to access one user machine from a different branch; the IT admin had no prior access to this machine, as the machine belongs to another branch.

The machine executed a script to delete VPN credentials, and it listed the machines that were affected in the log; the script is located under the VPN folder on each machine that has VPN installed.

I believe something is taking place on the network servers.

Please assist.

Windows for business | Windows Server | Directory services | Active Directory


3 answers

  1. Anonymous
    2023-09-11T01:54:48+00:00

    Hello Census Mathebula1,

    Thank you for posting in Microsoft Community forum.

    Based on the description "I have an issue where all users account locks up in sets for all different sites", you have multiple AD accounts locked out. Did you make any changes in AD?

    For example, did you install any KB on any DC or on any domain-joined machines? Or make any GPO setting related to cipher suites or TLS/SSL?

    1. Check if you can see multiple Event ID 4771 or 4776 entries in the Security log on the DC/PDC.
    2. Check whether you can see Event ID 4740 immediately after Event ID 4776 or Event ID 4771 in the Security log on the DC/PDC.
    3. If these user accounts are not locked out by the same change or the same cause, you may need to check one domain user account first.
    4. Find one locked account, and for this domain user account, if you can see Event ID 4771 or 4776 and Event ID 4740 related to this domain account, can you see which machine locked the user account (via event 4740, 4776 or 4771)? If so, log on to the machine that locked out this account and try to check the reason.

    • Check Credential Manager (Control Panel) to see if the user's old credentials are cached

    • Check whether a network drive is mapped with the wrong password

    • Check if the user started a service with the wrong password, runs scheduled tasks with it, etc.

    • Are there other third-party programs that cache incorrect passwords for users?

    Hope the information above is helpful.

    If you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

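    The correlation the answer above describes (4771/4776 bad-password events followed by a 4740 lockout on the PDC emulator, then the per-host checks for cached credentials, mapped drives, services and scheduled tasks) can be scripted. The following is an added example written for this page; it is not code from the thread or from Microsoft. It assumes it is run with domain admin rights on a machine that has the ActiveDirectory module (RSAT), that account lockout and credential validation/Kerberos auditing is enabled on the DCs, and it uses the default Security log field names; the parameter names and the `Get-StaleCredentialSuspects` helper are this example's own.

```powershell
# Added example (not from the original thread or from Microsoft).
# Part 1, run against the PDC emulator: list each 4740 lockout in the last
# $HoursBack hours together with the host named in the 4740 event and the
# sources of 4771/4776 bad-password events for the same account in the
# $WindowSeconds before the lockout.
param(
    [int]$HoursBack     = 24,    # assumption: how far back to search the Security log
    [int]$WindowSeconds = 120    # assumption: look-back window before each 4740
)

$pdc   = (Get-ADDomain).PDCEmulator        # all lockouts are replicated to the PDC emulator
$since = (Get-Date).AddHours(-$HoursBack)

# Read the EventData fields by name from the event XML, so the script does not
# depend on positional property indexes that differ between event IDs.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $since }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop |
    Sort-Object TimeCreated

$lockouts = foreach ($e in ($events | Where-Object Id -eq 4740)) {
    $d = Get-EventData $e
    # In a 4740 event the "Caller Computer Name" is carried in TargetDomainName.
    $acct   = $d['TargetUserName']
    $caller = $d['TargetDomainName']
    $from   = $e.TimeCreated.AddSeconds(-$WindowSeconds)

    # Bad-password attempts for this account shortly before the lockout.
    # 4771 Status 0x18 (pre-auth failed) and 4776 Status 0xC000006A both mean wrong password.
    $bad = $events |
        Where-Object { ($_.Id -eq 4771 -or $_.Id -eq 4776) -and
                       $_.TimeCreated -ge $from -and $_.TimeCreated -le $e.TimeCreated } |
        ForEach-Object {
            $x = Get-EventData $_
            if ($x['TargetUserName'] -ne $acct) { return }
            if ($_.Id -eq 4771 -and $x['Status'] -eq '0x18') {
                [pscustomobject]@{ Id = 4771; Source = $x['IpAddress'] }
            } elseif ($_.Id -eq 4776 -and $x['Status'] -eq '0xc000006a') {
                [pscustomobject]@{ Id = 4776; Source = $x['Workstation'] }
            }
        }

    [pscustomobject]@{
        Time         = $e.TimeCreated
        Account      = $acct
        CallerHost   = $caller
        BadPwSources = ($bad | Group-Object Source |
                        ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
    }
}

$lockouts | Sort-Object Account, Time | Format-Table -AutoSize

# Part 2, run locally on the host reported as CallerHost: find where a stale
# password for the account may be stored (the four checks from the answer).
function Get-StaleCredentialSuspects {
    param([string]$Account)   # e.g. 'jsmith' or 'CONTOSO\jsmith'
    [pscustomobject]@{
        CachedCredentials = (cmdkey /list | Select-String -SimpleMatch $Account)
        Services          = Get-CimInstance Win32_Service |
                            Where-Object { $_.StartName -like "*$Account*" } |
                            Select-Object Name, StartName
        ScheduledTasks    = Get-ScheduledTask |
                            Where-Object { $_.Principal.UserId -like "*$Account*" } |
                            Select-Object TaskName, TaskPath
        MappedDrives      = Get-SmbMapping | Select-Object LocalPath, RemotePath, Status
    }
}
```

    Part 1 gives one row per lockout; an account that is locked repeatedly with the same CallerHost or the same bad-password source is the one to visit first. Part 2 is then run on that host for the affected account, and any service, task or saved credential that still references the account is a candidate for the stale password. A 4740 whose caller host is a VPN gateway or a Hyper-V host points at the sessions terminating there rather than at the host itself.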
  2. Anonymous
    2023-09-12T06:07:08+00:00

    Hi,

    Thanks for comprehensive feedback.

    The info provided is relevant; my antivirus came to my rescue and discovered the cause. It's related to a Hyper-V host.

    I am investigating the cause further and will share the source once finalized.

  3. Anonymous
    2023-09-12T07:13:16+00:00

    Hello Census Mathebula1,

    Thank you for your update.

    I hope to hear your good news soon.

    Thank you in advance for your time, effort and sharing.

    Best Regards,
    Daisy Zhou
