A stringent account lockout policy is vital to derail password guessing and brute-force attacks but it also runs the risk of locking out legitimate users costing businesses valuable time, money, and effort.
With password reset requests accounting for almost 30% of the total IT help desk tickets, resolving frequent account lockouts becomes an indispensable part of a sysadmin’s job. And with employees switching between multiple devices and collaborating using numerous applications, finding the source of an AD account lockout has become harder than ever.
It’s vital to understand why the wrong password was repeatedly used, i.e., whether its use was malicious or not, because not knowing this information could result in unwanted access. This is why there’s a pressing need to analyse and detect the root cause of an account lockout quickly so user accounts don’t remain locked out long.
Types of AD account lockouts
The account lockout policy is a built-in security measure that limits malicious users and hackers from illegitimately accessing your network resources. Almost all AD lockouts are caused by one of these two fundamental issues. They are:
- Careless employees forgetting their passwords
An organisation is only as strong as its weakest link. Without the use of a single sign-on, an employee on average uses approximately 27 passwords for their business needs. In addition to accessing their desktop and VPN, a vast suite of applications like Outlook, Dropbox, G Suite, Salesforce, Amazon Web Services (AWS), and more require the use of unique passwords. This makes it extremely challenging for an average employee to keep track of what passwords are in use resulting in frequent account lockouts.
Though this type of password reset is prevalent, resolving it simply requires verifying the user’s ID and resetting the AD account password.
- Password overlap due to cached credentials
This type of account lockout while not as prevalent is far more difficult to resolve, because the root cause of the account lockout is often obscure.
On top of this, since employees often use multiple devices, numerous productivity applications, Windows services, and more, the password overlap could set off the account lockout from any of these.
In this blog, we delve into this type of repeated account lockout, analyse its causes, and discuss the various tools available to troubleshoot.
Microsoft Technet lists the following as the most common causes of the account lockout:
- Programs using cached credentials
- Expired cached credentials used by Windows services
- Low threshold for password attempts
- Employees logged on across multiple devices
- Redundant credentials retained for stored usernames and passwords
- Obsolete credentials used by scheduled tasks
- Improper shared drive mappings
- AD account replication issues
- Disconnected terminal sessions on a Windows server
Tools that help find the source of repeated account lockouts
There are multiple tools that help to track down the source of repeated account lockouts. Most of which are labour and time-intensive. They are:
- Microsoft account lockout and management tools
Microsoft offers the LockoutStatus and EventCombMT tools. Though reliable and accurate, using Microsoft’s tools require multiple individual tools that need to be set up, routine manual investigation of every Windows component, and more.
- PowerShell scripts
In addition to admins being aware of the scripting language, using PowerShell scripts requires manual setup of AD security auditing. It includes finding the domain controller that has the primary domain controller emulator role, tracking down Windows Event ID 4740 in security event logs, and analysing the details of the event found.
- Account lockout examiners
A third-party solution that can analyse various Windows components like scheduled tasks, COM objects, OWA, applications, and ActiveSync for signs of outdated credentials and improper mapping goes a long way in finding the source of repeated account lockouts quickly.
Use ManageEngine ADAudit Plus‘ account lockout examiner to easily spot and troubleshoot repeated AD account lockouts. It helps:
- Trace account lockout statuses along with details on lock-out times, machines, and more.
- Analyse Windows services, applications, processes, and scheduled tasks for outdated credentials.
- Check for improper network drive mappings and disconnected remote desktop sessions.
- Find the history of logon failure associated with that locked out account for more context.
- Spot atypical user activities like unusual time or volume of account lockouts with user behaviour analytics.
- And more.
Download our free, 30-day trial to quickly spot and resolve AD account lockouts.