Executive Summary:
In Windows networks, troubleshooting locked-out accounts can take a lot of time and effort. Fortunately, Microsoft's Account Lockout and Management Tools can help reduce the time and effort it takes to locate the root causes of locked-out accounts. EventCombMT.exe, LockoutStatus.exe, and NLParse.exe are three tools in the Account Lockout and Management Tools you should become familiar with if you often have account lockouts.
Troubleshooting locked-out accounts can be difficult and time-consuming. Cached credentials on drive mappings, Microsoft IIS application pools, COM+ objects, scheduled tasks, services, and interactive logons are all common causes of account lockouts. Fortunately, Microsoft provides tools and techniques to help you narrow the search for the root cause, including the Account Lockout and Management Tools. You can download these tools from the Microsoft Download Center at www.microsoft.com/downloads/.
At my organization, we recently used the following tools to locate the root cause of a locked-out account that was discovered during one of our regularly scheduled password changes:
EventCombMT.exe. EventCombMT.exe collects and filters events from the event logs of the domain controllers (DCs) in a specified domain. The tool has a built-in search for account lockouts that defaults to the Security log and prepopulates the Event ID field with the event IDs that pertain to locked-out accounts. Because it consolidates the matching events from every DC into text files in a common folder, you can quickly search that folder for the locked-out account and for the name of the server or workstation from which the lockout originated.
LockoutStatus.exe. LockoutStatus.exe queries every DC in the domain and tells you when the target account was last locked out and on which DC. It also shows the account's current status and the number of bad password attempts recorded on each DC. The per-DC view matters because bad-password counts are kept locally on each DC rather than replicated (each DC also forwards failed password validations to the PDC emulator, which therefore sees every attempt), so the DC other than the PDC emulator that shows the most recent bad password time is the one the offending machine is authenticating against. Depending on the topology of the Windows domain, this information can help you determine whether the server or workstation locking out the account is located at a particular site.
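As an added example that is not part of the article (neither McCraney's procedure nor Microsoft's tools), the following PowerShell does for one account what LockoutStatus.exe and EventCombMT.exe's lockout search do, against Windows Server 2008 or later DCs. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log on each DC (for example, through Event Log Readers membership), and that the DCs log event ID 4740 ("A user account was locked out"); the pre-2008 lockout event ID is 644, which Get-WinEvent cannot pull remotely from those older DCs.

```powershell
# Added example, not from the article: per-DC lockout status plus the
# consolidated 4740 events that name the machine the bad credentials came from.
# Assumes: RSAT ActiveDirectory module; rights to read each DC's Security log.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$HoursBack = 24
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$HoursBack)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. LockoutStatus-style view. badPwdCount and badPasswordTime are not
#    replicated, so every DC has to be asked individually.
$status = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc `
                -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc
            LockedOut       = $u.LockedOut
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockoutTime     = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
        }
    } catch {
        [pscustomobject]@{ DC = $dc; LockedOut = 'unreachable'; BadPwdCount = $null; LastBadPassword = $null; LockoutTime = $null }
    }
}
$status | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize

# 2. EventCombMT-style view: pull 4740 from every DC's Security log. In 4740 the
#    locked account is TargetUserName and the caller computer name is carried in
#    the TargetDomainName field.
$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.TargetUserName -eq $SamAccountName) {
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    DC             = $dc
                    Account        = $d.TargetUserName
                    CallerComputer = $d.TargetDomainName
                }
            }
        }
    } catch {
        # Get-WinEvent raises an error when nothing matched; only warn on real failures.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# One CSV for the whole domain, which is what EventCombMT's per-DC text files
# get pasted together into by hand.
$events | Sort-Object Time | Export-Csv -NoTypeInformation -Path ".\lockouts-$SamAccountName.csv"
$events | Sort-Object Time | Format-Table -AutoSize
```

Run it as `.\Find-Lockout.ps1 -SamAccountName jdoe -HoursBack 48` (file name assumed). The CallerComputer column is the value to chase: it is the host still presenting the stale credential, and the Netlogon log on the DC that recorded the event will show the same source name.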
Netlogon logging. Netlogon logging tracks Netlogon and NT LAN Manager (NTLM) authentication events. Enabling Netlogon logging on all DCs is an effective way to isolate a locked-out account and see where it is being locked out. The Microsoft article "Enabling debug logging for the Net Logon service" (support.microsoft.com/kb/109626) explains how to enable Netlogon logging on the various versions of Windows; the log is written to %SystemRoot%\Debug\netlogon.log on each DC. Netlogon logging itself isn't part of the Account Lockout and Management Tools, but NLParse.exe, which is one of those tools, is used to parse the Netlogon logs. Enabling Netlogon logging can create large files quickly, so using NLParse.exe to locate the relevant events in the Netlogon log can save time when troubleshooting lockouts. NLParse.exe writes its output to a comma-separated value (CSV) file, where the events can easily be searched or sorted.
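Here is an added PowerShell example, not the article's own and not NLParse.exe itself, that shows what NLParse does: it picks the SamLogon result lines out of Netlogon.log, maps the NTSTATUS code to its name, and writes the failures to CSV. The log lines in it are constructed for this example. The regular expression assumes the standard Netlogon.log line layout, `MM/DD HH:MM:SS [LOGON] ... SamLogon: <type> logon of <domain>\<user> from <source> Returns <status>`, with or without the thread ID and domain prefix that newer Windows versions insert before "SamLogon:".

```powershell
# Added example, not from the article: an NLParse-style filter for Netlogon.log.
# Sample lines below are constructed; real logs live in %SystemRoot%\Debug on each DC.

# NTSTATUS codes a lockout investigation cares about (standard Windows values).
$statusText = @{
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC000006F' = 'STATUS_INVALID_LOGON_HOURS'
    '0xC0000070' = 'STATUS_INVALID_WORKSTATION'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000193' = 'STATUS_ACCOUNT_EXPIRED'
    '0xC0000224' = 'STATUS_PASSWORD_MUST_CHANGE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

# Matches both "[LOGON] SamLogon: ..." and "[LOGON] [tid] DOMAIN: SamLogon: ...".
# "Entered" lines have no result code and are skipped; only "Returns" lines count.
$pattern = '^(?<date>\d\d/\d\d) (?<time>\d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: ' +
           '(?<type>.+?) logon of (?<account>\S+) from (?<source>\S+)' +
           '(?: \(via (?<via>\S+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'

function ConvertFrom-NetlogonLine {
    param(
        [Parameter(ValueFromPipeline)][string]$Line,
        [string]$DC = ''
    )
    process {
        if ($Line -match $pattern) {
            # Hashtable lookup is case-insensitive, so the log's hex casing does not matter.
            $meaning = if ($statusText.ContainsKey($Matches.status)) { $statusText[$Matches.status] } else { 'other' }
            [pscustomobject]@{
                DC        = $DC
                Date      = $Matches.date
                Time      = $Matches.time
                LogonType = $Matches.type
                Account   = $Matches.account
                Source    = $Matches.source   # machine that presented the credentials
                Via       = $Matches.via      # DC that forwarded a transitive logon, if any
                Status    = $Matches.status
                Meaning   = $meaning
            }
        }
    }
}

# Constructed sample: two wrong passwords from WS017, then the lockout, plus an
# unrelated successful service logon that must be filtered out.
$sample = @'
05/24 08:01:12 [LOGON] [2812] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WS017 (via DC2) Entered
05/24 08:01:12 [LOGON] [2812] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WS017 (via DC2) Returns 0xC000006A
05/24 08:01:14 [LOGON] [2812] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS017 Returns 0xC000006A
05/24 08:01:20 [LOGON] [2812] CONTOSO: SamLogon: Network logon of CONTOSO\svc-backup from APP03 Returns 0x0
05/24 08:01:31 [LOGON] SamLogon: Network logon of CONTOSO\jdoe from WS017 Returns 0xC0000234
'@ -split "`r?`n"

# For a real DC: Get-Content \\DC1\admin$\debug\netlogon.log | ConvertFrom-NetlogonLine -DC DC1
$parsed   = $sample | ConvertFrom-NetlogonLine -DC 'DC1'
$failures = $parsed | Where-Object Status -ne '0x0'

$failures | Export-Csv -NoTypeInformation -Path .\netlogon-failures.csv

# Which source machine is generating the failures for each account?
$failures | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Statuses'; e = { ($_.Group.Meaning | Sort-Object -Unique) -join '; ' } } |
    Format-Table -AutoSize
```

Because Netlogon logs on every DC, run the parser over each DC's file with a different `-DC` value and concatenate the results before grouping; the `Via` column then tells you which DC a transitive logon was forwarded through, which is the same site clue LockoutStatus.exe gives from the per-DC counts.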
The Account Lockout and Management Tools helped us reduce the amount of effort it took to locate the root cause of our locked-out account. They helped us target our energy at specific servers or workstations in our organization.
—Brent McCraney, Senior Technical Analyst, Ontario Teachers' Pension Plan