Hello there,
We have an issue since the beginning of August where Active Directory accounts are being locked - not always the same accounts. It really seems to appear randomly. So far these accounts have nothing special in common: no specific attribute or group or whatever. I mean nothing that separates them from the accounts not being locked.
Google provided me a script which gives me time, username, hostname and IP of the machine where the lock happened (it gathers the DCs' event logs and searches for Event ID 4771, Kerberos pre-authentication failed). But it does not get me any further. I find nothing helpful in the event log of these machines where the lock happens.
I activated a GPO so that the attribute msDS-FailedInteractiveLogonCount is counted, and I monitor it with Netwrix. On "special days", e.g. yesterday, several accounts went up by one; on other days nothing happens.
I researched the process which is responsible: svchost.exe -k netsvcs -p. But does it help me get to the program which leads to this behaviour? It could be several things according to Google, e.g. Task Scheduler. We don't push scheduled tasks to the machines with a maybe outdated password, and on the machines I researched no suspicious task could be found.
I have started performance monitor according to this link (we did not have any domain migration but I gave this link a try to monitor kerberos activities)
https://blogs.technet.microsoft.com/askpfeplat/2013/12/15/domain-and-dc-migrations-how-to-monitor-ldap-kerberos-and-ntlm-traffic-to-your-domain-controllers/
In this report even two locks actually happened. But it is a really large file. Although it seemed to work, I did not find anything helpful again. No question, maybe I have been searching wrong - that's why I am writing... surprise.
I hope I could summarize everything I did. Maybe some help to get a new trace which leads us to the mole?
Everything in general I find on Google is more like some service using an old password to log in... but on the machines of so many users? And even if we pushed it out via GPO, why not all users then? So I am lost...
We have a Windows 2012 R2 domain and DCs. Clients are Win10 Enterprise 1803.
If you need more information, please ask. I tried to make it as short as possible with all the "helpful" information I have.
Thanks for your help.
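Added example, not the poster's script: a PowerShell approach to the same 4771 hunt that also pulls in the 4740 lockout events from the DCs and ties each lockout back to the source addresses that produced bad-password pre-authentication failures (4771 with Status 0x18, which is KDC_ERR_PREAUTH_FAILED) for that user shortly before. It assumes you run it as an account allowed to read the DCs' Security logs, that remote event log access to the DCs is permitted, and that the DC names in `$DomainControllers` (placeholders here) are replaced with your own.

```powershell
# Added example (not the poster's script): summarize Kerberos pre-auth failures (4771)
# and account lockouts (4740) from one or more domain controllers' Security logs.
# Assumptions: the caller may read the DCs' Security logs remotely; the DC names
# below are placeholders to replace with your own.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # placeholder DC names
    [int]$Hours = 24,        # how far back to look
    [int]$Threshold = 3      # report user/source pairs with at least this many 0x18 failures
)

$since = (Get-Date).AddHours(-$Hours)

# Pull named EventData fields out of an event via its XML rendering; this is more
# robust than relying on the positional order of $event.Properties.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$failures = New-Object System.Collections.Generic.List[object]
$lockouts = New-Object System.Collections.Generic.List[object]

foreach ($dc in $DomainControllers) {
    $filter = @{ LogName = 'Security'; Id = 4771, 4740; StartTime = $since }
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "No matching events or no access on ${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $d = Get-EventData -Event $e
        if ($e.Id -eq 4771) {
            # Status 0x18 = KDC_ERR_PREAUTH_FAILED: a wrong password was presented.
            # Other status codes (e.g. 0x17 expired password) are not lockout-relevant here.
            if ($d['Status'] -ne '0x18') { continue }
            $failures.Add([pscustomobject]@{
                Time     = $e.TimeCreated
                DC       = $dc
                User     = $d['TargetUserName']
                SourceIP = ($d['IpAddress'] -replace '^::ffff:', '')   # strip IPv4-mapped prefix
                Service  = $d['ServiceName']
            })
        } else {
            # 4740: TargetDomainName carries the "Caller Computer Name" of the lockout.
            $lockouts.Add([pscustomobject]@{
                Time   = $e.TimeCreated
                DC     = $dc
                User   = $d['TargetUserName']
                Caller = $d['TargetDomainName']
            })
        }
    }
}

# Which user / source-address pairs produced repeated bad-password pre-auth attempts?
$suspects = $failures |
    Group-Object User, SourceIP |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            User     = $sorted[0].User
            SourceIP = $sorted[0].SourceIP
            Failures = $_.Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
        }
    } | Sort-Object Failures -Descending

"=== Repeated 0x18 pre-auth failures (last $Hours h) ==="
$suspects | Format-Table -AutoSize

# For each lockout, list the failing sources for that user in the 30 minutes before it,
# so the lockout is tied to a machine even when the 4740 caller name is not conclusive.
"=== Lockouts with preceding failure sources ==="
foreach ($l in ($lockouts | Sort-Object Time)) {
    $window = $failures | Where-Object {
        $_.User -eq $l.User -and $_.Time -le $l.Time -and $_.Time -ge $l.Time.AddMinutes(-30)
    }
    $sources = ($window | Group-Object SourceIP | ForEach-Object { "$($_.Name) x$($_.Count)" }) -join ', '
    "{0:u}  {1,-20} locked (caller: {2}); failures from: {3}" -f $l.Time, $l.User, $l.Caller, $sources
}
```

Save it as, for example, `Get-LockoutSources.ps1` and run `.\Get-LockoutSources.ps1 -DomainControllers DC01,DC02 -Hours 48`. Querying every DC matters because pre-authentication failures are only logged on the DC that handled the request, while the 4740 is written on the DC that applied the lockout. Once the script names a source address, the next place to look is that client's own Security log around the same timestamps: failed logon events there record the logon type and the caller process, which is the link back to the specific program that keeps presenting the stale credential.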