Channel: Directory Services forum

Why are my users locking their accounts with no trace on why?

I have the following GP/Advanced Audit:
Logon/Logoff
  Logon                                   Success and Failure
  Account Lockout                         Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure

Detailed Tracking
  Process Creation                        Success

Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Application Group Management            Success
  Other Account Management Events         Success

DS Access
  Directory Service Changes               Success
  Directory Service Access                Success and Failure

Account Logon
  Other Account Logon Events              Success and Failure
  Credential Validation                   Success and Failure

Recently, some users have been complaining about their accounts being locked several times a day.

But despite the proper configuration, when searching the Event Viewer logs I can find the 4740 event, showing exactly when the account was locked, but I can't find any evidence of ANY of the 5 failures required to lock an account on ANY DC available. No 4625 events were found.

If I create a test user and force the user to fail several times, all the proper events (4625 & 4740) show up in the logs with no problem, so auditing is OK.

In Office 365 there are no login failures, only successful login events, so the lockout is not coming from O365 back to my on-premises AD/DC.

What else can I do?

In Azure AD Sync, nothing useful (and the logging capabilities are terrible), and my PDC emulator shows the lockout in the ALTools / Account Lockout Tool as the lockout propagates through the replication process; nothing wrong.

The local user's machine has some events, but again only successful events, including the .EXE name responsible for the login; no failure events are shown.

What else can I do? What am I missing here?
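
One way to chase a lockout back to its source, as an added PowerShell example that is not part of the original post: 4740 on the PDC emulator names the machine the bad password came from ("Caller Computer Name", carried in the event's TargetDomainName field), and that host, not the DC, is where 4625 is written. On the DCs themselves the failures appear as 4776 (NTLM, Credential Validation) and 4771 (Kerberos pre-authentication). Note that 4771 is only logged when the Account Logon > Kerberos Authentication Service subcategory is audited, which the policy listed at the top of the post does not include, so under that policy a Kerberos bad password leaves no DC-side failure event at all. The script assumes the ActiveDirectory module, remote Security log (RPC) access to the DCs and to the caller machine, and a user name supplied by the operator; the event field names are those of the standard 4740/4771/4776/4625 schemas.

```powershell
# Added example (editor's code, not from the original post).
# Correlates 4740 lockouts for one user, read from the PDC emulator where every
# lockout is recorded, with the failed-credential events in the minutes before
# each one: 4771/4776 on the DCs and 4625 on the computer named in the 4740.
# Assumptions: ActiveDirectory module present, RPC access to the DCs' and the
# caller's Security logs, and the operator supplies -User (e.g. 'jdoe').
param(
    [Parameter(Mandatory)] [string] $User,
    [int] $Hours = 24,          # how far back to look for 4740 on the PDC
    [int] $WindowMinutes = 30   # how far before each lockout to look for failures
)
Import-Module ActiveDirectory

function Get-EventField {
    # Read one EventData field by its schema name rather than a positional index.
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event, [string] $Name)
    $xml = [xml] $Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-UserEvents {
    # Events with the given IDs on one host whose TargetUserName is $User.
    param([string] $Computer, [int[]] $Ids, [datetime] $From, [datetime] $To)
    $filter = @{ LogName = 'Security'; Id = $Ids; StartTime = $From; EndTime = $To }
    try {
        Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop |
            Where-Object { (Get-EventField $_ 'TargetUserName') -ieq $User }
    } catch {
        # "No events were found" and RPC/firewall failures both land here.
        Write-Warning "$Computer : $($_.Exception.Message)"
    }
}

$pdc = (Get-ADDomain).PDCEmulator
$dcs = (Get-ADDomainController -Filter *).HostName
$now = Get-Date

$lockouts = @(Get-UserEvents -Computer $pdc -Ids 4740 -From $now.AddHours(-$Hours) -To $now)
if ($lockouts.Count -eq 0) { Write-Host "No 4740 for $User on $pdc in the last $Hours h"; return }

foreach ($lock in $lockouts) {
    # In the 4740 schema the 'Caller Computer Name' is the TargetDomainName field.
    $caller = Get-EventField $lock 'TargetDomainName'
    $to   = $lock.TimeCreated
    $from = $to.AddMinutes(-$WindowMinutes)
    Write-Host "`n=== $User locked out at $to, caller computer: '$caller' ==="

    # DC side: Kerberos pre-auth failures (4771) and NTLM validation failures (4776).
    $dcs | ForEach-Object {
        $dc = $_
        Get-UserEvents -Computer $dc -Ids 4771, 4776 -From $from -To $to | ForEach-Object {
            if ($_.Id -eq 4771) { $src = Get-EventField $_ 'IpAddress' }
            else                { $src = Get-EventField $_ 'Workstation' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Id     = $_.Id
                Status = Get-EventField $_ 'Status'   # 0x18 (4771) / 0xC000006A (4776) = bad password
                Source = $src
            }
        }
    } | Format-Table -AutoSize

    # Caller side: 4625 is written on the machine that received the logon, not on the DC.
    if ($caller -and $caller -ne '-') {
        Get-UserEvents -Computer $caller -Ids 4625 -From $from -To $to | ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Host      = $caller
                LogonType = Get-EventField $_ 'LogonType'
                Process   = Get-EventField $_ 'ProcessName'
                Source    = Get-EventField $_ 'IpAddress'
                SubStatus = Get-EventField $_ 'SubStatus'   # 0xC000006A = bad password
            }
        } | Format-Table -AutoSize
    }
}
```

Run it as, for instance, `.\Find-LockoutSource.ps1 -User jdoe` (the file name is a placeholder). When the caller computer in 4740 turns out to be an intermediary such as the Azure AD Connect server, an Exchange/OWA front end, an NPS/RADIUS box or a VPN concentrator, the real origin (a stale password cached in a mail profile, a mapped drive, a scheduled task or a service account) is one hop behind it, and the 4625 on that intermediary, with its IpAddress, LogonType and ProcessName, is what points the way.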