Maintaining a robust account lockout policy is paramount to safeguarding against password-guessing and brute-force attacks. However, while this policy is essential for security, it can inadvertently lock legitimate users out, costing businesses time, money, and effort.
With nearly 30% of IT help desk tickets related to password reset requests, resolving frequent account lockouts has become integral to a sysadmin’s role. As employees use various devices and collaborate across multiple applications, pinpointing the source of an AD account lockout has grown more complex.
Understanding why incorrect passwords are repeatedly entered, whether malicious or not, is critical to prevent unauthorized access. Rapidly identifying the root cause of an account lockout is essential to minimize user downtime.
Types of AD Account Lockouts:
AD account lockouts generally result from two primary issues:
1. Employees Forgetting Passwords:
The sheer number of passwords employees manage is staggering. With an average of 27 passwords for various business needs, including desktop, VPN, email, and multiple applications, employees often struggle to keep track. Resetting a password for this type of lockout typically involves verifying the user’s identity and resetting the AD account password.
2. Password Overlap Due to Cached Credentials:
Less common but more challenging to resolve, this type of lockout occurs when cached credentials overlap. As employees use multiple devices, productivity applications, Windows services, and more, a lockout can be triggered from any of these sources.
Common Causes of Account Lockouts:
Microsoft Technet identifies several common causes of account lockouts:
- Programs Using Cached Credentials
- Expired Cached Credentials Used by Windows Services
- Low Threshold for Password Attempts*
- Employees Logged On Across Multiple Devices*
- Redundant Credentials Stored for Usernames and Passwords
- Obsolete Credentials Used by Scheduled Tasks
- Improper Shared Drive Mappings
- AD Account Replication Issues**
- Disconnected Terminal Sessions on a Windows Server
Tools to Identify the Source of Repeated Account Lockouts:
Several tools are available to track down the source of repeated account lockouts, but many are labor-intensive and time-consuming:
1. Microsoft Account Lockout and Management Tools
Microsoft provides tools like LockoutStatus and EventCombMT. While reliable, these tools require multiple setups and manual investigation of Windows components.
2. PowerShell Scripts:
Using PowerShell scripts entails manual setup of AD security auditing, tracking specific Windows Event IDs in security event logs, and analyzing event details.
3. Account Lockout Examiners
Third-party solutions can analyze various Windows components, such as scheduled tasks, COM objects, applications, and ActiveSync, for signs of outdated credentials and improper mappings.
ManageEngine ADAudit Plus’ Account Lockout Examiner
simplifies the process of identifying and troubleshooting repeated AD account lockouts. It offers:
- Detailed information on lockout statuses, including times and machines.
- Analysis of Windows services, applications, processes, and scheduled tasks for outdated credentials.
- Identification of improper network drive mappings and disconnected remote desktop sessions.
- Historical data on login failures associated with locked-out accounts for context.
- Detection of unusual user activities, like abnormal patterns of account lockouts, through user behavior analytics.
Conclusion:
Understanding and resolving repeated AD account lockouts is crucial for maintaining a secure, user-friendly IT environment. Utilizing tools like ADAudit Plus’ Account Lockout Examiner can streamline the process, minimize downtime, and enhance overall security. With the ever-evolving landscape of IT security, staying ahead of potential threats is paramount. If you want to learn more about ADAudit Plus, you can contact us or call us at +201033686782. We would love to help you. If you want to know more about ManageEngine products, you can visit our blog.