Active Directory account lockouts can be hugely problematic for organizations. There have been documented instances of attackers leveraging the account lockout feature in a type of denial of service attack. By intentionally entering numerous bad passwords, attackers can theoretically lock all of the users out of their accounts.
But what do you do if you are experiencing problems with account lockouts?
The Windows operating system is somewhat limited in its ability to troubleshoot account lockouts, but there are some things that you can do. For example, you can use Windows PowerShell to determine which accounts have been locked out. The command for doing so is:
Search-ADAccount -LockedOut -UsersOnly | Select-Object Name, SamAccountName
Incidentally, the UsersOnly parameter prevents computer objects from being included in the results, while the Select-Object command filters the results list to display only the user’s name and their account name.
If you find that accounts have been locked out, then there are a couple of ways of unlocking them. You can unlock accounts one at a time by using this command:
Unlock-ADAccount -Identity <username>
If, on the other hand, you need to unlock user accounts in bulk, then you can do so with this command:
Search-ADAccount –LockedOut | Unlock-ADAccount
While it is undeniably important to be able to unlock user accounts, it is equally important to be able to find out why accounts were locked out in the first place. You can gain a little bit of insight into the problem by using a variation of the Search-ADAccount command that you saw a moment ago:
Search-ADAccount -LockedOut | Select-Object *
This command will display additional information about all of the accounts that have been locked out. You can use this information to find out when the user last logged on and whether the user’s password is expired. Because this command can return a lot of data, you may find it helpful to write the results to a CSV file. Here is an example of how to do so:
Search-ADAccount -LockedOut | Select-Object * | Export-CSV -Path c:\temp\lockout.csv
It is possible to go further with Active Directory lockout troubleshooting using the native Windows tools, but in order to do so, you’re going to need to make a change to your group policy settings prior to lockouts occurring. Oddly enough, account lockouts are not logged by default.
You can enable logging by opening the Group Policy Editor and navigating through the console tree to Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | System Audit Policies | Account Management. Now, enable both success and failure auditing for user account management.
Once the new group policy setting has been applied across the domain, it will cause event number 4740 to be written to the Security event log any time that an account becomes locked out.
Get-WinEvent -FilterHashtable @logname=”Security”; ID=4740
There is a good chance that this command will produce an overwhelming number of results. You can use the Select-Object cmdlet to limit the number of results shown. If, for instance, you only want to see the ten most recent results, you could use this command:
Get-WinEvent -FilterHashtable @logname=”Security”; ID=4740 | Select-Object UserID, Message -Last 10
Notice that I also included references to UserID and Message in the Select-Object cmdlet. The UserID will cause the username to be displayed, and the reference to Message will cause PowerShell to display detailed information about the event. Perhaps the most useful item displayed in the message is the Caller Computer Name, which reflects the name of the machine that caused the user account to be locked out. If necessary, you can also use the TimeCreated property to find out when the lockout occurred.
The command shown above can sometimes cut off the Message. If this happens to you, you can get around this problem by appending the Format-List command, as shown below:
Get-WinEvent -FilterHashtable @logname=”Security”; ID=4740 | Select-Object UserID, Message -Last 10 | Format-List
As you can see, Windows is limited in its ability to help you to troubleshoot account lockout problems. If you are consistently experiencing account lockout issues and need additional troubleshooting capabilities or if you, like many other organizations, are experiencing an increase in account lockout related calls during the global pandemic, then you might consider checking out some of the third-party tools that are available such as a self-service password reset solution.
Identifying what is driving lockouts and rectifying the issue is one part of the equation. To address the issue holistically, IT departments need to provide users with the ability to unlock their own accounts securely, anytime, anywhere.
No comments: