Just had a nice error that had me a little stumped. I changed the password on the admin account that I use to remote on to servers around the site, but it kept locking out. I've never had the problem before, so I was a little peeved. Anyway, using a combination of the linked Account Lockout Tools and Event Viewer on the originating DC to search for event 644 (User account successfully locked out), I managed to trace down the originating server.
1. From the extracted download, run LockoutStatus.exe
2. Type in the user to query
3. Check whether the account is locked. If it is, check the Orig Lock column to determine which DC locked the account
4. Connect to the Security log of the DC in question
5. Filter the output to search for event ID 644
6. Check through the output to find the server/workstation performing the lockout
If it isn't obvious when you log on to the offending machine what is causing the lockout, use the Security event log on that system and search for failure events (event ID 529). Looking at these entries, you should be able to find the Caller Process ID, which you can then match to a process with Task Manager or Process Monitor from Sysinternals.
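The lookups in steps 5 to 7 scripted in Windows PowerShell, as an added example that is not from the original post: it pulls the 644 events for the account from the originating DC, lists the Caller Machine Name from each, then pulls the 529 failures for the same account from each of those machines together with the Caller Process ID. $Dc, $User, $Since and the Get-EventField helper are assumed names; the field labels match the legacy 644/529 message text.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell with
# read access to the remote Security logs; $Dc, $User and $Since are assumed names.
param(
    [string]$Dc    = 'DC01',                    # DC shown in LockoutStatus' "Orig Lock" column
    [string]$User  = 'admin',                   # account that keeps locking out
    [datetime]$Since = (Get-Date).AddHours(-24) # how far back to search
)

# Pull one named field (e.g. "Caller Machine Name:  WS42") out of a legacy event message.
function Get-EventField {
    param([string]$Message, [string]$Field)
    if ($Message -match "(?m)^\s*$([regex]::Escape($Field)):\s*(\S.*?)\s*$") { return $Matches[1] }
}

# Steps 5/6: event 644 on the originating DC names the machine that triggered the lockout.
$lockouts = Get-EventLog -LogName Security -ComputerName $Dc -After $Since |
    Where-Object { $_.EventID -eq 644 -and (Get-EventField $_.Message 'Target Account Name') -eq $User }

$lockouts | ForEach-Object {
    [pscustomobject]@{
        Time          = $_.TimeGenerated
        CallerMachine = Get-EventField $_.Message 'Caller Machine Name'
    }
} | Format-Table -AutoSize

# Step 7: on each offending machine, failure event 529 carries the Caller Process ID,
# which you then match against Task Manager / Process Monitor on that box.
$machines = $lockouts | ForEach-Object { Get-EventField $_.Message 'Caller Machine Name' } | Sort-Object -Unique
foreach ($machine in $machines) {
    Get-EventLog -LogName Security -ComputerName $machine -After $Since -EntryType FailureAudit |
        Where-Object { $_.EventID -eq 529 -and (Get-EventField $_.Message 'User Name') -eq $User } |
        ForEach-Object {
            [pscustomobject]@{
                Machine   = $machine
                Time      = $_.TimeGenerated
                ProcessId = Get-EventField $_.Message 'Caller Process ID'
                LogonType = Get-EventField $_.Message 'Logon Type'
            }
        } | Format-Table -AutoSize
}
```

A disconnected session shows up here as a non-interactive logon type retrying with the old password, so the Logon Type column is worth reading alongside the process ID.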
In my instance, it turned out to be a process called xf.exe, which in turn is the HP Management Infrastructure service, used for managing HP EVAs. I had a disconnected RDP session open to Command View, and it was this using the old credentials, which subsequently kept locking me out :(
Ending the session did the trick :)