6.10. Troubleshooting Account Lockout Problems
Problem
A user is having account lockout problems, and you need to determine where the account is being locked out from and how it is being locked out.
Solution
Using a graphical user interface
LockoutStatus is a new tool available for Windows 2000 or Windows Server 2003 that can help identify on which domain controllers users are getting locked out. It works by querying the lockout status of a user against all domain controllers in the user’s domain.
To determine the lockout status of a user:
Open LockoutStatus and select File → Select Target from the menu.
Enter the target user name and the domain of the user.
Click OK.
At this point, each domain controller in the domain will be queried and the results will be displayed.
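The per-domain-controller query that LockoutStatus performs can also be scripted. The following is an added example, not from the book or from Microsoft's tool set; it assumes the ActiveDirectory PowerShell module (RSAT), which postdates the Windows versions discussed here, and the function name Get-UserLockoutStatus and the user name jsmith are hypothetical.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-UserLockoutStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Identity,      # sAMAccountName, DN, SID or GUID
        [string] $Domain = $env:USERDNSDOMAIN           # defaults to the caller's domain
    )

    # badPwdCount and the last bad password time are not replicated between
    # domain controllers, so every DC has to be asked individually.
    $props = 'LockedOut', 'badPwdCount', 'LastBadPasswordAttempt',
             'AccountLockoutTime', 'PasswordLastSet'

    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $row = [ordered]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            IsPdcEmulator    = $dc.OperationMasterRoles -contains 'PDCEmulator'
            LockedOut        = $null
            BadPwdCount      = $null
            LastBadPassword  = $null
            LockoutTime      = $null
            PasswordLastSet  = $null
            Error            = $null
        }
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName `
                            -Properties $props -ErrorAction Stop
            $row.LockedOut       = $u.LockedOut
            $row.BadPwdCount     = $u.badPwdCount
            $row.LastBadPassword = $u.LastBadPasswordAttempt
            $row.LockoutTime     = $u.AccountLockoutTime
            $row.PasswordLastSet = $u.PasswordLastSet
        } catch {
            # An unreachable DC is reported as a row, not silently skipped,
            # so a gap in the picture stays visible.
            $row.Error = $_.Exception.Message
        }
        [pscustomobject]$row
    }
}

# Constructed sample call: most recent bad password attempt first.
Get-UserLockoutStatus -Identity 'jsmith' |
    Sort-Object LastBadPassword -Descending |
    Format-Table -AutoSize
```

The domain controller showing the most recent bad password time is the one that received the failed authentication attempt directly.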
Discussion
The Lockoutstatus.exe tool is just one of many that are available in the new “Account Lockout and Management” tool set provided by Microsoft. These new lockout tools are intended to help administrators with account lockout problems that are very difficult to troubleshoot given the tools available under Windows 2000. Along with the tool mentioned in the Solution Section, here are a few others that are included in the set:
- ALockout.dll
A script that uses this DLL called EnableKerbLog.vbs is included with the tool set that can be used to enable logging of application authentication. This can help identify applications using bad credentials that are causing account lockouts.
- ALoInfo.exe
Displays services and shares that are using ...