Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials

Find location AD Account keeps locking out

Good morning all.

I've read a few posts on how to identify where a user has saved an incorrect password that keeps locking out their account.

1. Is this something SolarWinds can actually do?
2. What licencing will I need if it does I.E. SAM?
3. Is it easier to give the end user a pencil and paper and tell them to never use a computer again

As you will all be aware, it's always someone that can shout loudly enough in the organisation that causes us this Oh, So, common issue we all love wasting our time on

If anyone can help or point me in the right reading direction please I will be gratefully helpful.

Kind Regards

MarkyB

Find more posts tagged with

Accepted answers

All comments

stevenstadel

A couple of SAM templates will show you who is locked out; the great thing about SAM is that you can run scripts. I have yet to move this to a SAM-compatible script, but this PowerShell function will search the PDC emulator for locked-out records and spit out who, from where, and when. Great for troubleshooting.

Run as a Domain Admin and make sure Import-Module -Name ActiveDirectory

Get-AdUserAcctLockouts.ps1

param (
    [Parameter(
        ValueFromPipeline = $true,
        ParameterSetName = 'ByUser'
    )]
    [Microsoft.ActiveDirectory.Management.ADUser]$Identity
    ,
    [datetime]$StartTime
    ,
    [datetime]$EndTime
)

$filterHt = @{
    LogName = 'Security'
    ID = 4740
}

if ($PSBoundParameters.ContainsKey('StartTime')){
    $filterHt['StartTime'] = $StartTime
}

if ($PSBoundParameters.ContainsKey('EndTime')){
    $filterHt['EndTime'] = $EndTime
}

$PDCEmulator = (Get-ADDomain).PDCEmulator
# Query the event log just once instead of for each user if using the pipeline
$events = Get-WinEvent -ComputerName $PDCEmulator -FilterHashtable $filterHt

if ($PSCmdlet.ParameterSetName -eq 'ByUser'){
    $user = Get-ADUser $Identity
    # Filter the events
    $output = $events | Where-Object {$_.Properties[0].Value -eq $user.SamAccountName}
} else {
    $output = $events
}

foreach ($event in $output){
    [pscustomobject]@{
        UserName = $event.Properties[0].Value
        CallerComputer = $event.Properties[1].Value
        TimeStamp = $event.TimeCreated
    }
}

adam.beedell

This would be a weird SAM monitor if you wanted to use SAM. Would do an event monitor for the lock, apply to all DCs, add a searchable element somewhere.

oooor use the lockoutstatus tool from microsoft as a markedly quicker troubleshooting tactic

Enterprise-level i'd probably go with a logs or SEIM type tooling.

lockoutstatus tho

MarkyB

Thanks all for your responses.

I'll have a look into the different options mentioned.