Dec 24, 2010

Tracking Down Account Lockouts in Windows Server 2008 and 2008 R2

You have all probably had to troubleshoot account lockouts, right? I mean, it comes with the territory for a Windows admin. Sure, some of you may be Help Desk workers, and you unlock the account and then send the user on their way. What if a certain user’s account keeps getting locked out, though? Like chronic back pain, the user keeps coming to you telling you that their account is locked out again. It sounds like a deeper problem.

Lucky for you, then, that Microsoft has an old tool to help you look for account lockouts on domain controllers, so you can see which computers the accounts are getting locked out on. From there you can check for things like scheduled tasks with old passwords, viruses using old credentials, hacking attempts, etc. It’s called EventCombMT and comes with the Microsoft Account Lockout Management Tools.

In EventCombMT, there are several built-in searches, but the only one I have ever used is the account lockout search. For domain controllers running Windows 2000 or 2003, the default event IDs for the search work fine. If you are running Windows 2008 or Windows 2008 R2 domain controllers, though, you need to add a search for event ID 4740, as that is the event ID for lockouts in 2008/2008 R2.
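The same search can be run from PowerShell. The following is an added example, not part of the original post or of EventCombMT: it queries each domain controller's Security log for event ID 4740 and groups the results by account and caller computer. The function name `Get-LockoutSource` and the DC names `DC01` and `DC02` are placeholders, and it assumes PowerShell 3.0 or later with rights to read the Security log remotely.

```powershell
# Added example, not from the original post. DC names are placeholders.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$DomainController,      # DCs to search
        [int]$Hours = 24                  # how far back to look
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4740                  # account lockout on 2008 / 2008 R2
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    foreach ($dc in $DomainController) {
        try {
            $hits = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Also reached when the DC simply has no 4740 events in the window.
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }

        foreach ($evt in $hits) {
            # Read the EventData fields by name rather than by position.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated    = $evt.TimeCreated
                LoggedOn       = $dc
                User           = $data['TargetUserName']
                # In 4740 the caller computer name is stored in TargetDomainName.
                CallerComputer = $data['TargetDomainName']
            }
        }
    }
}

# Which machine is locking out which account, most frequent first.
Get-LockoutSource -DomainController 'DC01', 'DC02' |
    Group-Object User, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```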


What other tools do you like to use for account lockouts? Do any of them work better than EventCombMT? Are they free? Let us know in the comments!


