Scroll Top
Evotec Services sp. z o.o., ul. Drozdów 6, Mikołów, 43-190, Poland
+48 502 469 760
contact@evotec.pl

Active Directory – How to track down why and where the user account was locked out

Active Directory – How to track down why and where the user account was locked out
AccountLockout
By Przemyslaw Klys Active Directory PowerShell Windows January 24, 2019

I've been working with Windows Events for a while now. One of the things I did to help me diagnose problems and reporting on Windows Events was to write PSEventViewer to help to parse the logs and write PSWinReporting to help monitor (with use of PSEventViewer) Domain Controllers for events that happen across the domain. It's handy and I, get those excellent daily reports of what happened while I was gone.

PSWinReporting 1.0

While the above image doesn't have the event I want to talk about today it usually contains a detailed overview of what happened each and every day. What I started to get for one of my Clients was a bunch of A user account was locked out.

As you may notice above the Computer Lockout On is empty. And it's empty not because of mistake in my PowerShell Module but because the Event in question doesn't have that value.

To double confirm we can verify that Event Viewer actually shows the same information.

Generally, in such case, relevant information should be in another Event with EventID 4625. But that event only is available on the workstation where the connection was made. In this case, I didn't even have a clue where to look for because no data was available at hand. Enabling more logging on Domain Controllers didn't help either as already all Logon / Logoff Events were enabled. In normal circumstances Computer Lockout would be shown and I wouldn't have to do any verification. For example here's the Event that actually shows Computer Lockout On data.

In ObjectAffected property, you can see a computer that had the lockout on happened. This allows you to track where your users are locking out and potentially help them out with their problem. But in this case, that value doesn't exist and I having your Administrator lockout every few hours isn't right.

Going deep into logs

The reason why Computer Lockout On field being empty is that it only shows if it happens on within Active Directory. If you're using SSO (Single Sign-on) systems or have complicated architecture value may be blank. To try and trace where the issue happens we need to enable NETLOGON logging. We can use following steps to achieve that:

Open command prompt (CMD) as Administrator and execute following commands
Nltest /DBFlag:2080FFFF
net stop netlogon
net start netlogon
Alternatively if you prefer PowerShell version
Nltest /DBFlag:2080FFFF
Restart-Service Netlogon

Now all you have to is wait for %windir%\debug\netlogon.log to start filling up. Simply wait for the Event to happen and review it.

NetLogon.log Content

So we check the log file, correlate that with Event time and we've got a winner.

01/24 11:27:01 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\administrator from  (via EVOTEC-RDS1) Entered
01/24 11:27:01 [LOGON] [4988] EVOTEC: Avoid send to PDC since user administrator failed recently
01/24 11:27:01 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\administrator from  (via EVOTEC-RDS1) Returns 0xC000006A
01/24 11:27:02 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\administrator from  (via EVOTEC-RDS1) Entered
01/24 11:27:02 [LOGON] [4988] EVOTEC: Avoid send to PDC since user administrator failed recently
01/24 11:27:02 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\administrator from  (via EVOTEC-RDS1) Returns 0xC000006A
01/24 11:27:03 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\administrator from  (via EVOTEC-RDS1) Entered
01/24 11:27:03 [LOGON] [4988] EVOTEC: Avoid send to PDC since user administrator failed recently
01/24 11:27:03 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\administrator from  (via EVOTEC-RDS1) Returns 0xC000006A
01/24 11:27:05 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\ADMINISTRATOR from  (via EVOTEC-RDS1) Entered
01/24 11:27:05 [LOGON] [4988] EVOTEC: Avoid send to PDC since user ADMINISTRATOR failed recently
01/24 11:27:05 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\ADMINISTRATOR from  (via EVOTEC-RDS1) Returns 0xC000006A
01/24 11:27:05 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\administrator from  (via EVOTEC-RDS1) Entered
01/24 11:27:05 [LOGON] [4988] EVOTEC: Avoid send to PDC since user administrator failed recently
01/24 11:27:05 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\administrator from  (via EVOTEC-RDS1) Returns 0xC000006A
01/24 11:27:06 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\ADMINISTRATOR from  (via EVOTEC-RDS1) Entered
01/24 11:27:06 [LOGON] [4988] EVOTEC: Avoid send to PDC since user ADMINISTRATOR failed recently
01/24 11:27:06 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\ADMINISTRATOR from  (via EVOTEC-RDS1) Returns 0xC000006A
01/24 11:27:06 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\administrator from  (via EVOTEC-RDS1) Entered
01/24 11:27:06 [LOGON] [4988] EVOTEC: Avoid send to PDC since user administrator failed recently
01/24 11:27:06 [LOGON] [4988] EVOTEC: SamLogon: Transitive Network logon of (null)\administrator from  (via EVOTEC-RDS1) Returns 0xC000006A

As you can see above, there is some information above Administrator account being used on EVOTEC-RDS1. There is also a value 0xC000006A which is a bit cryptic, but when we double check what it means it all makes sense. For reference, I'm attaching table with an explanation for each status code below.

Status and Sub Status Codes Description (not checked against “Failure Reason:”) 
0xC0000064 user name does not exist
0xC000006A user name is correct but the password is wrong
0xC0000234 user is currently locked out
0xC0000072 account is currently disabled
0xC000006F user tried to logon outside his day of week or time of day restrictions
0xC0000070 workstation restriction, or Authentication Policy Silo violation (look for event ID 4820 on domain controller)
0xC0000193 account expiration
0xC0000071 expired password
0xC0000133 clocks between DC and other computer too far out of sync
0xC0000224 user is required to change password at next logon
0xC0000225 evidently a bug in Windows and not a risk
0xc000015b The user has not been granted the requested logon type (aka logon right) at this machine

Now that we know where to look for our EventID 4625 we can find out what's causing the lockouts. A quick look into Event Viewer shows that it's actually coming from outside of the network. Unfortunately, this machine has access to RDP protocol via the Internet and that's why we get those brute-force attacks.

Our investigation is done, we pass this news to the second line to fix the problem of RDS being available on 3389 port and what they do with it, is their problem now.

Disable NetLogon logging

Now that we're done with verification we can disable enhanced logs.

Open command prompt (CMD) as Administrator and execute following commands
Nltest /DBFlag:0x0
net stop netlogon
net start netlogon
Alternatively if you prefer PowerShell version
Nltest /DBFlag:0x0
Restart-Service Netlogon

Przemyslaw Klys / About Author
System Architect with over 14 years of experience in the IT field. Skilled, among others, in Active Directory, Microsoft Exchange and Office 365. Profoundly interested in PowerShell. Software geek.
More posts by Przemyslaw Klys

Related Posts

PSOutlookProfile
Outlook – The primary account cannot be removed unless it is the only account in the profile
Last few months I’m responsible for the migration of Office 365 to Office 365. While doing so, we came into a situation where users have their old mailbox as Primary Account and new Mailbox as their secondary account. This is a quite common scenario that people are running into and something that is expected. Usually, my recommendation is: Please create a new profile for user and topic is closed. It’s also quite easy to achieve this in an automated way where you delete all profiles and Outlook just goes with autodiscovery adding new account as required. That’s how I have always done this till now. My Client has gone thru setting up 1000+ users with their second account in Outlook and deleting a whole profile, recreating would cause lots of downloading of emails from Office 365 that my Client wanted to avoid.
23 Nov 2018
PSWriteHTML creating Email Body
Easy way to send emails using Microsoft Graph API (Office 365) with PowerShell
When you’re using Office 365 and want to send an email, you have two choices SMTP or Microsoft Graph API, which is a “new” kid on the block. For some time, I’ve used Microsoft Graph exclusively to send emails in favor of SMTP as it’s much easier to manage and generally works over HTTPS. If you type in google “Send email graph API PowerShell,” you will get lots of hits as bloggers, and Microsoft has already covered this topic. It’s even more critical than ever because Basic Authentication is deprecated in Office 365. To help out with the transition, Microsoft even released its PowerShell module. With Send-MgUserMail proposed as a way to send emails via Graph API, you will notice it’s far from being easy & user-friendly. Over two years ago, I released a PowerShell module called Mailozaurr (some people may not like my modules’ naming – but that’s how I roll!). In a blog post, Mailozaurr – New mail toolkit (SMTP, IMAP, POP3) with support for oAuth 2.0 and GraphApi for PowerShell, I’ve shown a basic functionality on how to send emails using SMTP OAuth 2.0 or Graph API, which aims to be drag & drop replacement over Send-MailMessage and is supposed to be as simple as possible to send an email with a low effort and high readability. You can also read on sending emails using Graph API by Tony Redmond in his blog post Moving on from Send-MailMessage: Sending Email from PowerShell using the Graph API.
09 Oct 2022
PowerShell Automating Administration
Powershell – Change DNS IP Addresses remotely
0
09 Feb 2016
Write-Color – 2 year Anniversary Edition – v0.3
0
09 Apr 2018
Office 365 – Limiting license to minimum apps required
Office 365 has a lot of options and applications to choose from. Enabling one E1, E3, or any other license gives the user a lot of features, including Exchange, SharePoint, and Teams. But what if you want to make sure that the user can access only Microsoft Teams? By default, you can do it manually during the assignment of the license. Simply choose only Apps you want to assign to a user.
07 Apr 2020
The type initializer for Gdip threw an exception
PowerShell Core – The type initializer for Gdip threw an exception.
22 Sep 2018
Azure AD Connect
Azure AD Connect – Completed-Export-Errors – Permission-Issue
During synchronization of Active Directory with Office 365 via Azure AD Connect I was greeted with a list of accounts that have permission-issue. Error message by itself gives you a slight hint, but it doesn’t tell you exactly where to look.
29 Nov 2018
Instant Replication between Active Directory sites with PowerShell
In Active Directory when you change something, it’s replicated to other Domain Controllers regularly. It’s a standard procedure that happens automatically in the background for you. It’s a handy feature because you can have multiple DC’s all over the world and have your users data in sync. You can change almost anything on DC nearest to you and be sure it will be the same value all over the place. But is it always the same? Well, it should be unless it isn’t. Today I was given a new migration from  Exchange to Office 365. I started with ADConnect installation and wanted to make sure that UserPrincipalNames have all UPNSuffixes in place.
21 Jul 2019
Executing hidden or private functions from PowerShell Modules
When you write PowerShell modules, there’s a high chance you will have conflicts with either existing system commands (you should avoid that) or with someone else’s modules. There are also times when someone wants to use a private function from a module that only exports essential functions. Here’s a couple of ways how to deal with those scenarios.
14 Jul 2019
PowerShell Automating Administration
Microsoft Exchange – Set address book policy based on group membership
0
04 Mar 2016
Duplicate SPNs
Finding duplicate SPN with PowerShell
Duplicate SPNs aren’t very common but can happen in any Active Directory as there’s no built-in way that tracks and prevent duplicate SPN’s. One has to either know all SPN’s in the environment, track them or check each time whether it already exists or not. Things get more complicated with larger Active Directory environments as people change, new apps are added, old apps are forgotten, but SPNs prevail.
07 Dec 2021
Install-Module : A parameter cannot be found that matches parameter name AllowPrerelease.
22 Aug 2018
Get-FileMetadata
Getting file metadata with PowerShell similar to what Windows Explorer provides
I’m working on a new feature for one of my modules that requires me to know what kind of files I am working with. It’s quite easy in PowerShell, and without a lot of code, you can reasonably quickly get necessary information about data stored on your desktop or anywhere else for that matter.
20 Jun 2020
Microsoft Azure
Azure ADConnect Export Failed – Permission-issue error
0
08 Oct 2017
Function cannot be created because function capacity 4096 has been exceeded for this scope
Function cannot be created because function capacity 4096 has been exceeded for this scope
I had a long day today when my long-running script (10 hours) gave me weird errors with Microsoft Graph for Teams. Finally, I solved my mistakes and reran the hand to see if the report would be complete this time. Surprisingly, it gave me an error I’d never seen before. “Function cannot be created because function capacity 4096 has been exceeded for this scope”. The error is at least weird because it’s shown on a production server where I’ve just a handful of PowerShell modules installed, and I’ve never seen it on my development machine where I’ve over 200 modules.
01 Aug 2023