How to troubleshoot a locked account that keeps locking in Active Directory
// October 13th, 2009 // Windows Server 2003, Windows Server 2008
- Log in to a domain controller and download the Account Lockout Tools from Microsoft (http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en)
- Extract the contents to a directory on the server
- Open LockoutStatus.exe
- Select File and choose Select Target
- Type the user name that is locked and hit OK
- All the domain controllers should show up with the user state of the account. The far-right column (Orig Lock) shows which domain controller originated the lock.
- Now choose the domain controller that originated the lock, right-click it and choose Set Netlogon Logging
- Check the box for Misc Debug to enable logon errors to be recorded and click OK (this sets the DBFlag value to 0x4 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters)
- Now right-click the DC that originated the lock and choose Unlock Account. Right-click any DC and choose Refresh All. If any DC still shows the account as locked, right-click that DC and choose Unlock Account.
- Once the account is locked again, right-click the DC that originated the lock and choose Open Netlogon Log
- Scroll to the bottom of the log, look for [LOGON] entries and check the error code at the end of each line. If it is 0xC000006A the account is being submitted with a bad password. That line should also list the IP address or computer name where the bad logon attempt originated.
- If the Netlogon.log file is too big, go to the DC and use nlparse.exe, included in the Account Lockout Tools, to choose which flags you want to parse from a Netlogon.log file and dump to a CSV. The Netlogon.log is located in C:\Windows\Debug\ on a DC. The output from nlparse.exe is written to that same directory as a file called Netlogon.log-Out.csv.
After finding the root cause of the lockout it’s advised to go back in and disable the Misc Debug flag to minimize the amount of logging being done in the Netlogon.log file.
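The same [LOGON] review can be scripted when the log is large or when several sources are submitting the stale credential. The PowerShell below is an added example, not code from the original post or from the Account Lockout Tools: it groups bad-password results by account and source, and reports whether the Misc Debug bit is still set so it can be cleared afterwards. The log lines are constructed to resemble Netlogon.log output (real logs may carry extra fields after [LOGON], such as a thread id, which the regex tolerates); the function names are my own.

```powershell
# Added example (not from the original post). Summarises bad-password [LOGON] entries
# in a Netlogon.log by account and source, so the machine submitting the stale
# credential stands out, and checks whether the Misc Debug flag is still enabled.

# Constructed sample lines resembling Netlogon.log output. On a DC you would read the
# real file instead:  Get-Content C:\Windows\Debug\Netlogon.log
$SampleLog = @'
10/13 09:15:01 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-042 Entered
10/13 09:15:01 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-042 Returns 0xC000006A
10/13 09:15:03 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-042 Returns 0xC000006A
10/13 09:15:07 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from 10.1.2.50 Returns 0xC000006A
10/13 09:15:09 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS-042 Returns 0xC0000234
10/13 09:15:11 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WKS-007 Returns 0x0
'@

# NTSTATUS codes commonly seen at the end of [LOGON] lines.
$StatusNames = @{
    '0x0'        = 'Success'
    '0xC000006A' = 'Wrong password'      # the code the post says to look for
    '0xC0000234' = 'Account locked out'  # returned once the lock is already in place, so
                                         # the true source is in the 0xC000006A lines before it
    '0xC0000064' = 'No such user'
    '0xC000006F' = 'Invalid logon hours'
    '0xC0000072' = 'Account disabled'
}

function Get-NetlogonFailureSummary {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [string] $User,                   # optional: restrict to one account (jdoe or DOMAIN\jdoe)
        [string] $Status = '0xC000006A'   # which result code to summarise
    )
    # Matches "logon of DOMAIN\user from SOURCE ... Returns 0xHHHHHHHH" for any logon type.
    $pattern = '\[LOGON\].*?logon of (?<user>\S+) from (?<source>\S+).*?Returns (?<code>0x[0-9A-Fa-f]+)'
    $Lines |
        ForEach-Object {
            if ($_ -match $pattern) {
                [pscustomobject]@{
                    User   = $Matches['user']
                    Source = $Matches['source']
                    Code   = ('0x{0:X}' -f [uint32]$Matches['code'])   # normalise hex casing
                }
            }
        } |
        Where-Object { ($_.Code -eq $Status) -and ((-not $User) -or ($_.User -like "*$User")) } |
        Group-Object User, Source |
        ForEach-Object {
            [pscustomobject]@{
                User     = $_.Group[0].User
                Source   = $_.Group[0].Source
                Status   = $StatusNames[$Status]
                Attempts = $_.Count
            }
        } |
        Sort-Object Attempts -Descending
}

function Test-NetlogonMiscDebug {
    # Read-only check of the DBFlag value the post describes: is the Misc Debug bit (0x4) set?
    # DBFlag may be stored as REG_SZ ("0x4") or REG_DWORD; [uint32] handles both forms.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $key -Name DBFlag -ErrorAction SilentlyContinue).DBFlag
    if ($null -eq $value) { return $false }
    return (([uint32]$value -band 0x4) -ne 0)
}

# Usage: which sources are submitting a wrong password for jdoe, most frequent first.
Get-NetlogonFailureSummary -Lines ($SampleLog -split "`r?`n") -User 'jdoe' | Format-Table -AutoSize

# Usage: confirm the debug flag has been cleared once the root cause is found.
if (Test-NetlogonMiscDebug) { Write-Warning 'Netlogon Misc Debug (DBFlag 0x4) is still enabled on this DC.' }
```

Run it against the real file on the originating DC by replacing the constructed sample with `Get-Content C:\Windows\Debug\Netlogon.log`. Filtering on 0xC000006A rather than on every failure matters: once the threshold is reached the DC returns 0xC0000234 for further attempts, so the entries that identify the offending host are the wrong-password lines immediately before the lock.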