Wednesday, January 25, 2017

Troubleshooting Windows Server Account Lockouts when the Security Log Fails You

Many times, you may encounter a Windows domain account that rapidly locks out.  You've enabled auditing and used tools to evaluate the security log, and you come up with something like this-

The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: adam1115
Source Workstation:
Error Code: 0xC0000234


Great!  I'll head right over to the blank source workstation and check it out.  One option is to find out which domain controller is locking the account out and enable verbose logging of the Netlogon service.

Open up the command prompt as administrator and run the following-

nltest /dbflag:0x2080ffff

Then once the account locks out again, open the log file as administrator (I do it from the same command prompt)-

notepad c:\windows\debug\netlogon.log 

You will see each logon attempt and which machine is generating them.  To turn off the debugging, type the following-

nltest /dbflag:0x0
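
Rather than reading netlogon.log by eye in Notepad, the failed attempts for one account can be tallied per originating machine. The function below is an added example, not part of the original post; the name Get-NetlogonFailureSource, the assumed log line layout, and the sample lines (CONTOSO, EXCH01, WKS-042) are constructed for illustration. It assumes the "(via ...)" field names the server that relayed the logon to the domain controller, which is what remains to follow when the source field is blank.

```powershell
# Added example. Assumed netlogon.log line shape ([pid] is absent on older servers):
# MM/DD HH:MM:SS [LOGON] [pid] DOM: SamLogon: <type> logon of DOM\user from HOST (via RELAY) Returns 0x...
function Get-NetlogonFailureSource {
    param([Parameter(Mandatory)][string[]]$Line, [Parameter(Mandatory)][string]$Account)
    $rx = [regex]('^(?<when>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?.*?logon of ' +
                  '(?<user>\S+) from (?<src>\S*) (?:\(via (?<via>[^)]+)\) )?Returns (?<status>0x[0-9A-Fa-f]+)')
    $meaning = @{ '0xC000006A' = 'wrong password'
                  '0xC0000064' = 'no such user'
                  '0xC0000234' = 'account locked out' }
    $hits = foreach ($l in $Line) {
        $m = $rx.Match($l)
        if (-not $m.Success) { continue }                     # "Entered" lines and other noise
        $status = $m.Groups['status'].Value
        if ($status -match '^0x0+$') { continue }             # 0x0 is a successful logon
        $user = ($m.Groups['user'].Value -split '\\')[-1]     # drop the DOMAIN\ prefix
        if ($user -ne $Account) { continue }
        $src = $m.Groups['src'].Value
        [pscustomobject]@{
            Source = if ($src) { $src } else { '(blank)' }    # same gap as in the security log
            Via    = $m.Groups['via'].Value                   # relaying server, if recorded
            Status = $status
            When   = $m.Groups['when'].Value
        }
    }
    if (-not $hits) { return }
    $hits | Group-Object Source, Via, Status | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Count   = $_.Count
            Source  = $first.Source
            Via     = $first.Via
            Status  = $first.Status
            Meaning = $meaning[$first.Status]
            First   = $first.When
            Last    = ($_.Group | Select-Object -Last 1).When
        }
    } | Sort-Object Count -Descending
}

# Constructed sample lines (not from a real log).
$sample = @'
01/25 10:14:02 [LOGON] [4256] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\adam1115 from  (via EXCH01) Entered
01/25 10:14:02 [LOGON] [4256] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\adam1115 from  (via EXCH01) Returns 0xC000006A
01/25 10:14:09 [LOGON] [4256] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\adam1115 from  (via EXCH01) Returns 0xC000006A
01/25 10:14:15 [LOGON] [4256] CONTOSO: SamLogon: Network logon of CONTOSO\adam1115 from WKS-042 Returns 0xC0000234
01/25 10:14:20 [LOGON] [4256] CONTOSO: SamLogon: Network logon of CONTOSO\bob from WKS-007 Returns 0x0
'@ -split "`r?`n"
Get-NetlogonFailureSource -Line $sample -Account adam1115 | Format-Table -AutoSize
```

Against the real file, pass -Line (Get-Content C:\windows\debug\netlogon.log) from the same elevated prompt.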


In Exchange, you can check the IIS logs and device statistics-

Get-ActiveSyncDeviceStatistics -Mailbox <Mailbox Name> | ft DeviceType, DeviceUserAgent, LastSuccessSync