AEL not showing locked workstation


9 replies to this topic

#1 maria rojas

maria rojas

    Newbie

  • Members
  • 6 posts

Posted 19 August 2013 - 01:08 PM

Hi,

My user account is getting locked on a daily basis. I installed the AEL but it does not tell me where the invalid logons come from (workstation or DC).

I did an "examine on" my computer but it came out clean.

Do I need a full license to be able to see this info, or how can I tell where my account is getting locked?

Please HELP!!!!

#2 jeffb

jeffb

    Advanced Member

  • Administrators
  • 384 posts
  • Gender:Male

Posted 19 August 2013 - 02:16 PM

Maria,

If the originating workstation and the time are not correct, then that means that we received the invalid logins from the domain controller, but because there was no event created we were not able to fill in these two fields. Typically this is because auditing is not enabled (which is what creates the events). Please see section 4.2 of the following guide on how to configure auditing: http://www.netwrix.c...rator_Guide.pdf

Once that is enabled you should be able to test this by purposely causing an invalid login and then finding the corresponding event on the DC that was used for the authentication.

#3 maria rojas

Posted 19 August 2013 - 07:01 PM

Maria,

If the originating workstation and the time are not correct, then that means that we received the invalid logins from the domain controller, but because there was no event created we were not able to fill in these two fields. Typically this is because auditing is not enabled (which is what creates the events). Please see section 4.2 of the following guide on how to configure auditing: http://www.netwrix.c...rator_Guide.pdf

Once that is enabled you should be able to test this by purposely causing an invalid login and then finding the corresponding event on the DC that was used for the authentication.



#4 maria rojas

Posted 19 August 2013 - 07:03 PM

Hi,

Thanks for the response.

It doesn't show any information at all, just states that it's Locked.

I'm trying to get confirmation if the logs are enabled, but apparently they are.

Could there be any other reason?


Regards,

#5 jeffb

Posted 19 August 2013 - 07:32 PM

Maria,

To my knowledge this is the only reason:

"Once that is enabled you should be able to test this by purposely causing an invalid login and then finding the corresponding event on the DC that was used for the authentication."

Please see if you can find invalid login events to be 100% positive this auditing is enabled and working correctly.
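The check suggested in the posts above (finding the lockout event on the DCs) can be scripted. This is an added example, not part of the original thread and not Netwrix code; it assumes Windows Server 2008 or later domain controllers (where a lockout is logged as Security event 4740), the ActiveDirectory PowerShell module, and rights to read the DC Security logs. `jdoe` is a placeholder account name.

```powershell
# Added example (not from the thread): list lockout events (ID 4740) for one
# account across all domain controllers and show the computer that caused them.
param(
    [string]$UserName = 'jdoe',   # placeholder; pass the locked account's sAMAccountName
    [int]$HoursBack = 24
)

Import-Module ActiveDirectory

$filter = @{
    LogName   = 'Security'
    Id        = 4740              # "A user account was locked out"
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent throws when no events match; this also covers unreachable DCs.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Read the named EventData fields instead of relying on property order.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        if ($data['TargetUserName'] -ne $UserName) { continue }

        [pscustomobject]@{
            Time             = $e.TimeCreated
            DomainController = $dc.HostName
            Account          = $data['TargetUserName']
            CallerComputer   = $data['TargetDomainName']  # in 4740 this field holds the source computer
        }
    }
}

# If every DC reports no matching events after a deliberate lockout, check on a DC
# whether the subcategory that produces 4740 is audited:
#   auditpol /get /subcategory:"User Account Management"
```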

#6 maria rojas

Posted 22 August 2013 - 02:39 PM

Hi,

Finally we could confirm that audit is enabled.

However I still can't see any information about the locked account when I manually add it to the interface.

Today I noticed that one account showed automatically and it did show me the information.

Have you had any similar cases? Could it be something with AD?

I am really trying to know why these users are getting locked on a daily basis but I can't find anything.

Thanks

#7 jeffb

Posted 22 August 2013 - 02:42 PM

Maria,

"However I still can't see any information about the locked account when I manually add it to the interface."

This makes sense actually, because simply adding an account to the GUI doesn't prove that the product was not notified that this lockout happened. If the domain controller that is being authenticated against by this user account is one of the domain controllers added in the bottom of the application and its status is okay, then all users that authenticate against that domain controller with a failed authentication will automatically show in the GUI.

#8 maria rojas

Posted 22 August 2013 - 06:26 PM

We added all DCs and got the same results. I even tried forcing a lockout with a user account that is working fine and no luck.

I don't know if I'm doing something wrong.

Thanks again for your help

#9 jeffb

Posted 22 August 2013 - 06:50 PM

A couple more things we can try. I assume when you added all DCs, the status came back as okay, right?

Step 1. Apply registry values
(1) Run regedit,
(2) Go to HKLM\Software\[Wow6432Node]\NetWrix\Account Lockout Examiner (Wow6432Node only for x64 OS)
(3) Set Readlog to 0,
(4) Create DWORD UseWatcher with value of 1
(5) Restart Netwrix Account Lockout Examiner Service

Step 2. If this does not help, install the latest version:
Console http://www.netwrix.c...3/ale_setup.msi
Web-portal http://www.netwrix.c...e_web_setup.msi

#10 maria rojas

Posted 23 August 2013 - 12:49 PM

No Luck :(
