3 replies to this topic

[Link]

I have 1 user whose account is constantly locked out. Logs on domain controller and Netwrix Account Lockout Examiner shows that user is locked from workstation user1-nbc (the actual name is different).

When I look at user1-nbc into security log I see event 4625 taking place. When I read through this event I see that process name that locked account is svchost.exe and PID is 0x914, which in decimal format is 2324. In task manager I see that PID 2324 is svchos.exe which leads to service User Manager.

 

Logs on user1-nbc are configured as per article https://kb.netwrix.com/1199command auditpol /get /category:* confirm that correct logs are enabled.

 

When in Netwrix Account Lockout Examiner I click on user1 and click on Examine - I receive information about last logon attempts but the Lockout Examiner does not try to discover which program actually is sending wrong credentials.

 

Netwrix Account Lockout Examiner shows a few scheduled tasks for user1. I disabled them, but the problem persist.

 

How do I discover - which program is sending wrong credentials from user1-nbc? Why Netwrix Account Lockout Examiner doesn't try to discover which specific process is sending wrong credentials?

 

Also, may be I am wrong, but I noticed that event 4625 is taking place not when some program send wrong credentials, but when the user1 account is already locked out and he try to unlock his workstation from console.

[Kirill K]

Hi there,

 

Q: How do I discover - which program is sending wrong credentials from user1-nbc?

A: It might help to use Process Monitor and filter applications by who:

https://docs.microso...wnloads/procmon

 

Q: Why Netwrix Account Lockout Examiner doesn't try to discover which specific process is sending wrong credentials?

A: Probably there is a problem in your environment since in my lab it works well.

 

Q: Also, may be I am wrong, but I noticed that event 4625 is taking place not when some program send wrong credentials, but when the user1 account is already locked out and he try to unlock his workstation from console.

A: That's correct.

[Link]

Thank you for reply.

 

I will try to test Netwrix Account Lockout Examiner in a test lab and see if it try to to find specific process, which is sending wrong credentials. But how does it do it if there is no info about bad process in Event Viewer?

[Link]

Trying to filter events in Process Monitor by my username returns 75000 events. Much better results I get if I just go to Task Manager>details and arrange processes by username. Still nothing for me. The problem is on laptop of top manger. He will not wait while I play with processes for hours. The only way to resolve this problem for me is to make physical to virtual conversion and deploy user1-nbc on virtual machine in test lab together with domain controller and then try to disable services 1 by 1 and see when account will stop locking.

 

But is there some other more sophisticated way to resolve this? Event 4625 is useless, since it occur when account is already locked. But how Netwrix Account Lockout Examiner try to determine which specific process is sending wrong credentials? If Event viewer is useless - how does it do it?