Jump to content


Photo

Account locked out everytime and workstation is blank

account lockout

  • Please log in to reply
6 replies to this topic

#1 brianyan01

brianyan01

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 12 June 2015 - 04:44 PM

Hi I downloaded the free version of Netwrix account lockout examiner in order to troubleshoot few users account that are always locked out. I tried to look for the workstation but the workstation gave me that blank answer. Is there anyone can help me to show which machine caused the user account locked out? I meant enabled the feature on the software.

Thank you,

Brian



#2 jeffb

jeffb

    Advanced Member

  • Administrators
  • PipPipPip
  • 381 posts
  • Gender:Male

Posted 12 June 2015 - 04:47 PM

Brian,

 

Account lockout examiner gets the workstation from the 4740 event ID on the domain controller which processed the lockout ( If we show workstation as blank then that means that the event ID has a blank workstation.  However if you pull up that event on the DC then it may have an IP address associated with the device.  If I had to guess it is a non microsoft windows device and that is why windows doesn't have a workstation name.

 

-Jeff



#3 brianyan01

brianyan01

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 12 June 2015 - 04:49 PM

I tried to look for the mobile device also.

The user said that she doesn't have any company issued mobile device.

The event log doesn't show any logout event from her account.

Is there a way I can trace from the software to figure out what caused the issue?

BY



#4 dsmirnov

dsmirnov

    Advanced Member

  • Root Admin
  • PipPipPip
  • 58 posts
  • Gender:Male

Posted 14 July 2015 - 06:21 PM

Brian,

 

The software gets data based on the actual security log of DCs. If there is no data there, it cannot automatically find the source.

You can of course point it to specific machine manually to examine it, as you most likely did with the user`s workstation, but if no data present in logs this can only be done manually.

 

As mentioned you can check if there 4740 events on your DC related to the account has some information inside.

Also you can try searching authentication events like 4771 or 4776 related to the account.



#5 BHB3805

BHB3805

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 13 January 2016 - 10:21 PM

I have a similar problem, Both the domain controller and workstation are blank.



#6 DavidM

DavidM

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 28 January 2016 - 02:34 PM

It can be different things. Check if the user has a device logged on to a wireless network ( check logs on radius server). Old devices that they use at home with WIFI are another. 



#7 JCIT15

JCIT15

    Newbie

  • Members
  • Pip
  • 9 posts

Posted 18 January 2018 - 05:56 PM

I have a similar problem, Both the domain controller and workstation are blank.

 

I'm currently having this same issue. IT shows the Bad Pwd Count and Status fine... but Workstation and Domain Controller are blank.

 

Another AD Audit tool (trial) I'm using shows the Caller Computer Name (workstation) and Domain Controller just fine.







Also tagged with one or more of these keywords: account lockout

0 user(s) are reading this topic

0 members, guests, anonymous users