The most common cause of phantom lockouts is a hung remote session somewhere. In the events you will see the IP address of the system that caused the lockout event to happen. You need to identify the system and the time in order to narrow down whether or not it is a specific application or something like an orphaned remote session (i.e. I would suggest a tool like MOM or EventComb that can aggregate Security Event logs across your domain controllers. You are looking for the Account Lockout events (529, 644, 675, 676, and 681) and once you pull all of those events into a single view you can search for all events (or filter to begin with) that pertain to that specific user. This is more of an AD problem to solve than it is an ILM problem.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |