Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Best method of finding out why a Users AD account keeps getting locked out

AaronMoorcroft
Communicator
‎07-18-2017 01:22 AM

Hi Guys,

We get a number of tickets for users accounts being locked out over and over again, I was wondering if anyone had any quick wins on how they find out the cause of this ?

I have been using - 

index=main sourcetype="*wineventlog:security" "usersADaccount" ("EventCode=4776" AND Keywords="Audit Failure") OR ("EventCode=680" AND "Failure Audit") NOT (Logon_Account="*$" OR Logon_account="*$")  | eval "User Account" = coalesce(Logon_Account,Logon_account)

This brings back the locked out events but I cant really see why its happening from this.

0 Karma
Reply

adonio
Ultra Champion
‎07-18-2017 04:38 AM

hello there,
not a full answer but from what i have seen in the past, many times the reason is many failed login attempts. windows logs it in event code 4625.
read here more:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4625
create a search that correlates the locked accounts with failed logins, maybe this is the reason
i wonder maybe your AD admin can help you as well to find root cause
hope it helps

Reply

AaronMoorcroft
Communicator
‎07-18-2017 07:51 AM

thank you, ill continue to plug away 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...