Hi All,
Just started a new role and have not been introduced to Splunk in any previous jobs, so this is completely new to me.
We have a user that is constantly getting account lockout issues.
All our Domain Controller security logs etc. are extracted into Splunk every fifteen minutes. I am attempting to complete a search from the Splunk Enterprise "New Search" field, but I can only extract the below information, which tells me the user, source, and host and that the user has an Audit Failure.
Please could someone point me to how I would go about extracting the information of what machine the user is getting the account lock from. I see quite a few messages on the internet, but they never say where the actual message should be input. Is it directly into the New Search field?
Any help would be very much appreciated.
The data comes from either the AD server or the Windows servers by way of the Universal Forwarder; that's the source of the event logs.
You have data coming in from the AD server where a UF is installed, and that's how the logs are collected. The logs are configured by your AD admin; sometimes they need to enable further logging for advanced events.
Try these first and see if they exist, as they may give you the further info you need. If they don't, then it might be worth having a chat with your AD admin to find the exact event ID/log information you need.
Event ID 4771 - Kerberos pre-authentication failed.
Event ID 644 - User account locked out.
Event ID 4625 - An account failed to log on.
Hi Deepakc,
Thank you so much for your kind and prompt reply. It's more than appreciated.
Splunk has been set up to extract the logs and get all the needed information from AD event logs, including event ID, User ID, etc., in order to troubleshoot any problems in ADDC such as user account lockouts.
The image from my previous question is from a search of the user's ID, and in this case it pulled EventCode 4776, basically saying the account is locked out?
The question is how do I investigate to get to the root cause and find out what is locking the account out.
If you are able to help that would be of great significance as I would like to get the user up and running on Monday without any further problems.
Regards.
If it's not in the event data it's difficult to say what the root cause is. Splunk only reports what's in the logs, not the root cause, but that could be elsewhere in some log. That said, it's normally mistyped passwords, bad passwords, etc.
Check the Group Policy settings related to account lockout policies, password policies, and Kerberos policies with the AD admin. Ensure that these policies are configured correctly and not excessively restrictive. What about some malware or unauthorized access that's causing it? So it could be a number of things.
It might be worth speaking to the user and asking them to show you what they are doing, so you can see and spot any obvious mistakes they may be making. I have also experienced in the past that odd keyboard keys/characters/locale settings being used could also be the cause.
Hi Deepakc,
In the details of the search in Splunk I can see that there is a logon account, which I search on, and also a Source Workstation (at least 3 different ones) with EventCode=4776, and 3 different hosts, which are the Domain Controllers of the domain.
I assume the hosts are where the user is attempting to validate credentials. Does this mean that the user is attempting to validate from different workstations and the validation will go to the nearest DC in the domain?
So I assume the source workstation is where the user is attempting to login from?
Regards.
This is actually a question to your Windows/AD gurus. Splunk is "just" a data processing platform. Splunk can gather data from external sources, search it, analyze, aggregate, visualize and so on but interpretation of the data and Splunk search results is up to you. You must know what the data you push into Splunk is about.
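As an added illustration (not from this thread and not Splunk's own code), the triage the replies above describe: keep only the event IDs listed earlier (4771, 4625, 4776) for one account, skip successful validations, and count the failures by the machine the attempt came from and the DC (`host`) that logged it, which is the host versus Source Workstation distinction asked about. The flattened event layout, the sample lines and the per-event-ID field layout are constructed assumptions for this example.

```python
import re
from collections import Counter, defaultdict
# Constructed sample lines (flattened "field=value ... Field: value" form) standing in for the
# WinEventLog:Security events a Universal Forwarder ships from each DC. host = the DC that logged
# it; Source Workstation / Client Address / Workstation Name = the machine the attempt came from.
SAMPLE_EVENTS = """\
host=DC01 EventCode=4776 Logon Account: jdoe Source Workstation: LAPTOP-17 Error Code: 0xC000006A
host=DC02 EventCode=4776 Logon Account: jdoe Source Workstation: LAPTOP-17 Error Code: 0xC000006A
host=DC01 EventCode=4776 Logon Account: jdoe Source Workstation: WS-FINANCE-03 Error Code: 0xC000006A
host=DC03 EventCode=4771 Account Name: jdoe Client Address: ::ffff:10.20.30.44 Failure Code: 0x18
host=DC01 EventCode=4776 Logon Account: jdoe Source Workstation: LAPTOP-17 Error Code: 0x0
host=DC02 EventCode=4625 Account Name: asmith Workstation Name: WS-HR-01 Status: 0xC000006D
"""

HEADER = re.compile(r"host=(?P<dc>\S+) EventCode=(?P<event_id>\d+) (?P<body>.*)")
# Field layout per event ID: which named fields carry the account, the origin and the status.
BODY = {
    "4776": re.compile(r"Logon Account: (?P<account>\S+) Source Workstation: (?P<origin>\S+) Error Code: (?P<status>\S+)"),
    "4771": re.compile(r"Account Name: (?P<account>\S+) Client Address: (?P<origin>\S+) Failure Code: (?P<status>\S+)"),
    "4625": re.compile(r"Account Name: (?P<account>\S+) Workstation Name: (?P<origin>\S+) Status: (?P<status>\S+)"),
}

def parse_event(line):
    """Parse one of the three lockout-related event IDs; return None for anything else."""
    head = HEADER.match(line)
    body = BODY[head["event_id"]].search(head["body"]) if head and head["event_id"] in BODY else None
    if not body:
        return None
    return {"dc": head["dc"], "event_id": head["event_id"], "account": body["account"],
            "origin": body["origin"], "status": body["status"].lower()}

def failed_attempts(events_text, account):
    """Count failures for one account by (event ID, origin) and note which DCs saw each origin.
    A 4776 with Error Code 0x0 is a successful validation; 4771 and 4625 only occur on failure."""
    counts, dcs = Counter(), defaultdict(set)
    for line in events_text.splitlines():
        ev = parse_event(line)
        if not ev or ev["account"].lower() != account.lower():
            continue
        if ev["event_id"] == "4776" and ev["status"] == "0x0":
            continue
        counts[(ev["event_id"], ev["origin"])] += 1
        dcs[ev["origin"]].add(ev["dc"])
    return counts, dict(dcs)

def likely_origin(events_text, account):
    """The origin with the most failed attempts: the first machine to examine."""
    counts, _ = failed_attempts(events_text, account)
    return max(counts.items(), key=lambda kv: kv[1])[0][1] if counts else None
```

Note that 4771 records only the client address, so mapping it to a hostname is a separate lookup step.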
Hi Deepakc,
The user is definitely not typing the wrong password. What happens is that his account gets locked out when he is actually logging in after he has been off his machine to get a cup of tea or something similar.
When you say "if it's not in the event data", what do you mean by that? Where would I see event data?
I hope the above helps.
Regards.
Hi @czql5v
So, what I mean by "it may be elsewhere" is, say for example, a software engineer develops an authentication application; they may well log data in the log files to show why the user's login is failing alongside other events.
Now, Microsoft log a lot of events, and do they actually log why? Yes, for some. For example, event ID 4625 is a bad password, and we know that, and we can look for that.
As you said it's not a bad password, so this is really a Microsoft-related issue, it's not Splunk. Splunk is designed to ingest log files, as you have done via AD, and we search those logs to find information, but if that data, event ID or information is not in the log file then we can't search for it.
Maybe look at some of the Microsoft forums and post a question there; they may be able to help debug the issue or even tell you what event ID there is for this issue, if there is such an event ID.