
I have a rather frustrating issue involving a single user in Active Directory whose failed logon count on the PDC jumps up to 5 every 10 minutes or so and gets locked out.

Now the "mystery" part is that I cannot find any Audit Failure log entries on the DC (all advanced audit policies are enabled).

I have been using the Microsoft Account Lockout tool to try to pinpoint where the issue is occurring; the bad password attempts are all occurring on the single, primary Domain Controller.

I am losing my mind at this point. Any tips/pointers greatly appreciated.

Cheers!

gm777
  • To clarify, you have all entries set to log Failures on the DC? (Not enough rep to comment) – Ijustpressbuttons Nov 10 '15 at 00:33
  • Hi there, yes, they are all set to log failures. I can see failed attempts for other accounts, just not this one! – gm777 Nov 10 '15 at 01:10
  • @Ijustpressbuttons FYI the reputation system is there for a reason, please don't post an answer until you have one. Before long, you will have enough rep to post comments. – EEAA Nov 10 '15 at 01:26
  • Powershell article for searching PDC security event logs once logging is enabled. . . http://www.tomsitpro.com/articles/powershell-active-directory-lockouts,2-848.html and another too perhaps. . . http://mikefrobbins.com/2013/11/29/powershell-script-to-determine-what-device-is-locking-out-an-active-directory-user-account/ – Pimp Juice IT Nov 10 '15 at 03:58

1 Answer

Check the audit policy subcategory setting. You should also use regedit and gpedit.msc to confirm the actual setting on the domain controller(s), in addition to GPMC.

Windows Settings > Security Settings > Local Policy > Security Options:

"Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing group policy may override the subcategory settings of new machines as they are joined to the domain or upgraded to Windows Vista or later versions. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.

If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set.

Default: Enabled"

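As an added example (not part of Greg Askew's answer), a PowerShell check to run in an elevated session on the domain controller: it reads the SCENoApplyLegacyAuditPolicy registry value, dumps the audit policy as LSA actually applies it with auditpol, and searches the Security log for the usual authentication-failure and lockout events for the affected account. The account name is a placeholder.

```powershell
# Added example, not from the original answer. Run elevated on the PDC emulator.
$User = 'jdoe'   # placeholder for the account that keeps locking out

# 1. Is SCENoApplyLegacyAuditPolicy set?
#    1 = subcategory settings win over category-level policy;
#    missing or 0 = a legacy category-level policy can still override them.
$lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
$flag = $lsa.SCENoApplyLegacyAuditPolicy
if ($null -eq $flag) { $flag = '(not set)' }
"SCENoApplyLegacyAuditPolicy = $flag"

# 2. Effective audit settings on this host (what GPMC shows may differ).
#    Only the subcategories relevant to failed logons are printed.
auditpol /get /category:* |
    Select-String -Pattern '^\s+(Logon|Kerberos Authentication Service|Credential Validation|User Account Management)\s'

# 3. Failure and lockout events for the account in the last hour.
#    4625 = logon failure, 4740 = account locked out,
#    4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation.
$ids   = 4625, 4740, 4771, 4776
$since = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($User) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If step 2 shows "No Auditing" for Logon, Kerberos Authentication Service or Credential Validation while GPMC claims failures are audited, the category-level policy is overriding the subcategories, which is exactly the condition the answer describes.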

Greg Askew