
Account Passwords and Policies

Microsoft Windows NT Server 4.0, Windows 2000, Windows XP, and the Windows Server 2003 Family

Ramesh Chinta, Program Manager, Microsoft Corporation
Mike Danseglio, Technical Writer, Microsoft Corporation
Mike Resnick, Technical Lead, Microsoft Corporation

Acknowledgements
Vincent Abella, Technical Editor, Microsoft Corporation
Jen Bayer, Technical Writer, Microsoft Corporation
Emily Moon, Technical Editor, S&T OnSite
Joseph Vasil, Support Engineer, Microsoft Corporation
Introduction
Password and account lockout settings are designed to protect accounts and data in your organization by mitigating the threat of brute force guessing of account passwords. Settings in the Account Lockout and Password Policy nodes of the Default Domain policy settings enable account lockout and control how account lockout operates. This white paper describes how these settings affect account lockout and makes some general recommendations for configuring and troubleshooting account lockout issues.

Account Lockout and Password Concepts
Passwords are an important step in a security plan for your network. Users may see passwords as a nuisance; however, the security of your enterprise relies on a combination of password length, password uniqueness, and password lifespan. These three items help defend against dictionary attacks and brute force attacks. A dictionary attack occurs when a malicious user tries known words that are in the dictionary and a number of common password names to try and guess a password. A brute force attack occurs when a malicious user tries all of the possible permutations until one is successful.

Because most users prefer passwords that they can easily remember, dictionary attacks are often an effective method for a malicious user to find a password in significantly less time than they would with brute force attacks. Therefore, the strength of a password depends on how many characters are in the password, how well the password is protected from being revealed by the owner, how well the password is protected if it is intercepted by a malicious user on the network, and how difficult the password is to guess. Even good passwords that are protected by cryptography on the network and that are not subject to dictionary attacks can be discovered by brute force in a few weeks or months by a malicious user who intercepts the password on the network.

Currently, several attack methods are based on guessing weak passwords by using dictionary and brute force attacks. For a few simple ways to help prevent these attacks, see "Protecting from External Lockout Denial of Service Attacks" in this document for ports to block and registry values that you can set to help prevent such attacks.

Frequently, a malicious user will guess a number of passwords during a password-based attack. To help prevent the attacks from being successful, you can configure account lockout settings. The result of this configuration is that the associated account is temporarily disabled after a specified number of incorrect passwords are tried. This helps to prevent a successful attack by preventing the account from being used. However, a legitimate user cannot use that account until it is unlocked. This paper discusses the balance between the benefits and risks of account lockout.
Understanding Password Complexity
A complex password that is enforced by the operating system is one of the most effective methods that you can use to deter the opportunity for a successful attack. When you configure both an expiration time and a minimum length for a password, you decrease the time in which a successful attack could occur. For example, when you enforce password complexity with a password length of 6 and set the password to expire in 60 days, a user can choose from a permutation of:
26 lowercase characters
26 uppercase characters
32 special characters
10 numbers
This means that:
26 + 26 + 32 + 10 = 94 possible characters in a password
Password length policy = 6
94^6 = 689,869,781,056 unique password permutations
With a 60-day password expiration time, the malicious user would have to make 133,076 password attempts every second to attempt all of the possible passwords during that password's limited lifetime. If it takes only 50 percent of the permutations to guess the password, a malicious user would have to attempt to log on to the computer about 66,538 (133,076 * .50) times every second to discover the password before it expires.

To decrease the chances that a malicious user has to discover the password, you can use a password length of 7. When you set the minimum password length to 7, the possible password permutations exceed 64 trillion (94^7 = 64,847,759,419,264). When you compare the calculations above that have a password length of 6 to the calculations below that have a password length of 7, you will notice that the malicious user would have to log on to the computer about 6,254,606 times for each second that the password is valid in the 60-day expiration time that you set.
The following list describes how increasing password length deters both dictionary and brute force attacks. Note that the examples that are in this list assume that you have applied a policy that requires users to create complex passwords. When you do this, there are 94 possible characters from which the users can choose their password.
6 characters: 94^6 = 689,869,781,056
7 characters: 94^7 = 64,847,759,419,264
8 characters: 94^8 = 6,095,689,385,410,816
9 characters: 94^9 = 572,994,802,228,616,704
10 characters: 94^10 = 53,861,511,409,489,970,176
Note A few of these password possibilities are not valid. By default, users cannot choose any part of their user name for their password and they cannot use all of the same characters as a password. Because of this, these password possibilities must be deducted from the total number of possible passwords that are listed above. Because there are very few passwords that apply to these exceptions and because the number of passwords that do apply to these exceptions can vary (based on the number of letters that are in the user's logon name), this document does not account for these exceptions.
These statistics explain how difficult it is for a malicious user to discover a password when you require the users in your network to use a complex password. Because of this, Microsoft recommends that you enforce a complex password policy that requires users to choose passwords with a specific number of characters for the security needs of your organization. The "Password Policies Settings" section in this document describes the complex password policies and settings for Microsoft Windows NT Server 4.0, the Windows 2000 family, and the Windows Server 2003 family of operating systems.

Microsoft recommends that you use the account lockout feature to help deter malicious users and some types of automated attacks from discovering user passwords. The following section provides more information about how you can use the account lockout feature.
Authentication
Authentication is the process of validating a user name and password on a domain controller for:
The initial logon to either a workstation or domain that uses the CTRL+ALT+DELETE secure logon sequence.
An attempt to unlock a locked workstation by using the CTRL+ALT+DELETE secure logon sequence.
An attempt to type a password for a password-protected screen saver.
A user, script, program, or service that attempts to connect to a network resource by using either a mapped drive or a Universal Naming Convention (UNC) path.
Note An account that is locked out may still be able to gain access to some resources if the user has a valid Kerberos ticket to the resource. The ability to access the resource ends when the Kerberos ticket expires. However, neither a user who is locked out nor a computer account can renew the ticket. Kerberos cannot grant a new ticket to the resource because the account is locked out.

There are two primary authentication protocols used by Windows: NTLM and Kerberos. This paper assumes you are familiar with these authentication protocols and does not focus on authentication details. Instead, the focus is placed on how authentication plays a role in account lockout. For more information on authentication protocols, see online help in Windows XP and the Windows Server 2003 family.
How Domain Controllers Verify Passwords
To illustrate the authentication process, the following diagram describes the steps that occur when a logon attempt does not work.
Figure 1 Process for a Failed Logon Attempt
1. The client computer presents the user logon information to a domain controller. This includes the user's account name and a cryptographic hash of their password. This information can be sent to any domain controller and is typically sent to the domain controller that is identified as the closest domain controller to the client computer.
2. When a domain controller detects that an authentication attempt did not work and a condition of STATUS_WRONG_PASSWORD, STATUS_PASSWORD_EXPIRED, STATUS_PASSWORD_MUST_CHANGE, or STATUS_ACCOUNT_LOCKED_OUT is returned, the domain controller forwards the authentication attempt to the primary domain controller (PDC) emulator operations master. Essentially, the domain controller queries the PDC to authoritatively determine if the password is current. The domain controller queries the PDC for this information because the domain controller may not have the most current password for the user but, by design, the PDC emulator operations master always has the most current password.
3. The authentication request is retried by the PDC emulator operations master to verify that the password is correct. If the PDC emulator operations master rejects the bad password, the PDC emulator operations master increments the BadPwdCount attribute for that user object. The PDC is the authority on the user's password validity.
4. The failed logon result information is sent by the PDC emulator operations master to the authenticating domain controller.
5. The authenticating domain controller also increments its copy of the BadPwdCount attribute for the user object.
6. The authenticating domain controller then sends a response to the client computer that notifies the domain controller that the logon attempt did not work.
As long as that user, program, or service continues to send incorrect credentials to the authenticating domain controller, logon attempts that failed because of an incorrect password continue to be forwarded to the PDC until the threshold value for incorrect logon attempts is reached (if you set it in a policy). When this occurs, the account is locked out.
For more information, see "How the Bad Password Count Is Incremented in Windows NT" in the Microsoft Knowledge Base: http://support.microsoft.com/?id=219898.
New Features in the Windows Server 2003 Family
In the Windows Server 2003 family of operating systems, Microsoft has improved the function of the Account Lockout feature on both servers and client computers.

Computers Running Windows Server 2003 That Act As Network Servers
To improve the experience for users and to decrease the overall total cost of ownership, Microsoft made the following changes to the behavior of domain controllers in the Windows Server 2003 family:
Password history check (N-2): Before a Windows Server 2003 operating system increments BadPwdCount, it checks the invalid password against the password history. If the password is the same as one of the last two entries that are in the password history, BadPwdCount is not incremented for both NTLM and the Kerberos protocol. This change to domain controllers should reduce the number of lockouts that occur because of user error.
Single user object (on demand) replication: See the "Urgent Replication" section in this document for more information.
Optimized replication frequency: The default frequency for replication between sites is to replicate every 3 hours. This optimization improves the replication of a password change in a site because it decreases the chances that the domain controller would have to contact the PDC operations master.
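The forwarding flow of steps 1 to 6 in the previous section and the Windows Server 2003 N-2 history check above, as an added Python model that is not Microsoft's code and not part of the white paper: a non-authoritative DC forwards every rejected attempt to a PDC emulator that owns BadPwdCount, the PDC skips the increment when the attempt matches one of the last two retired passwords, and the account locks once LockoutThreshold is reached inside ObservationWindow. The account name, passwords, hash function and timings are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


def pw_hash(password: str) -> str:
    # Stand-in for the credential hash the client sends (constructed choice,
    # not the NTLM or Kerberos derivation).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class LockoutPolicy:
    lockout_threshold: int = 10          # bad attempts before lockout; 0 disables lockout
    observation_window: float = 30 * 60  # seconds; BadPwdCount restarts after this
    lockout_duration: float = 30 * 60    # seconds; 0 means an administrator must unlock
    history_check_n2: bool = True        # Windows Server 2003 N-2 behaviour


@dataclass
class UserAccount:
    current_hash: str
    history: List[str]                   # retired password hashes, newest first
    bad_pwd_count: int = 0
    window_start: float = 0.0
    locked_out: bool = False
    lockout_time: float = 0.0


class PdcEmulator:
    """Authoritative on password validity; owns the BadPwdCount increment (step 3)."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, UserAccount] = {}

    def check(self, name: str, attempt_hash: str, now: float) -> str:
        acct, pol = self.accounts[name], self.policy
        if acct.locked_out and pol.lockout_duration and now - acct.lockout_time >= pol.lockout_duration:
            acct.locked_out, acct.bad_pwd_count = False, 0   # lockout duration has expired
        if acct.locked_out:
            return "STATUS_ACCOUNT_LOCKED_OUT"
        if attempt_hash == acct.current_hash:
            acct.bad_pwd_count = 0
            return "STATUS_SUCCESS"
        # N-2 check: one of the two most recently retired passwords is not counted
        if pol.history_check_n2 and attempt_hash in acct.history[:2]:
            return "STATUS_WRONG_PASSWORD"
        if acct.bad_pwd_count == 0 or now - acct.window_start > pol.observation_window:
            acct.bad_pwd_count, acct.window_start = 0, now   # start a new observation window
        acct.bad_pwd_count += 1
        if pol.lockout_threshold and acct.bad_pwd_count >= pol.lockout_threshold:
            acct.locked_out, acct.lockout_time = True, now
            return "STATUS_ACCOUNT_LOCKED_OUT"
        return "STATUS_WRONG_PASSWORD"


class DomainController:
    """Closest DC to the client: forwards each attempt to the PDC (step 2) and
    mirrors the resulting BadPwdCount in its own copy (step 5)."""

    def __init__(self, pdc: PdcEmulator):
        self.pdc = pdc
        self.bad_pwd_count: Dict[str, int] = {}

    def logon(self, name: str, password: str, now: float) -> str:
        status = self.pdc.check(name, pw_hash(password), now)
        self.bad_pwd_count[name] = self.pdc.accounts[name].bad_pwd_count
        return status


def run_scenario(history_check_n2: bool = True) -> List[str]:
    """Constructed scenario: a stale service retries the previous (N-1) password
    12 times, then an automated guesser sends 12 wrong passwords, then the real
    user logs on at once and again after the 30-minute lockout duration."""
    pdc = PdcEmulator(LockoutPolicy(history_check_n2=history_check_n2))
    pdc.accounts["alice"] = UserAccount(
        pw_hash("Spring!2003"),
        [pw_hash("Winter!2003"), pw_hash("Autumn!2002"), pw_hash("Summer!2002")])
    dc = DomainController(pdc)
    out = [dc.logon("alice", "Winter!2003", now=float(i)) for i in range(12)]
    out += [dc.logon("alice", f"guess{i}", now=100.0 + i) for i in range(12)]
    out.append(dc.logon("alice", "Spring!2003", now=200.0))
    out.append(dc.logon("alice", "Spring!2003", now=200.0 + 30 * 60))
    return out


if __name__ == "__main__":
    for n2 in (True, False):
        print("N-2 check", "on " if n2 else "off", run_scenario(n2))
```

With the N-2 check on, the stale service never raises BadPwdCount and only the guesser's tenth attempt locks the account; with it off, the stale service alone locks the account on its tenth retry, which is the user-error lockout the paper says the change is meant to reduce.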
Computers Running Windows Server 2003 Family Acting As Network Clients
Microsoft has added the following features in the Windows Server 2003 family to gather the process ID that is using the credentials that fail authentication:
Auditing logon changes: There are entries for all logon and logoff events (528 and 540, as well as 529 through 539).
Auditing of processes encountering authentication failures: New information is added to the Security event log when authentication failures occur:
Caller User Name
Caller Domain
Caller Logon ID
Caller Process ID
Note To use the process ID, turn on success auditing for Audit process tracking events so that you can obtain the process identifier (PID) for the associated Event 592. If you do not do this, the PID is not useful after the process stops. To view audit process tracking, in the Group Policy Microsoft Management Console (MMC), in the console tree, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.

Microsoft has added the following administrative enhancements to provide more account lockout information than the information that is available in the default configuration of the Windows Server 2003 family:
AcctInfo.dll: The AcctInfo.dll file is a property page extension for user objects in the Active Directory Users and Computers MMC that provides detailed information about user password attributes. An administrator can use the AcctInfo.dll file to reset user account passwords on a domain controller that is in the user's Active Directory site.
LockoutStatus.exe: The LockoutStatus.exe tool displays bad password count and time information from all of the domain controllers that are in a domain. You can run this tool as either a stand-alone tool or as an extension to the AcctInfo.dll file when you place it in the %Systemroot%\System32 folder on your computer.
More information about both AcctInfo.dll and LockoutStatus.exe is available in "Account Lockout Tools" in this document.
Configuring Account Lockout Settings
To enable the Account Lockout policy settings for both domain and local users, configure the settings that are described in this section.

Recommended Service Packs and Hotfixes
Security issues in Windows operating systems are discovered and fixed often. These fixes often have an impact on account lockout and password policy features, as well as their dependent components. Therefore, you should apply the latest service packs and hotfixes to all of the domain controllers, servers, and clients to ensure that the account security settings that you want are applied and to ensure that the domain controllers and operating systems are up-to-date. Note that service packs resolve groups of issues and hotfixes resolve a specific issue.

You should have an ongoing strategy to keep your computers updated and protected against viruses, trojans, and so on, that may use vulnerabilities that are already fixed. For more information about how to create a software update strategy, refer to Help and Support Center in the Windows Server 2003 family and Windows XP, or refer to Help in Windows 2000.

Because these issues are discovered and fixed on an ongoing basis, they are not listed in this document. For more information, see "Service Packs and Hotfixes Available to Resolve Account Lockout Issues" in the Microsoft Knowledge Base: http://support.microsoft.com/?id=817701.
Configuring Account Lockout
The account lockout policy settings are designed to help prevent a brute force attack on user passwords. This section describes where you can configure the setting, as well as some things that you should consider before you use the settings.

Configuring Account Lockout for Domain Users
For domain users, set the appropriate values by configuring the default domain policy in the console tree. To configure the default domain policy, open the Group Policy MMC, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Account Policies, and then double-click Account Lockout Policy. For more detailed steps, see "Account Lockout Settings" in this document.

Configuring Account Lockout for Local Users
For a stand-alone workstation, set the appropriate registry values by configuring the local policy:
1. Click Start, click Run, type gpedit.msc, and then press ENTER.
2. In the Group Policy Object Editor MMC, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Account Policies, and then double-click Account Lockout Policy.
3. In the details pane, right-click the policy setting that you want, and then click Properties.
4. If you are defining this policy setting for the first time, click Define this policy setting.
5. Select the options that you want, and then click OK.
Microsoft recommends that you do not exempt the privileged accounts from password policies. Your privileged accounts should have complex passwords, an expiration period, and the passwords should be a minimum of fifteen characters in length. Microsoft also recommends that you protect the local accounts (non-domain clients) by using a local password policy for all users. For all workstations in a domain, set a domain-level Group Policy object (GPO) and filter it to apply to the domain member computer.
Choosing Account Lockout Settings for Your Deployment
This section describes the ramifications of changing the various settings and a way to estimate the difficulty of using the brute force method of password guessing with a certain configuration. Like other settings that are associated with passwords, choosing settings for account lockout involves balancing the benefits and drawbacks between security, usability, and cost. The primary consideration is how much risk is acceptable when you configure the password policy of the domain. For example, consider the following two domain configurations:
User accounts that are in domain A have a minimum password length of 3 characters, no password complexity requirements, and passwords never expire.
User accounts that are in domain B have a minimum password length of 6 characters, password complexity, and passwords in the domain expire in 42 days.
There is less risk of a malicious user guessing the password of a domain B user; for the same risk tolerance, domain B can have a less stringent account lockout policy. Whether you set the LockoutDuration registry value to 0 or not also has an important effect on the setting that is permitted for both the ObservationWindow and LockoutThreshold registry values.

As an example, assume that the administrator resets the password when the account is locked with a LockoutDuration registry value of 0. With the LockoutDuration registry value set to 0 and the LockoutThreshold registry value set to 20, the malicious user has 20 guesses to use against that password. If the lockout duration is 30 minutes, the malicious user has 20 guesses every 30 minutes against that password until it is changed. This is a very significant difference in the total number of guesses that are available to the malicious user.

In comparison, if the administrator sets the maximum password age to 42 days, the first malicious user has only 20 guesses against any given password, while the second malicious user has 40,320 guesses (20 tries for every lockout, multiplied by 48 lockouts every day, multiplied by 42 days before the user changes the password). With the default password settings, there are approximately 10^12 possible passwords. This means that the malicious user has approximately a .000004 percent (%) chance of guessing the password. With an optimized guessing scheme, this percentage would most likely be a larger percentage.

This example demonstrates that setting the LockoutDuration registry value to 0 allows the LockoutThreshold registry value to be a significantly higher number for equivalent risk tolerance. If you increase the LockoutThreshold registry value, you help to reduce the behavior of a user accidentally locking themselves out of their computer.
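An added Python example (not from the white paper) that works the arithmetic of the "Understanding Password Complexity" section and of the lockout comparison just above: the 94-character password space, the guess rate an attacker needs to cover it inside the password's lifetime, and the online guess budget a lockout policy leaves before the password changes. The 10^12 space quoted for the default settings is taken from the text as given, not derived here; the character-class sizes are the paper's.

```python
from fractions import Fraction

# Character classes from the paper: 26 + 26 + 32 + 10 = 94 possible characters.
LOWER, UPPER, SPECIAL, DIGITS = 26, 26, 32, 10
COMPLEX_CHARSET = LOWER + UPPER + SPECIAL + DIGITS

SECONDS_PER_DAY = 24 * 60 * 60


def password_space(length: int, charset: int = COMPLEX_CHARSET) -> int:
    """Unique passwords of exactly `length` characters drawn from `charset` symbols."""
    return charset ** length


def guesses_per_second_to_exhaust(length: int, max_age_days: int, coverage_percent: int = 100) -> int:
    """Guess rate needed to try `coverage_percent` of the space before the password
    expires. Truncated to whole guesses, matching the paper's 133,076/s and 66,538/s."""
    seconds = max_age_days * SECONDS_PER_DAY
    return int(Fraction(password_space(length) * coverage_percent, 100 * seconds))


def lockout_guess_budget(threshold: int, lockout_duration_min: int, max_age_days: int) -> int:
    """Online guesses an attacker gets before the password changes.

    lockout_duration_min == 0 models LockoutDuration = 0: the account stays locked
    until an administrator resets it, so only one window of `threshold` guesses exists.
    Otherwise the attacker gets `threshold` guesses per lockout period, every period,
    for the whole maximum password age (the paper's 20 * 48 * 42 = 40,320)."""
    if lockout_duration_min == 0:
        return threshold
    lockouts_per_day = (24 * 60) // lockout_duration_min
    return threshold * lockouts_per_day * max_age_days


def success_probability_percent(guesses: int, space: int) -> float:
    """Chance, in percent, that `guesses` distinct random guesses hit the one password."""
    return float(Fraction(guesses, space) * 100)


def compare_lockout_policies(max_age_days: int = 42, space: int = 10 ** 12) -> dict:
    """The two policies from the text side by side: LockoutDuration 0 versus 30 minutes,
    both with LockoutThreshold 20 and a 42-day maximum password age."""
    report = {}
    for label, duration in (("duration_0_admin_unlock", 0), ("duration_30_min", 30)):
        budget = lockout_guess_budget(20, duration, max_age_days)
        report[label] = {
            "guesses": budget,
            "percent_chance": success_probability_percent(budget, space),
        }
    return report


if __name__ == "__main__":
    for n in range(6, 11):
        print(f"{n:2d} characters: 94^{n} = {password_space(n):,}")
    print("full space, 60 days, length 6:", guesses_per_second_to_exhaust(6, 60), "guesses/s")
    print("half space, 60 days, length 6:", guesses_per_second_to_exhaust(6, 60, 50), "guesses/s")
    print("half space, 60 days, length 7:", guesses_per_second_to_exhaust(7, 60, 50), "guesses/s")
    print(compare_lockout_policies())
```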
When you choose the setting for account lockout, it is important that you consider the inherent denial of service that is associated with a locked out account. Ideally, the only accounts that are locked out are the accounts that are being attacked. However, the computer cannot determine the difference between a user typing an incorrect password or an automated task that is using an incorrect password. As a result, from the user's perspective, users who are trying to perform their daily tasks may be suddenly unable to perform their work, which incurs both the cost of support to the domain and the cost of lost work. The lower the value that you set for the LockoutThreshold registry value, the more likely this behavior is to occur. The length of the ObservationWindow registry value has much less effect on this behavior than the LockoutThreshold registry value.

Microsoft recommends that you regularly review the Security event logs of all computers so that you are aware of any patterns that might show an attack or user error. The values that are necessary to identify specific malicious users and targets can be obtained only after you implement the auditing policies that are mentioned in the "Appendix Two: Gathering Information to Troubleshoot Account Lockout Issues" section in this document. Microsoft offers an event log monitoring solution, Microsoft Operations Manager (MOM), that you can script with responses. This tool also has many other built-in actions that you can use. For more information about MOM, see the MOM Web site: http://www.microsoft.com/mom/default.asp.
Note Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.

LockoutThreshold vs. ObservationWindow
In general, the LockoutThreshold value has more of an effect on how the computer behaves than the ObservationWindow value. Most logon attempts that do not work occur during a very short period of time. Because of this, the period of time is inside of the ObservationWindow time. Users rarely type a bad password many times in a row, so the LockoutThreshold value is rarely exceeded. The exception to this is the environment where the LockoutThreshold registry value is set so low that a user could accidentally mistype their password often enough to lock themselves out (for example, if you set the LockoutThreshold value to 2). Malicious password attacks are almost always automated. A user typically locks themselves out of their computer when they type a bad password once and try to type that same bad password over and over again.
Recommended Account Lockout Settings
The security configuration for an organization is determined by the level of protection that is required in the organization's environment. In some low-security scenarios (such as in a small office where no sensitive information is stored in the system), a simple password policy may be sufficient to protect the resources. However, in a high-security environment (such as in a banking system), much stronger security protection is desired. You should use account lockout and strong password policies in these environments. In all examples, the stronger the security that is implemented, the higher the cost that is associated with maintaining that security.

The following table provides recommended account lockout settings for many different security configurations.

Table 1 Recommended Account Lockout Settings

Security category | Account lockout settings                           | Cost
                  | Threshold | Observation window | Lockout duration |
Low               | N/A       | N/A                | N/A              | Low
Medium            | 10        | 30                 | 30               | Medium
High              | 10        | 30                 | Infinite/0       | High

Note "Cost" includes downtime cost for the user whose account is locked out, as well as support cost for servicing the locked out account.
Recommended Password Policy Settings
The table below provides recommended password policy settings for various security configurations.

Table 2 Recommended Password Policy Settings

Security category | Password policy settings                                                                            | Cost
                  | Password history | Maximum password age | Minimum password age | Minimum password length | Complexity |
Low               | 3                | 42                   | 0                    | 0                       | disabled   | Low
Medium            | 24               | 42                   | 1                    | 7                       | enabled    | Medium
High              | 24               | 42                   | 1                    | 8                       | enabled    | High
General Recommendations for Account Lockout and Password Policy Settings
In addition to the specific account lockout and password policy settings in the previous tables, there are some other configuration changes that may help you achieve the level of security that you want. These include:
When you enable account lockout, set the ForceUnlockLogon registry value to 1. This setting requires that Windows re-authenticates the user with a domain controller when that user unlocks a computer. This helps to ensure that a user cannot use a previously-cached password to unlock their computer after the account is locked out.
False lockouts can occur if you set the LockoutThreshold registry value to a value that is lower than the default value of 10. This is because users and programs can retry bad passwords frequently enough to lock out the user account. This adds to administrative costs.
After you unlock an account that is locked out, verify that the LockoutDuration value is set. You should do this because the value may have changed during the account unlock process.
Carefully consider setting the LockoutDuration registry value to 0. When you apply this setting, you may incur additional administrative labor by requiring administrators to manually unlock a locked out user account. Although this does increase security, the increased labor drawback may outweigh the security benefit.
Define account lockout and password policies once in every domain. Ensure that these policies are defined only in the default domain policy. This helps to avoid conflicting and unexpected policy settings.
Unlock an account from a computer that is in the same Active Directory site as the account. By unlocking the account in the local site, urgent replication occurs in that site which triggers immediate replication of the change. Because of this, the user account should be able to regain access to resources faster than waiting for replication to occur. Note that the AcctInfo.dll tool helps to identify an appropriate domain controller and unlock the account. For more information about AcctInfo.dll, see the "Account Lockout Tools" section in this document.
Protecting from External Account Lockout Denial of Service Attacks
It is possible for a malicious user to launch a denial-of-service attack against your enterprise from outside of your network. Because most networks are interconnected, this can be a difficult attack to mitigate. The following are common techniques and technologies that you can use to help mitigate or prevent such attacks:
Require complex passwords: All accounts should have a complex password. All administrator accounts (local and domain) should have a long, complex password and you should change the password regularly.
Rename the administrator account: Because the administrator account cannot be locked out, it is recommended that you rename the account. Although this does not mitigate all of the attacks against the administrator account, it does help mitigate these attacks most of the time. For more information, see "HOW TO: Rename the Administrator and Guest Account in Windows 2000" on the Microsoft Knowledge Base: http://support.microsoft.com/?id=320053.
Protect your environment with firewalls: To avoid an account lockout denial of service attack, block the TCP and UDP ports 135 through 139 and port 445 on your routers and firewalls. When you do this, you prevent logon attempts that occur outside of your network.
Prevent anonymous access: Set the RestrictAnonymous value to 2 on all computers that are exposed to the internet and to the entire domain if all of the computers are running versions of Windows 2000 or later. This stops malicious users from making anonymous connections to resources and may help defeat some types of attacks. Note that some operating systems have limited support for computers that have this setting. Some programs may also have issues with this setting if the programs use an anonymous connection to gain access to resources. For more information, see "How to Use the RestrictAnonymous Registry Value in Windows 2000" on the Microsoft Knowledge Base: http://support.microsoft.com/?id=246261.
Protect site-to-site traffic by using a VPN tunnel: If communication between domain members in two sites is required, use a site-to-site VPN tunnel to securely connect site networks together. Do not open all NetBIOS ports on the firewall. You can use the Windows 2000 Server Routing and Remote Access service to create site-to-site VPN tunnels. If no VPN devices are available, you should configure the edge firewall or router filters to limit the traffic that is permitted to flow between the Internet Protocol (IP) address ranges that are used by each site. If sites need to use Active Directory replication only across the Internet, then use Internet Protocol security (IPSec) transport mode through the firewalls to secure all traffic between Active Directory servers. For more information about Active Directory replication through firewalls, see the "Active Directory Replication over Firewalls" white paper on the Microsoft Web site: http://www.microsoft.com/serviceproviders/columns/config_ipsec_p63232.asp.
Protecting authentication and NetBIOS ports from Internet attack: In either the firewall or the router that connects your internal network to the Internet, block access to TCP and UDP ports 135 through 139 and port 445. If no edge filtering device is available, you can use IPSec filters to block these ports. To do this, use the configuration that is described in "How to Block Specific Network Protocols and Ports by Using IPSec" on the Microsoft Knowledge Base: http://support.microsoft.com/?id=813878.
In the same IPSec policy, you must create an additional rule that adds filters to permit traffic to these ports when the source address is in a subnet that is used by the internal network. To do this, use the configuration that is described in "How to Block Specific Network Protocols and Ports by Using IPSec" on the Microsoft Knowledge Base: http://support.microsoft.com/?id=813878.
Protecting authentication and NetBIOS ports from internal attack: If you must protect access to both authentication and NetBIOS ports from internal malicious users, you can restrict the computers that are permitted to gain access to these ports to only domain member computers by using the feature in IPSec that allows you to negotiate security. By allowing only trusted computers (domain member computers) to gain access to both authentication and NetBIOS ports, you reduce the number of computers that can perform the attack. This extra protection provides a defense against any breaches in your security perimeter and against malicious users who can connect to the internal network. For information about how to create a custom IPSec policy to use Kerberos authentication when negotiating IPSec security for access to TCP and UDP ports 135 through 139 and port 445, see the "Step-by-Step Guide to Internet Protocol Security (IPSec)" on the Microsoft Web site: http://www.microsoft.com/windows2000/techinfo/planning/security/ipsecsteps.asp.
Update the server: Keep all of your servers up-to-date with current versions of antivirus software, firewall software, and Windows security patches. This helps prevent trojan horse programs and viruses from attacking your resources if the malicious user can launch an attack from your internal network instead of from the Internet. These updates are an important part of an in-depth and defensive security strategy.
,etails of Account &oc#out Settin$s and Processes
With the acco&nt locko&t feat&re enabled, access to the acco&nt is denied 'hen the n&mber of
logon attempts that did not 'ork e1ceeds the &oc#outThreshold registr" ,al&e Cthe acco&nt
locko&t thresholdE in a specified amo&nt of time) A locked2o&t acco&nt cannot be &sed &ntil it is
reset b" an administrator or &ntil the locko&t d&ration for that acco&nt e1pires)
Acco&nt Locko&t is disabled on defa&lt installations of Windo's FT #er,er =)5, Windo's 7555,
and Windo's #er,er 7558 domains) Acco&nt locko&t operation is enabled after the domain
administrator enables settings in the defa&lt domain polic") The polic" settings remain enabled
'hen "o& &pgrade domain controllers to a later ,ersion of an operating s"stem)
Altho&gh the Kro&p Polic" %b.ect Editor appears to s&pport acco&nt locko&t and pass'ord polic"
in each organi(ational &nit, these settings act&all" occ&r across the domain+ "o& m&st define the
settings on the root organi(ational &nit for the domain) Microsoft recommends that "o& define
acco&nt locko&t and pass'ord policies in onl" one Kro&p Polic" ob.ect CKP%E for e,er" domain
Cin the Defa&lt Domain polic" settingsE)
Password Polic" Settin$s
The first step that "o& sho&ld &se to sec&re "o&r net'ork is to enforce pass'ord polic" settings)
When "o& implement a sec&re pass'ord polic", "o& ma" not need to implement the acco&nt
locko&t feat&re)
Password 'o!(le*it"
Pass'ords, b" defa&lt, can incl&de an" combination of characters+ pass'ords can also be blank)
Microsoft recommends that "o& re-&ire the &se of comple1 pass'ords to help ens&re that
pass'ords pro,ide the best sec&rit" possible) These comple1 pass'ords are m&ch more
resistant to attack than blank or simple pass'ords)
To enforce pass'ord comple1it" in "o&r organi(ation, "o& can enable the Password !ust !eet
co!(le*it" re9uire!ents sec&rit" setting) The comple1it" re-&irements enforced b" this setting
are stored in Passfilt)dll) Bn Windo's 7555 operating s"stems and later, Passfilt)dll is b&ilt into the
operating s"stem) Bn Windo's FT #er,er =)5, "o& m&st add the Passfilt)dll file to the operating
s"stem to achie,e the same res&lts) Passfilt)dll is incl&ded in Windo's FT #er,er =)5 #er,ice
Pack 7 and in later ser,ice packs)
!" defa&lt, comple1 pass'ords enforced b" Passfilt)dll ha,e the follo'ing properties6
Do not contain all or part of the &serAs acco&nt name)
Contain characters from three of the follo'ing fo&r categories6
English &ppercase characters CA thro&gh RE)
English lo'ercase characters Ca thro&gh (E)
!ase295 digits C5 thro&gh <E)
Fon2alphan&meric Cfor e1ample, S, T, U, QE) e1tended A#CBB, s"mbolic, or ling&istic
characters)
Note Depending on "o&r en,ironment, &sing e1tended A#CBB, s"mbolic, or ling&istic
characters in pass'ords can ha,e &ne1pected res&lts) Bt is highl" recommended that "o&
test these characters before &sing them in prod&ction)
When implementing this polic", it is recommended to inform "o&r &sers of the change in
polic" so that a smooth transition can take place from a simple pass'ord to a comple1
pass'ord) %ther'ise, &sers ma" be conf&sed b" the ne' pass'ord criteria and
circ&m,ent sec&rit" to a,oid the diffic&lt")
Oo& can create and register "o&r o'n c&stom pass'ord filter if "o& 'ant to modif" the comple1it"
re-&irements enforced in the sec&rit" setting) /or information abo&t ho' to create a Passfilt)dll
file, see 0Pass'ord /ilters0 on the M#DF Web siteLhttp6MMmsdn)microsoft)comMlibrar"Mdefa&lt)aspN
&rl;Mlibrar"Men2&sMsec&rit"Msec&rit"Mpass'ordJfilters)asp)
Password History
You can use the Password History setting to prevent users from repeatedly using the same password. When you use the password history feature, a user is prevented from using passwords that they used in the past, up to the number of passwords that you specify. You can configure Windows to retain between 0 and 24 passwords by using the Password History feature. Microsoft recommends that you set the password history to the maximum value to help ensure the least amount of password reuse by users.
In the Windows 2000 Server family and later, the location of the password history is in the Default Domain policy settings at Computer Configuration\Windows Settings\Security Settings\Account Policies\Enforce Password History.
Valid non-zero values are between 1 and 24. The default value is 24 for domain controllers running a member of the Windows Server 2003 family, 3 for domain controllers running a member of the Windows 2000 family, and 0 for all other Windows operating systems.
Minimum Password Length
You can use the Minimum Password Length setting to decrease the chances that a password can be discovered by a malicious user. For more information about the Minimum Password Length setting, see "Understanding Password Complexity" in this document.
In versions of Windows 2000 operating systems and later, you can change the Minimum Password Length setting in the Group Policy MMC, in the Default Domain policy settings at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum Password Length.
An administrator can set the value between 0 and 14 characters. Each additional character increases the total possible password permutations. However, if you set the value to 0, blank passwords are not permitted.
Valid non-zero values are between 1 and 14, with a default value of zero.
Maximum Password Age
You can use the Maximum Password Age setting to limit the time for which a given password is valid. This decreases the odds of being able to crack a password. For more information, see the example in the "Passwords" section in this document.
In the Windows 2000 family and later, the Maximum Password Age setting is located in the Group Policy MMC, in the Default Domain policy at Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum Password Age.
This setting determines the period of time (in days) that a user can use their password before the computer requires the user to change it. You can set passwords to expire in between 1 and 999 days, or you can specify that passwords never expire by setting the number of days to 0.
Valid non-zero values are between 1 and 999, with a default value of 42.
Minimum Password Age
You can use the Minimum Password Age setting to prevent users from repeatedly changing passwords until the user is able to use their original password, if you enforce the Password History setting.
When you use the Minimum Password Age setting, you prevent the circumvention of password expiration and help to assure unique passwords.
The Minimum Password Age setting determines the period of time (in days) that a password must be used before the user can change it. You can set the value to between 1 and 999 days, or allow immediate changes by setting the number of days to 0.
Configure the Minimum Password Age setting to be a number that is larger than 0 if you want the Enforce Password History setting to be effective. If you do not set a minimum password age, users can repeatedly cycle through passwords until they are able to use an old favorite password. This could allow users to circumvent established password policy.
The Minimum Password Age setting is located in the Group Policy MMC, in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.
Valid non-zero values are between 1 and 999, with a default value of one for domain controllers and zero for other computers.
Account Lockout Settings
You can set the Account Lockout settings in the Active Directory Users and Computers MMC by using the procedure in this section.
Note The value that you set for LockoutDuration cannot be less than ObservationWindow.
1. Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, right-click the domain on which you want to set a Group Policy object.
3. Click Properties, and then click the Group Policy tab.
4. In Group Policy Object Links, click Default Domain Policy or create and name your Group Policy object, and then click Edit.
5. In the console tree, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Account Policies, and then click Account Lockout Policy.
6. In the details pane, right-click the policy setting that you want, and then click Properties.
7. If you are defining this policy setting for the first time, click Define this policy setting.
8. Click the options that you want, and then click OK.
ObservationWindow
The ObservationWindow setting (also known in Group Policy as the Reset account lockout counter after setting) is the number of minutes after which an account's badPwdCount registry value is reset. You can use the ObservationWindow setting to help mitigate lockout issues that are initiated by users. When you enable this setting, the bad password attempt is removed from the server after a period of time.
Valid non-zero values are between 1 and 99999, with a default value of 30.
LockoutDuration
The LockoutDuration setting (also known in Group Policy as the Account lockout duration setting) is the amount of time, in minutes, that account lockout is enforced on an account that has exceeded the LockoutThreshold value, measured from the time of lockout. If you set the LockoutDuration registry value to 0, the account is permanently locked out until either an administrator or a user who has a delegated account resets the account. Otherwise, if the administrator or a delegated user account does not unlock the account, the operating system unlocks the account after the number of minutes that you set in the LockoutDuration registry value. Non-zero values for the LockoutDuration registry value reduce the administrative overhead of unlocking accounts by having them unlocked automatically; however, non-zero values do not provide the added security of user validation before the account is restored.
Valid non-zero values are between 1 and 99999, with a default value of 30.
LockoutThreshold
The LockoutThreshold setting (also known in Group Policy as the Account lockout threshold setting) is the number of times that the user, computer, service, or program can send a bad password during logon authentication before the account is locked out. Account lockout occurs when the badPwdCount registry value is equal to or exceeds the LockoutThreshold value. You can adjust the LockoutThreshold value to prevent both brute force and dictionary attacks, but if you set the value too low it also captures user error and other non-attack failures. Administrators often set this value too low (3 through 5), which causes a large number of account lockouts because of user error, program caching by service accounts, or issues with networking clients. If you set the LockoutThreshold value to 0, no account lockouts occur on the domain.
Valid non-zero values are between 1 and 999, with a default value of zero.
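The three settings above interact: the observation window decides when badPwdCount is reset, the threshold decides when that counter triggers a lockout, and the duration decides when (or whether) the lockout clears by itself. The following added example, written for this page and not taken from Windows or the white paper, models that interaction for one account on one domain controller with a simulated clock measured in whole minutes; the class and method names are this example's own, and it treats a LockoutDuration of 0 ("until an administrator unlocks") as exempt from the rule that LockoutDuration may not be less than ObservationWindow, which is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockoutPolicy:
    """The three account lockout settings, in minutes as the page describes them."""
    lockout_threshold: int = 0     # LockoutThreshold: 0 = account lockout disabled
    lockout_duration: int = 30     # LockoutDuration: 0 = locked until an administrator unlocks
    observation_window: int = 30   # ObservationWindow: minutes after which badPwdCount resets

    def __post_init__(self) -> None:
        # The page's note: LockoutDuration cannot be less than ObservationWindow.
        # Assumption: a duration of 0 (permanent) is not subject to this check.
        if self.lockout_duration and self.lockout_duration < self.observation_window:
            raise ValueError("LockoutDuration cannot be less than ObservationWindow")


class AccountLockoutState:
    """Per-account bookkeeping as one domain controller would keep it (example model).

    Windows stores badPasswordTime as 0 when unknown; this model uses None instead.
    """

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.bad_pwd_count = 0                       # badPwdCount
        self.bad_password_time: Optional[int] = None  # badPasswordTime (minute of last bad password)
        self.lockout_time: Optional[int] = None       # minute the lockout began, or None

    def _unlock(self) -> None:
        self.lockout_time = None
        self.bad_pwd_count = 0

    def admin_unlock(self) -> None:
        """An administrator or delegated user resets the account."""
        self._unlock()

    def is_locked_out(self, now: int) -> bool:
        """Evaluate the lockout at minute `now`, clearing it if LockoutDuration has elapsed."""
        if self.lockout_time is None:
            return False
        if self.policy.lockout_duration == 0:
            return True                        # permanent: only admin_unlock() clears it
        if now - self.lockout_time >= self.policy.lockout_duration:
            self._unlock()                     # duration expired: automatic unlock
            return False
        return True

    def bad_password(self, now: int) -> bool:
        """Record an incorrect password at minute `now`; return whether the account is locked out afterwards."""
        if self.is_locked_out(now):
            return True
        p = self.policy
        # ObservationWindow: once that many minutes have passed since the last bad
        # password, the counter starts again from zero.
        if self.bad_password_time is not None and now - self.bad_password_time >= p.observation_window:
            self.bad_pwd_count = 0
        self.bad_pwd_count += 1
        self.bad_password_time = now
        # Lockout occurs when badPwdCount equals or exceeds LockoutThreshold (0 = never).
        if p.lockout_threshold and self.bad_pwd_count >= p.lockout_threshold:
            self.lockout_time = now
            return True
        return False

    def good_password(self, now: int) -> bool:
        """Return True if the logon is accepted; a locked-out account is refused even with the right password."""
        if self.is_locked_out(now):
            return False
        self.bad_pwd_count = 0                 # a successful logon clears the counter
        return True


def replay(policy: LockoutPolicy, events: List[Tuple[int, str]]) -> List[str]:
    """Replay (minute, 'bad' | 'good' | 'unlock') events and describe the state after each one."""
    acct = AccountLockoutState(policy)
    out: List[str] = []
    for minute, kind in events:
        if kind == "bad":
            locked = acct.bad_password(minute)
            out.append(f"{minute:4d} min: bad password   badPwdCount={acct.bad_pwd_count} locked={locked}")
        elif kind == "good":
            ok = acct.good_password(minute)
            out.append(f"{minute:4d} min: good password  accepted={ok}")
        else:
            acct.admin_unlock()
            out.append(f"{minute:4d} min: admin unlock   badPwdCount={acct.bad_pwd_count}")
    return out


if __name__ == "__main__":
    # Constructed scenario: four mistakes, a pause longer than the window, then five more.
    policy = LockoutPolicy(lockout_threshold=5, lockout_duration=30, observation_window=30)
    for line in replay(policy, [(1, "bad"), (2, "bad"), (3, "bad"), (4, "bad"), (40, "bad"),
                                (41, "bad"), (42, "bad"), (43, "bad"), (44, "bad"), (50, "good"), (74, "good")]):
        print(line)
```

Running the scenario shows why a low threshold combined with a short window still catches a stale cached credential: the four early mistakes are forgotten after the window, but five rapid failures lock the account, and the correct password at minute 50 is refused until the duration has run out at minute 74.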
Account Lockout Values
Account lockout registry values are described in this section. These values store the information that you need to track account lockout information.
Note These values are maintained by the operating system, so you should not manually modify them.
badPasswordTime
The badPasswordTime value stores the last time that the user, computer, or service account submitted a password that did not match the password on the authenticating domain controller. This property is stored locally on each domain controller that is in the domain. A value of 0 means that the last incorrect password time is unknown. For an accurate value for the user's last incorrect password time in the domain, you must query each domain controller that is in the domain; the largest one is the accurate value. For more information, see the "LockoutStatus.exe" section in this document.
Note The badPasswordTime registry value is not replicated between domain controllers. This attribute, however, is reported to the PDC operations master.
badPwdCount
The badPwdCount value stores the number of times that the user, computer, or service account tried to log on to the account by using an incorrect password. This value is maintained separately on each domain controller in the domain, except for the PDC operations master of the accounts domain, which maintains the total number of incorrect password attempts. A value of 0 indicates that the value is unknown. For an accurate total of the user's incorrect password attempts in the domain, you must query each domain controller and use the sum of the values. For more information, see the "LockoutStatus.exe" section in this document.
Note The badPwdCount registry value is not replicated between domain controllers. This registry value, however, is reported to the PDC operations master.
ntPwdHistory
The ntPwdHistory registry value contains the password history for the user in Windows NT Server 4.0 one-way function (OWF) form. Both Windows 2000 and the Windows Server 2003 family use the Windows NT Server 4.0 OWF. This property is used only by the operating system. Note that you cannot obtain the password from the password in OWF form.
Other Settings That Affect Account Lockout
This section describes another setting that affects account lockout behavior. While the setting is focused on authentication, it is closely tied with account lockout policy.
You can set the authentication settings in the Active Directory Users and Computers MMC by using the procedure in this section.
1. Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
2. In the console tree, right-click the domain on which you want to set a Group Policy object.
3. Click Properties, and then click the Group Policy tab.
4. In Group Policy Object Links, click Default Domain Policy or create and name your Group Policy object, and then click Edit.
5. In the console tree, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then click Security Options.
6. In the details pane, right-click the policy setting that you want, and then click Properties.
7. If you are defining this policy setting for the first time, click Define this policy setting.
8. Click the options that you want, and then click OK.
ForceUnlockLogon
The ForceUnlockLogon setting (also known as "Interactive logon: Require Domain Controller authentication to unlock workstation") controls the behavior of a computer running Windows 2000, Windows XP or the Windows Server 2003 family when the computer is unlocked by a user.
With a value of 1 (or Enabled, in Group Policy), unlocking the computer also performs a synchronous logon to the domain to verify user authenticity. This option is slower than allowing cached authentication because it requires network-based authentication.
With a value of 0 (or Disabled, in Group Policy), cached information is used to verify the user's identity. When the verification is successful, the user is logged on. Windows then performs an asynchronous logon to the domain in the background. This means that the user can still unlock a computer even when the account is locked out.
Valid values are 0 and 1, with a default value of 0.
For additional information about unlocking a workstation, see the following articles:
"Information About Unlocking a Workstation" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=281250).
"Screensaver Password Works Even If Account Is Locked Out" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=188700).
Replication and Account Lockout
Account lockout relies on the replication of lockout information between domain controllers to ensure that all domain controllers are notified of an account's status. In addition, password changes must be communicated to all domain controllers to ensure that a user's new password is not considered incorrect. This data replication is accomplished by the various replication features of Active Directory and is also discussed in this section.
Immediate Replication
When you change a password, it is sent over Netlogon's secure channel to the PDC operations master. Specifically, the domain controller makes a remote procedure call (RPC) to the PDC operations master that includes the user name and new password information. The PDC operations master then locally stores this value.
Immediate replication between Windows 2000 domain controllers is caused by the following events:
Lockout of an account
Modification of a Local Security Authority (LSA) secret
State changes of the Relative ID (RID) Manager
Urgent Replication
Active Directory replication occurs between domain controllers when directory data is updated on one domain controller and that update is replicated to all other domain controllers. When a change in directory data occurs, the source domain controller sends out a notice that its directory store now contains updated data. The domain controller's replication partners then send a request to the source domain controller to receive those updates. Typically, the source domain controller sends out a change notification after a delay. This delay is governed by a notification delay. (The Windows 2000 default notification delay is 5 minutes; the Windows Server 2003 default notification delay is 15 seconds.) However, any delay in replication can result in a security risk for certain types of changes. Urgent replication ensures that critical directory changes are immediately replicated, including account lockouts, changes in the account lockout policy, changes in the domain password policy, and changes to the password on a domain controller account. With urgent replication, an update notification is sent out immediately, regardless of the notification delay. This design allows other domain controllers to immediately request and receive the critical updates. Note, however, that the only difference between urgent replication and typical replication is the lack of a delay before the transmission of the change notification. Apart from that, urgent replication is identical to standard replication. When replication partners request and subsequently receive the urgent changes, they receive, in addition, all pending directory updates from the source domain controller, and not only the urgent updates.
When either an administrator or a delegated user unlocks an account, manually sets password expiration on a user account by clicking User Must Change Password At Next Logon, or resets the password on an account, the modified attributes are immediately replicated to the PDC emulator operations master, and then they are urgently replicated to other domain controllers that are in the same site as the PDC emulator. By default, urgent replication does not occur across site boundaries. Because of this, administrators should make manual password changes and account resets on a domain controller that is in that user's site.
The following events are not urgent replications in Windows 2000 domains:
Changing the account lockout policy
Changing the domain password policy
Changing the password on a computer account
Domain trust passwords
For additional information about urgent and immediate replication, see "Urgent Replication Triggers in Windows 2000" in the Microsoft Knowledge Base (http://support.microsoft.com/default.aspx?scid=kb;en-us;232690).
Single User Object (On Demand) Replication
In the Windows 2000 family, when an administrator resets and immediately expires a user's password on a domain controller in site A (so that the user is given a new password but forced to change it when the user first logs on), the logon may still succeed when the user logs on with that new password in site B. This occurs because the domain controller chains to the PDC operations master during authentication. However, the user's password change may not replicate correctly because domain controllers in site B do not yet have the reset password. This occurs because there is replication latency between sites.
An update is available for Windows 2000 that changes this behavior. For more information to help change this behavior by implementing an "on-demand" replication scheme, see "You Cannot Change Your Password After an Administrator Resets It" on the Microsoft Knowledge Base (http://support.microsoft.com/?id=812499). The updated replication scheme allows the domain controller to contact the PDC operations master to request an update of the user object that failed authentication because of an incorrect password. This helps to ensure that the authenticating domain controller receives the most current user account information as quickly as possible.
Mi*ed =nviron!ents with Windows NT Server 4.0 and Active
,irector" ,o!ain 'ontrollers
Bf ser,ers that are r&nning Windo's FT #er,er =)5 and earlier are in the domain, acco&nt locko&t
is not a dependable sec&rit" feat&re)
/or e1ample, a Windo's FT #er,er =)5, Enterprise Edition, back&p domain controller C!DCE ma"
a&thenticate a &ser, e,en tho&gh the acco&nt is marked as locked o&t on a domain controller that
is r&nning Windo's FT #er,er =)5 and earlier) Also, Windo's FT #er,er =)5, Enterprise Edition,
!DCs cannot &nlock an acco&nt) The ser,er that is r&nning Windo's FT #er,er =)5, Enterprise
Edition, can increment the bad pass'ord co&nt 'hen the &ser logs in 'ith an incorrect pass'ord)
That ser,er can then report the increment to the other domain controller) 3o'e,er, the
Windo's FT #er,er =)5, Enterprise Edition, !DC does not send this information to the domain
controller that is r&nning Windo's FT #er,er =)5 and earlier if the &ser logs on 'ith the correct
pass'ord) !eca&se of this, the bad pass'ord co&nt is not reset after the s&ccessf&l logon
attempt)
The acco&nt locko&t feat&re of Microsoft LAF Manager is not compatible 'ith the acco&nt locko&t
feat&re on comp&ters that are r&nning Windo's FT #er,er =)5 and earlier) The domain controller
that is r&nning Windo's FT #er,er =)5 and earlier does not replicate an" acco&nt locko&t
information to a LAF Manager !DC) Bf the acco&nt is marked as locked o&t on the Windo's FT
#er,er =)5 and earlier domain controller, the LAF Manager !DC ma" still ,alidate the &ser) The
LAF Manager !DC displa"s the acco&nt locko&t polic" as set to 0Fe,er,0 e,en in a domain
r&nning Windo's FT #er,er =)5 and earlier 'here acco&nt locko&t is enabled)
/or these reasons, "o& sho&ld consider ens&ring that all domain controllers in "o&r net'ork are
r&nning Windo's 7555 or the Windo's #er,er 7558 famil") This is the onl" 'a" to ens&re that
acco&nt locko&t is enforced consistentl" across "o&r net'ork)
Maintainin$ and Monitorin$ Account &oc#out
After "o& config&re the acco&nt locko&t options that "o& 'ant, set &p the comp&ters so that "o&
can capt&re more data abo&t the acco&nts that are being locked o&t) This section describes ho'
to enable a&diting, Fetlogon logging, and Gerberos logging, as 'ell as 'hich comp&ters to
retrie,e the logs from) After "o& config&re the logging and capt&re the appropriate data, this
section 'ill sho' "o& ho' to anal"(e the information so that "o& can ens&re acco&nt locko&t
settings are 'orking and identif" attacks)
=na/le Auditin$ at the ,o!ain &evel
The follo'ing sections describe ho' to enable a&diting at the domain le,el for different operating
s"stems)
To effecti,el" tro&bleshoot acco&nt locko&t, enable a&diting at the domain le,el for the follo'ing
e,ents6
Acco&nt Logon E,ents X /ail&re
Acco&nt Management X #&ccess
Logon E,ents X /ail&re
Windows 2000 and Windows Server 2003 ,o!ains
The A&dit Polic" settings are located in the Defa&lt Domain polic" settings) To ,ie' the A&diting
polic" settings, in the Kro&p Polic" MMC, do&ble2click 'o!(uter 'onfi$uration, do&ble2click
Windows Settin$s, do&ble2click Securit" Settin$s, do&ble2click &ocal Policies, and then
do&ble2click Audit Polic") Enable a&diting for the e,ent t"pes listed in the pre,io&s section)
Windows NT Server 4.0 ,o!ain
%pen *ser Manager, click Policies, click Auditin$, enable &o$on and &o$off a&diting for fail&re
e,ents, and then enable *ser and Kro&p Management a&diting for s&ccess e,ents)
Settin$s for =vent &o$s
/or tro&bleshooting p&rposes, change some of the settings for the #ec&rit" e,ent logs6
#et the ma1im&m sec&rit" log si(e to 95,555 G! or more) This helps to ens&re that important
e,ents are not o,er'ritten 'hen the log file becomes large in si(e)
#et the e,ent retention method to 7verwrite events as needed to ens&re that the comp&ter
is not sh&t do'n beca&se there are too man" #ec&rit" e,ent log entries, e,en 'hen the log
file becomes large in si(e)
/or information abo&t ho' to change the si(e and retention method of the #ec&rit" e,ent log , see
the 3elp doc&mentation for the operating s"stem 'ith 'hich "o& are 'orking)
!eca&se the e,ents can occ&r on both the client and the ser,er, "o& can &se the follo'ing tools
to help "o& gather the information in a single location)
*se the E,entCombMT)e1e tool, a m&ltithreaded tool, to gather specific e,ents from e,ent
logs from se,eral different comp&ters to one central location and then search those e,ent
logs for specific data of interest) #ome specific search categories are b&ilt into the tool, s&ch
as acco&nt locko&ts, 'hich is alread" config&red to incl&de e,ents @7<, 4==, 4?@, 4?4, and
4>9) /or more information, see the 3elp file that is incl&ded 'ith the tool)
*se the E,entlog)pl tool to help "o& manage e,ent logs in Windo's 7555) Oo& can &se this
tool to change the properties of e,ent logs, back &p e,ent logs, e1port e,ent lists to te1t file,
clear e,ent logs, and -&er" the properties of the e,ent logs) /or more information, see 03%W
T%6 *se the E,ent Log Management #cript Tool CE,entlog)plE to Manage E,ent Logs in
Windo's 75550 in the Microsoft Gno'ledge !aseLhttp6MMs&pport)microsoft)comMNid;89>?48)
Netlo$on &o$$in$
Oo& can &se Fetlogon logging to capt&re Fetlogon and FTLM e,ents) Bt is recommended that "o&
config&re Fetlogon logging in a Windo's 7555 domain that has Windo's 7555 clients)
Oo& m&st config&re Fetlogon logging on the primar" domain controller CPDCE and on an" other
domain controllers that are in,ol,ed in &ser a&thentication) To determine the a&thenticating
domain controller, at a command prompt, t"pe set l or &se the Locko&t#tat&s)e1e tool) /or more
information abo&t the Locko&t#tat&s)e1e tool, see the 0Acco&nt Locko&t Tools0 section in this
doc&ment) /or enterprises that ha,e less then 95 domain controllers, "o& sho&ld enable Fetlogon
logging on all domain controllers for each domain)
=na/lin$ Netlo$on &o$$in$ on 'o!(uters 0unnin$ Windows 2000 Server
To enable Fetlogon logging on comp&ters that are r&nning Windo's 7555 #er,er, at a command
prompt, t"pe nltest ?d/fla$@20A0ffff) The log file is created in SystemrootPDeb&gPFetlogon)log) Bf
the log file is not in that location, stop and restart the Fetlogon ser,ice on that comp&ter) To do
this, at a command prompt, t"pe net sto( netlo$on B net start netlo$on) /or more information,
see 0Enabling Deb&g Logging for the Fetlogon #er,ice0 on the Microsoft Gno'ledge !aseL
http6MMs&pport)microsoft)comMNid;95<474)
Bf free disk space is lo', make s&re there is eno&gh space to allo' the =5 megab"tes CM!E
ma1im&m space for the logging) Oo& sho&ld also consider the disk space that Fetlogon logging
&ses) When Fetlogon)log reaches 75 M! in si(e, it is renamed to Fetlogon)bak and a ne'
Fetlogon)log is created 'ith the latest Fetlogon data) After that Fetlogon)log reaches 75 M! in
si(e, Fetlogon)bak is tr&ncated, and the c&rrent Fetlogon)log file is renamed to Fetlogon)bak)
!eca&se of this process, the total disk space that is &sed b" Fetlogon logging is ne,er more than
=5 M!)
Note Performance ma" be slightl" degraded b" the logging process) Therefore, "o&
sho&ld disable Fetlogon logging after "o& ha,e capt&red the e,ents that "o& 'ant in the
log file) To disable Fetlogon logging, at a command prompt, t"pe nltest ?d/fla$@0, press
EFTER, t"pe net start netlo$on and then press EFTER)
:er/eros &o$$in$
Bf acco&nt locko&ts in,ol,e Gerberos clients that are r&nning a member of the Windo's 7555
famil" or later, "o& can enable Gerberos logging on those client comp&ters) Oo& 'o&ld t"picall"
perform this step after "o& ha,e determined that there is an a&thentication iss&e that is related to
Gerberos)
To enable Gerberos e,ent logging on a comp&ter6
1. Click Start, click 0un, t"pe re$edit, and then press EFTER)
2. Add the
+:=;C&7'A&CMA'+%N=DS;ST=MD'urrent'ontrolSetD'ontrolD&saD:er/erosDPara!eter
s registr" ,al&e to the registr" ke"6
0e$istr" value@ &o$&evel
-alue t"(e@ 0=<C,W70,
-alue data@ 0*.
Bf the Para!eters registr" ke" does not e1ist, create it)
3. Close Registr" Editor and restart the comp&ter)
'aution Bncorrectl" editing the registr" ma" se,erel" damage "o&r s"stem) !efore
making changes to the registr", "o& sho&ld back &p an" ,al&ed data on the comp&ter)
Note Performance ma" be degraded b" the logging process) Therefore, "o& sho&ld
disable the logging process after "o& capt&re the e,ents that "o& 'ant in the log file) To
disable logging, remo,e the &o$&evel registr" ,al&e, and then restart the comp&ter)
Oo& can a&tomate this process b" &sing the script that is in the 0Acco&nt Locko&t Tools0 section
in this doc&ment) This script sets the Gerberos logging ke" in the registr" on client comp&ters that
are r&nning Windo's 7555) Bf "o& 'ant to enable logging for gro&ps of comp&ters, "o& can
specif" this script as a start&p script in an Acti,e Director" gro&p polic")
To disable Gerberos e,ent logging on a comp&ter6
1. Click Start, click 0un, t"pe re$edit, and then press EFTER)
2. Delete the
+:=;C&7'A&CMA'+%N=DS;ST=MD'urrent'ontrolSetD'ontrolD&saD:er/erosDPara!eter
sD&o$&evel registr" ,al&e)
3. Close Registr" Editor and restart the comp&ter)
'aution Bncorrectl" editing the registr" ma" se,erel" damage "o&r s"stem) !efore
making changes to the registr", "o& sho&ld back &p an" ,al&ed data on the comp&ter)
/or more information, see the 03%W T%6 Enable Gerberos E,ent Logging0 in the Microsoft
Gno'ledge !aseLhttp6MMs&pport)microsoft)comMNid;7479??)
=vent and Netlo$on &o$ 0etrieval
After "o& set the a&diting and logging, 'ait &ntil acco&nt locko&ts occ&r) When the acco&nt
locko&t occ&rs, retrie,e both the #ec&rit" e,ent log and the #"stem e,ent log, as 'ell as the
Fetlogon logs for all of the comp&ters that are in,ol,ed 'ith the clientAs locko&t) This incl&des the
PDC em&lator operations master, the a&thenticating domain controller, and all of the client
comp&ters that ha,e &ser sessions for the locked2o&t &ser)
To determine the domain controllers that are in,ol,ed 'ith the locko&t, r&n the Locko&t#tat&s)e1e
tool and specif" the &ser acco&nt that is locked o&t) This tool gathers and displa"s information
abo&t the specified &ser acco&nt from all the domain controllers in the domain) Bn addition, the
tool displa"s the &serAs /adPwd'ount ,al&e on each domain controller) The domain controllers
that ha,e a /adPwd'ount ,al&e that reflects the bad pass'ord threshold setting for the domain
are the domain controllers that are in,ol,ed in the locko&t) These domain controllers al'a"s
incl&de the PDC em&lator operations master)
The badPwdCount value on the PDC emulator may appear to be higher than the threshold because of the way that bad passwords are chained to the PDC emulator operations master. When a bad password is presented by a user or program, both the authenticating domain controller and the PDC emulator operations master increment their badPwdCount value for that account. Because the PDC emulator counts the attempts chained from every domain controller, its value can exceed the value held by any single authenticating domain controller. The end result, the account becoming locked out, remains the same.
You can also use the EventCombMT.exe tool to gather specific event log data from multiple computers to one central location. For more information about both the EventCombMT.exe and LockoutStatus.exe tools, see the "Account Lockout Tools" section in this document.
Analyzing Log File Information
The previous section described how to enable log files that record lockout-specific information on your computers. This section focuses on analyzing those log files and determining what behavior produced the logged entries and caused the issue that you are trying to resolve. It also describes how to resolve the issues that you find when you analyze the log files.
Analyzing Netlogon Log Files
Before you start to analyze the Netlogon log files, you should be familiar with how the authentication process works, as described in previous sections of this paper. Although this section describes an NTLM authentication process, a similar chain of events occurs during Kerberos authentication.
The following sample scenario discusses what occurs when a user who is on a client computer tries to gain access to a resource that is on a file server in the same domain as the user account. In this process:
1. User credentials are passed to the file server. This is displayed as a "Network logon" entry in the Netlogon.log file.
2. The file server tries to authenticate the user, but the file server has to forward the credentials to the authenticating domain controller for validation because this account is a domain user account. This behavior is displayed as "Transitive Network logon" in the Netlogon.log file and is commonly referred to as pass-through authentication.
3. If the password is incorrect, or if it is not the same as the password that is stored by the authenticating domain controller, the authenticating domain controller chains the credentials to the PDC emulator for validation. This is also displayed as "Transitive Network logon" in the Netlogon.log file.
Netlogon Log File Walkthrough
The following sections provide sample Netlogon.log file output from the following three computers:
The PDC emulator operations master for the domain: DC002
The authenticating domain controller: DC003
The member server: MEMSERVER01
The sample output sections show the following participants involved in network authentication:
Domain name: Tailspintoys
Logon user name: User1
Logon computer name: Computer-006
Transitive Network Logon (Pass-Through Authentication)
Sample from the DC002 PDC emulator Netlogon log file:
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC0000234
Sample from the DC003 authenticating domain controller Netlogon log file:
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC0000234
Sample from the MEMSERVER01 member server Netlogon log file:
29-Mar 14:28:31 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:31 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC0000234
These Netlogon.log file samples show the kind of information contained in the Netlogon logs. This information is used to trace the account lockout from the domain controller back to the member server on which a user or application tried to gain access with the incorrect credentials.
Stepping Through the Netlogon Log File Sample
This section describes the standard analysis process for log files when attempting to determine the cause of an account lockout issue.
In most troubleshooting scenarios, you should begin your log file analysis by examining the Netlogon.log file on the PDC emulator operations master. Because this is a transitive network logon, you can find the authenticating domain controller by viewing the "via" value in the Netlogon.log entry; it names the domain controller that is chaining the logon to the PDC emulator operations master.
Sample from the PDC Emulator (DC002) Netlogon Log File
In the "via" value from the PDC emulator's Netlogon.log file in the following example, note that the authentication is being chained from DC003:
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
This is an illustration of step 3 of the authentication process that was detailed in "Analyzing Netlogon Log Files" previously in this document.
Sample from the Authenticating Domain Controller (DC003) Netlogon Log File
In the Netlogon.log file on DC003, this authentication is still a transitive network logon, because credentials were sent to DC003 for verification. Because of this, note where the credentials were sent from. In this example, the credentials are being sent "via MEMSERVER01":
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
This is an illustration of step 2 of the authentication process that was detailed in "Analyzing Netlogon Log Files" previously in this document: the file server tries to authenticate the user, but it has to forward the credentials to the authenticating domain controller for validation because this is a domain user account. The domain controller records this as a "Transitive Network logon" with the file server's name in the "via" value.
Sample from the Member Server (MEMSERVER01) Netlogon Log File
From the Netlogon.log file on MEMSERVER01 for the same time period, verify the actual client computer name where the original logon or session setup request came from. In this example, the request came from Computer-006:
29-Mar 14:28:31 Network logon Tailspintoys\User1 Computer-006 0xC000006A
This is an illustration of step 1 of the authentication process that was detailed in "Analyzing Netlogon Log Files" previously in this document: user credentials are passed to the file server, which is displayed as a "Network logon" entry in the Netlogon.log file.
Even though the log file does not display the exact process that is sending the incorrect credentials, Netlogon log files do provide the following information to help you troubleshoot the lockout:
Netlogon output displays the number of unsuccessful logon attempts (0xC000006A) for a user's account in a certain time period. Logs in which there are several 0xC000006A events in one second indicate that the lockout is most likely caused by a process, program, or script that is sending incorrect credentials.
Netlogon output provides a complete picture of all computers that are involved in the account lockout. You can narrow down the culprit by determining the common elements, such as programs, among the computers involved. For example, from the Netlogon output above, after you determine that MEMSERVER01 is common to all user lockouts, the troubleshooting focus changes to the particular network services or user accounts that are used by MEMSERVER01.
In this example, MEMSERVER01 is the Microsoft Exchange server. After you examine the Microsoft Outlook client and Exchange server settings, you may want to use the information that is in the following two articles to help resolve the issue. These articles describe how to remove unnecessary RPC bindings from the Exchange server. For example, remove Named Pipe support if there is no client that requires named pipes.
"Outlook Locks Your Account Because of a Directory Service Referral with Exchange 2000 Server" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=291598).
"Unexpected Account Lockouts Caused When Logging On to Outlook from an Untrusted Domain" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=276541).
If the Netlogon logs from all domain controllers for the time of the lockout do not display data that pertains to any of the locked-out user accounts that you are analyzing, then NTLM authentication is not involved in the lockouts. This normally indicates that the authentication issues are between computers running Windows 2000 or later, because earlier versions of Windows used NTLM authentication exclusively. You should focus on Kerberos authentication troubleshooting by using Kerberos logging and examining the Security event logs.
Netlogon Log File Error Codes
Each event in the Netlogon log contains a corresponding error code. The following table describes these error codes.
Table 3 Netlogon Log Error Codes
Log Code    Description
0x0         Successful logon
0xC0000064  The specified user does not exist
0xC000006A  The value provided as the current password is not correct
0xC000006C  Password policy not met
0xC000006D  The attempted logon is invalid due to a bad user name
0xC000006E  User account restriction has prevented successful logon
0xC000006F  The user account has time restrictions and may not be logged on to at this time
0xC0000070  The user is restricted and may not log on from the source workstation
0xC0000071  The user account's password has expired
0xC0000072  The user account is currently disabled
0xC000009A  Insufficient system resources
0xC0000193  The user's account has expired
0xC0000224  User must change the password before logging on for the first time
0xC0000234  The user account has been automatically locked
Note Many of these codes provide information in the log file that is redundant with the corresponding Netlogon event log entry. This allows you to analyze the events in a variety of ways.
Frequently Asked Questions
This section answers common questions that might be helpful in troubleshooting the Account Lockout feature in the Windows Server 2003 family.
Do the logon attempts happen seconds apart, or are there many invalid logon attempt events (error code 0xC000006A) in the same second?
The pattern shows whether this is a user error or a process or program that is creating the lockout. Users take several seconds between events; however, a process or program typically registers many invalid or unsuccessful logon attempt events in one second.
Note You can use the NLParse.exe tool to parse Netlogon logs for specific events that are related to account lockout, such as events 0xC000006A and 0xC0000234. The parsed data is sent to a .csv file that you can read by using a program like Microsoft Excel. For more information about NLParse, see the "Account Lockout Tools" section in this document.
From which computers are the invalid logon attempt events generated?
When you review the Netlogon logs and event logs, you can isolate from which computer the user was logged on during the account lockouts. In many situations, you will discover that a user is logged on to multiple computers; after the user changes their password on one computer, the user account is locked out.
What client computers are displayed in the Netlogon log files?
If only Windows 98 or Windows 95 clients are locked out, you may need to install the directory service client on those clients. For example, below, the Computer-006 computer generates the invalid logon attempt event:
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
Which user accounts are associated with the invalid logon attempt events?
If privileged accounts (such as the administrator, service accounts, and well-known application account names) are receiving a large number of incorrect password attempts, first review the information for the computers that have made the attempts with the incorrect passwords, and then determine if there is a wrong password for the account. After you do this, if the passwords on all of the accounts are reset and incorrect password attempts persist, perform a trace to determine if the computer is under attack. You can place an event trigger to stop the trace and determine where the attempt may be coming from. Internal or external computers can be a threat if there are worm viruses or compromises. The following example shows that the 0xC000006A error code is generated for the Tailspintoys\User1 user:
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
Is there an obvious pattern to the invalid logon attempt events and account lockouts?
Pattern: All users on the domain are locked out, including users who did not change their password. There are many unsuccessful authentication attempts per second.
Possible Solution: If you determine that the log files show that most or all of the user accounts in your domain are locked out, you must perform a trace to determine whether the source of the attack is internal or external to your network. If the attack appears to come from an internal computer, examine the processes running on these computers, as this likely indicates a common process that uses outdated or incorrect credentials. Attacks from outside your network often indicate denial of service or brute force attacks against your user accounts.
Pattern: Alphabetical list of users in the log files.
Possible Solution: If the log files show that all of the user accounts are locked out in a list that is almost alphabetical, it is most likely that this behavior is caused by an attempt to break passwords or by a denial of service attack. You must perform a network trace to the source of the attack.
Pattern: A specific number of logon attempts are made on each locked-out account.
Possible Solution: If you determine that the log files display a specific number of logon attempts for each user, add the number of occurrences of 0xC000006A and 0xC0000234 errors for the user. In some scenarios, you may see a pattern of a specific number of attempts for one user, and then the same number of attempts for another user, and so on. This behavior may be an attack on the network, or a program could be sending a specific set of attempts. 16 or 17 attempts per user is a common figure for these types of attacks.
In most account lockout situations, you must use Netlogon log files to determine which computers are sending bad credentials. When you analyze Netlogon log files, look for the 0xC000006A event code, because this event will help you determine where the bad password attempts began to occur. When you see the 0xC000006A event code followed by a 0xC0000234 event code, the event codes that come after them help you determine what caused the account lockout. If you see patterns in the log files, the patterns can help you determine whether the event code was logged because of a program attack or because of user error.
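The triage described in the Netlogon walkthrough and in the questions above, as an added example that is not part of this white paper or of the Microsoft tools it names: a Python script that parses Netlogon.log lines in the simplified shape the samples use, follows the "(via X)" hops from the PDC emulator back to the client, and applies the pattern checks (several 0xC000006A results in one second, identical attempt counts per account, lockouts in alphabetical order). The line format, the three-per-second threshold, and the sample logs (rebuilt from the walkthrough's three computers) are assumptions; real Netlogon.log lines carry extra tokens such as [LOGON], SamLogon:, of, from and Returns, so LINE_RE has to be adapted before running it on production logs.

```python
"""Added example: lockout triage over simplified Netlogon.log lines."""
import re
from collections import Counter, defaultdict

BAD_PASSWORD = "0xC000006A"   # wrong password (Table 3)
LOCKED_OUT = "0xC0000234"     # account locked out (Table 3)

# Assumed line shape, as in this paper's samples:
# "<dd-Mon HH:MM:SS> <kind> <DOMAIN\user> <client> [(via <host>)] <status>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3} \d{2}:\d{2}:\d{2}) "
    r"(?P<kind>Transitive Network logon|Network logon) "
    r"(?P<account>\S+) (?P<client>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? "
    r"(?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_netlogon(text, host):
    """One dict per recognised line, tagged with the computer whose log it is."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["host"] = host.upper()
            rec["status"] = "0x" + rec["status"][2:].upper()
            records.append(rec)
    return records


def trace_chain(records, account, pdc_host):
    """Follow the via hops for one account (PDC -> authenticating DC ->
    member server) and read the client name from the last hop's entries."""
    by_host = defaultdict(list)
    for r in records:
        if r["account"].lower() == account.lower():
            by_host[r["host"]].append(r)
    chain, seen, client = [pdc_host.upper()], {pdc_host.upper()}, None
    while True:
        entries = by_host.get(chain[-1], [])
        if entries:
            client = entries[0]["client"]      # same client name on every hop
        nxt = next((r["via"].upper() for r in entries if r["via"]), None)
        if nxt is None or nxt in seen:          # end of chain, or a loop in a bad log
            break
        seen.add(nxt)
        chain.append(nxt)
    return chain, client


def bad_password_bursts(records, per_second=3):
    """(host, account, second) triples with per_second or more wrong-password
    results in one second: people type slowly, so a burst points at a process,
    service or script replaying stale credentials."""
    counts = Counter((r["host"], r["account"], r["ts"])
                     for r in records if r["status"] == BAD_PASSWORD)
    return sorted(k for k, n in counts.items() if n >= per_second)


def attempts_per_account(records):
    """Wrong-password results per account; the same count on many accounts
    (the FAQ cites 16 or 17) suggests a scripted attack rather than users."""
    return Counter(r["account"] for r in records if r["status"] == BAD_PASSWORD)


def lockouts_alphabetical(records, minimum=3):
    """True when at least `minimum` accounts were locked out in alphabetical
    order of first appearance (the FAQ's password-breaking/DoS pattern).
    Pass one log at a time so that record order is time order."""
    order = []
    for r in records:
        if r["status"] == LOCKED_OUT and r["account"] not in order:
            order.append(r["account"])
    keys = [a.lower() for a in order]
    return len(keys) >= minimum and keys == sorted(keys)


# Constructed sample logs, trimmed from the walkthrough's three computers.
PDC_LOG = r"""
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC000006A
29-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Computer-006 (via DC003) 0xC0000234
"""
AUTH_DC_LOG = r"""
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:30 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC000006A
29-Mar 14:28:31 Transitive Network logon Tailspintoys\User1 Computer-006 (via MEMSERVER01) 0xC0000234
"""
MEMBER_LOG = r"""
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC000006A
29-Mar 14:28:32 Network logon Tailspintoys\User1 Computer-006 0xC0000234
"""

if __name__ == "__main__":
    recs = (parse_netlogon(PDC_LOG, "DC002") + parse_netlogon(AUTH_DC_LOG, "DC003")
            + parse_netlogon(MEMBER_LOG, "MEMSERVER01"))
    chain, client = trace_chain(recs, r"Tailspintoys\User1", "DC002")
    print("chain:", " -> ".join(chain), "| client:", client)
    print("bursts:", bad_password_bursts(recs))
    print("attempts per account:", dict(attempts_per_account(recs)))
```

Start from the PDC emulator's log, as the walkthrough does: trace_chain needs it because every chained attempt ends there, and the per-host tagging is what lets the "via" hops be followed when several computers' logs are combined.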
Analyzing Event Logs
You cannot determine the authentication type that was used when an account is locked out unless you enable Netlogon logging before the account lockout. However, because of differences in authentication, there may be situations in which Netlogon logging does not capture the data that you need to determine which computers were involved in an account lockout. Configuring the appropriate computers to create event logs may provide additional information in these situations.
Before the problems occur, you should enable security auditing and Kerberos logging on all computers that might be involved in the account lockout event. Enabling auditing and Netlogon log files is discussed elsewhere in this document. If the auditing is not configured before the initial error occurs, it can be done afterwards.
Once the account lockout occurs, there are several tasks that should be completed to help identify the cause of the issue:
1. Obtain both the Security and System event logs from all of the computers on which the locked-out user was logged on when the lockout occurred. Also, obtain these log files from the PDC emulator operations master and all domain controllers that may be involved in the account lockout.
2. Look for Event 675 (Preauthentication Failures) in the Security event log of the domain controllers for the locked-out user account. This event displays the IP address of the client computer from which the incorrect credentials were sent. When you view these events in the Security event log from the PDC emulator, the IP address in Event 675 may be the IP address of another domain controller because of password chaining from other domain controllers. If this is true, obtain the Security event log from that domain controller to see its Event 675. The IP address that is listed in that Event 675 should be the IP address of the client computer that sent the invalid credentials.
3. After you know which client computer is sending the invalid credentials, determine the services, programs, and mapped network drives on that computer. If this information does not reveal the source of the account lockout, perform network traces from that client computer to isolate the exact source of the lockout.
Note You can use the EventCombMT.exe tool to gather event log data from different domain controllers at the same time. For more information about EventCombMT.exe, see the "Account Lockout Tools" section in this document.
For more information, see the following articles:
"Windows 2000 Security Event Descriptions (Part 1 of 2)" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=299475).
"Windows 2000 Security Event Descriptions (Part 2 of 2)" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=301677).
Example event log entry: incorrect password processed by Kerberos
The following example displays a sample Event 675 in the Security event log from the PDC emulator operations master:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 12/3/2001
Time: 2:41:26 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER-006
Description:
Pre-authentication failed:
User Name: user1
User ID: %{S-1-5-21-4232101219-1129906422-16398432-1114}
Service Name: krbtgt/Tailspintoys.com
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 172.16.1.85
In this example, failure code 0x18 (KDC_ERR_PREAUTH_FAILED) is listed because the password presented for the account was incorrect; an unknown user name produces a different Kerberos error code. The client address of 172.16.1.85 identifies the network client that caused this failure. The user name "user1" is also included in this event. The client address and user name should provide enough information for you to begin to address the issue, because you know which user is attempting to log on from which computer.
Example event log entry: Account is locked out
The following example displays a sample of Event 644, which indicates that the account is locked out:
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 12/3/2001
Time: 2:41:26 PM
User: Everyone
Computer: COMPUTER-006
Description:
User Account Locked Out:
Target Account Name: user1
Target Account ID: %{S-1-5-21-4232101219-1129906422-16398432-1114}
Caller Machine Name: COMPUTER-006
Caller User Name: USER1$
Caller Domain: TAILSPINTOYS
Caller Logon ID: (0x0,0x3E7)
For more information on account lockout events, see "Audit Account Lockout" on the Microsoft TechNet Web site (http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/516.asp).
Example event log entry: Logon failure
The following example displays a sample of Event 529, which results from an unsuccessful logon attempt due to an invalid user name or password. This event is often useful in identifying the source of the lockout:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/31/2001
Time: 2:02:20 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER-006
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: user1
Domain: Tailspintoys
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: COMPUTER-006
This event contains several useful elements. It identifies the name of the computer that is attempting authentication, as well as the user and domain name. It also displays the logon type, which is discussed later in this section.
When Event 529 is logged, you should look for patterns in the events. Determine whether several 529 events are logged, and whether they all occur in one second or at specific time intervals. If so, there is a process or service running on the computer that is sending incorrect credentials. Look at the "Logon Process" and "Logon Type" entries in the event to determine the type of process that is passing incorrect credentials and how the process is logging on.
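The three analysis steps above, applied to Event 675, 644 and 529 entries, as an added Python example that is not part of this white paper: it parses a "Key: Value" text export of the Security log, reports the client address behind each Event 675 and flags addresses that belong to a domain controller (the password-chaining case, where that DC's own log must be read next), lists the Event 644 caller machines, and groups Event 529 failures by workstation, user and second so that a burst can be attributed to a process by its logon process and logon type. The export shape, the helper that builds the sample events, the domain controller address 10.0.0.3, and the three-per-second threshold are all assumptions made for this example.

```python
"""Added example: Security event log analysis for account lockouts."""
import re
from collections import defaultdict

# Logon types from Table 5 of this paper.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}


def parse_events(text):
    """Split a text export into one dict per event. Events are separated by a
    blank line; each 'Key: Value' line (including those under Description:)
    becomes a field, and value-less lines such as 'Logon Failure:' are kept
    as the event's Title. Events without an Event ID line are dropped."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if not sep or key.strip() == "Description":
                continue
            key, value = key.strip(), value.strip()
            if value:
                ev[key] = value
            else:
                ev.setdefault("Title", key)
        if "Event ID" in ev:
            ev["Event ID"] = int(ev["Event ID"])
            events.append(ev)
    return events


def preauth_failure_sources(events, dc_addresses):
    """Step 2: user and client address for every Event 675. An address that
    belongs to a domain controller means the attempt was chained from that
    DC, whose own Security log holds the real client address."""
    dcs = set(dc_addresses)
    out = []
    for ev in events:
        if ev["Event ID"] == 675:
            addr = ev.get("Client Address", "")
            out.append({"user": ev.get("User Name"), "client_address": addr,
                        "failure_code": ev.get("Failure Code"),
                        "chained_from_dc": addr in dcs})
    return out


def lockout_callers(events):
    """Event 644: (target account, caller machine) pairs."""
    return [(ev.get("Target Account Name"), ev.get("Caller Machine Name"))
            for ev in events if ev["Event ID"] == 644]


def logon_failure_bursts(events, per_second=3):
    """Event 529 entries grouped by workstation, user and second. A group of
    per_second or more is a process or service replaying bad credentials;
    Logon Process and Logon Type show what kind of process it is."""
    groups = defaultdict(list)
    for ev in events:
        if ev["Event ID"] == 529:
            groups[(ev.get("Workstation Name"), ev.get("User Name"),
                    ev.get("Date"), ev.get("Time"))].append(ev)
    bursts = []
    for (ws, user, date, time), evs in groups.items():
        if len(evs) >= per_second:
            lt = int(evs[0].get("Logon Type", "0"))
            bursts.append({"workstation": ws, "user": user,
                           "when": f"{date} {time}", "count": len(evs),
                           "logon_process": evs[0].get("Logon Process"),
                           "logon_type": LOGON_TYPES.get(lt, str(lt))})
    return bursts


def _event(event_id, **fields):
    """Build one constructed export block (test data, not a real log)."""
    lines = [f"Event ID: {event_id}", "Date: 12/3/2001", "Time: 2:41:26 PM",
             "Computer: DC002", "Description:"]
    lines += [f"{k.replace('_', ' ')}: {v}" for k, v in fields.items()]
    return "\n".join(lines)


DC_ADDRESSES = {"10.0.0.3"}   # assumed address of the authenticating DC (DC003)
SAMPLE_EXPORT = "\n\n".join([
    _event(675, User_Name="user1", Failure_Code="0x18", Client_Address="172.16.1.85"),
    _event(675, User_Name="user2", Failure_Code="0x18", Client_Address="10.0.0.3"),
    _event(644, Target_Account_Name="user1", Caller_Machine_Name="COMPUTER-006"),
] + [_event(529, User_Name="user1", Logon_Type="2", Logon_Process="User32",
            Workstation_Name="COMPUTER-006")] * 3)

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EXPORT)
    for src in preauth_failure_sources(evs, DC_ADDRESSES):
        print("675:", src, "-> read that DC's log" if src["chained_from_dc"] else "")
    print("644 callers:", lockout_callers(evs))
    print("529 bursts:", logon_failure_bursts(evs))
```

The DC address set is the check the page's step 2 asks for: without it, a chained Event 675 on the PDC emulator would be misread as naming the offending client.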
Example event log entry: Account is disabled
When there is an attempt to log on using a disabled account, a specific event is created in the event log. This can help you quickly identify intruders, because normal operations should not involve the use of disabled accounts. You should analyze and respond quickly to these events.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 531
Date: 12/31/2001
Time: 2:02:21 PM
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER-006
Description:
Logon Failure:
Reason: Account currently disabled
User Name: user1
Domain: TAILSPINTOYS
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Kerberos Events Logged During an Account Lockout
Once Kerberos logging is enabled, certain events will be logged when an account lockout occurs. These events are described in this section.
Incorrect Password
This event is logged when an incorrect password is received by Kerberos as part of an authentication request.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 12/31/2001
Time: 2:02:02 PM
User: N/A
Computer: COMPUTER-006
Description:
The function LogonUser received a Kerberos Error Message:
on logon session TAILSPINTOYS\user1
Client Time:
Server Time: 19:2:2.0000 12/31/2001 (null)
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Client Realm:
Client Name:
Server Realm: TAILSPINTOYS.COM
Server Name: krbtgt/TAILSPINTOYS.COM
Target Name: krbtgt/TAILSPINTOYS.COM@TAILSPINTOYS
Error Text:
File:
Line: Error Data is in record data.
Kerberos Event When a User Account Is Locked Out
This event is logged when Kerberos is used for authentication and an account lockout occurs.
Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 4
Date: 12/31/2001
Time: 2:02:21 PM
User: N/A
Computer: COMPUTER-006
Description:
The function LogonUser received a Kerberos Error Message:
on logon session TAILSPINTOYS\user1
Client Time:
Server Time: 19:2:21.0000 12/31/2001 (null)
Error Code: 0x12 KDC_ERR_CLIENT_REVOKED
Client Realm:
Client Name:
Server Realm: TAILSPINTOYS.COM
Server Name: krbtgt/TAILSPINTOYS.COM
Target Name: krbtgt/TAILSPINTOYS.COM@TAILSPINTOYS
Error Text:
File:
Line: Error Data is in record data
Logon Events
Many different events can be created by various logon and logoff actions. The following table describes each logon event.
Table 4 Logon Event IDs
Event ID  Description
528  A user successfully logged on to a computer. For information about the type of logon, see the Logon Types table below.
529  Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
530  Logon failure. A logon attempt was made, but the user account tried to log on outside of the allowed time.
531  Logon failure. A logon attempt was made using a disabled account.
532  Logon failure. A logon attempt was made using an expired account.
533  Logon failure. A logon attempt was made by a user who is not allowed to log on at this computer.
534  Logon failure. The user attempted to log on with a type that is not allowed.
535  Logon failure. The password for the specified account has expired.
536  Logon failure. The Netlogon service is not active.
537  Logon failure. The logon attempt failed for other reasons. Note: In some cases, the reason for the logon failure may not be known.
538  The logoff process was completed for a user.
539  Logon failure. The account was locked out at the time the logon attempt was made.
540  A user successfully logged on to a network.
541  Main mode Internet Key Exchange (IKE) authentication was completed between the local computer and the listed peer identity (establishing a security association), or quick mode has established a data channel.
542  A data channel was terminated.
543  Main mode was terminated. Note: This might occur as a result of the time limit on the security association expiring, policy changes, or peer termination. (The default expiration time for security associations is eight hours.)
544  Main mode authentication failed because the peer did not provide a valid certificate or the signature was not validated.
545  Main mode authentication failed because of a Kerberos failure or a password that is not valid.
546  IKE security association establishment failed because the peer sent a proposal that is not valid. A packet was received that contained data that is not valid.
547  A failure occurred during an IKE handshake.
548  Logon failure. The security identifier (SID) from a trusted domain does not match the account domain SID of the client.
549  Logon failure. All SIDs that correspond to untrusted namespaces were filtered out during an authentication across forests.
550  A denial-of-service attack may have taken place.
551  A user initiated the logoff process.
552  A user successfully logged on to a computer using explicit credentials while already logged on as a different user.
672  An authentication service (AS) ticket was successfully issued and validated.
673  A ticket-granting service (TGS) ticket was granted.
674  A security principal renewed an AS ticket or TGS ticket.
675  Preauthentication failed. This event is generated on a Key Distribution Center (KDC) when a user types in an incorrect password.
676  Authentication ticket request failed. This event is not generated in Windows XP or in the Windows Server 2003 family.
677  A TGS ticket was not granted. This event is not generated in Windows XP or in the Windows Server 2003 family.
678  An account was successfully mapped to a domain account.
681  Logon failure. A domain account logon was attempted. This event is not generated in Windows XP or in the Windows Server 2003 family.
682  A user has reconnected to a disconnected terminal server session.
683  A user disconnected a terminal server session without logging off. Note: This event is generated when a user is connected to a terminal server session over the network. It appears on the terminal server.
Netlogon Logon Types
When many Netlogon logon events are logged, a logon type is also listed in the event details. The following table describes each logon type.
Table 5 Netlogon Logon Types
Logon type  Logon title  Description
2   Interactive  A user logged on to this computer.
3   Network  A user or computer logged on to this computer from the network.
4   Batch  The batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
5   Service  A service was started by the Service Control Manager.
7   Unlock  This workstation was unlocked.
8   NetworkCleartext  A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
9   NewCredentials  A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
10  RemoteInteractive  A user logged on to this computer remotely using Terminal Services or Remote Desktop.
11  CachedInteractive  A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
Troubleshooting Account Lockout
In an environment where you set the account lockout feature, you may notice a large number of lockouts that occur. To determine if these lockouts are false lockouts or a real attack:
1. Verify that the domain controllers and client computers are up-to-date with service packs and hotfixes. For more information, see the "Recommended Service Packs and Hotfixes" section in this document.
2. Configure your computers to capture data:
a. Enable auditing at the domain level.
b. Enable Netlogon logging.
c. Enable Kerberos logging.
For more information, see the "Appendix Two: Gathering Information to Troubleshoot Account Lockout Issues" section in this document.
3. Analyze data from the Security event log files and the Netlogon log files to help you determine where the lockouts are occurring and why.
4. Analyze the event logs on the computer that is generating the account lockouts to determine the cause.
For more information, see the "Account Lockout Tools" section in this document.
The following section further describes the account lockout troubleshooting process.
'o!!on 'auses for Account &oc#outs
This section describes some of the common ca&ses for acco&nt locko&ts The common
tro&bleshooting steps and resol&tions for acco&nt locko&ts are also described in this section)
To a,oid false locko&ts, check each comp&ter on 'hich a locko&t occ&rred for the follo'ing
beha,iors6
Pro$ra!s6 Man" programs cache credentials or keep acti,e threads that retain the
credentials after a &ser changes their pass'ord)
Service accounts6 #er,ice acco&nt pass'ords are cached b" the ser,ice control manager
on member comp&ters that &se the acco&nt as 'ell as domain controllers) Bf "o& reset the
pass'ord for a ser,ice acco&nt and "o& do not reset the pass'ord in the ser,ice control
manager, acco&nt locko&ts for the ser,ice acco&nt occ&r) This is beca&se the comp&ters that
&se this acco&nt t"picall" retr" logon a&thentication b" &sing the pre,io&s pass'ord) To
determine 'hether this is occ&rring, look for a pattern in the Fetlogon log files and in the
e,ent log files on member comp&ters) Oo& can then config&re the sec&rit" control manager to
&se the ne' pass'ord and a,oid f&t&re acco&nt locko&ts)
>ad Password Threshold is set too low6 This is one of the most common misconfig&ration
iss&es) Man" companies set the !ad Pass'ord Threshold registr" ,al&e to a ,al&e lo'er than
the defa&lt ,al&e of 95) Bf "o& set this ,al&e too lo', false locko&ts occ&r 'hen programs
a&tomaticall" retr" in,alid pass'ords) Microsoft recommends that "o& lea,e this ,al&e at its
defa&lt ,al&e of 95) /or more information, see 0Choosing Acco&nt Locko&t #ettings for Oo&r
Deplo"ment0 in this doc&ment)
)ser lo$$in$ on to !ulti(le co!(uters6 A &ser ma" log onto m&ltiple comp&ters at one
time) Programs that are r&nning on those comp&ters ma" access net'ork reso&rces 'ith the
&ser credentials of that &ser 'ho is c&rrentl" logged on) Bf the &ser changes their pass'ord
on one of the comp&ters, programs that are r&nning on the other comp&ters ma" contin&e to
&se the original pass'ord) !eca&se those programs a&thenticate 'hen the" re-&est access
to net'ork reso&rces, the old pass'ord contin&es to be &sed and the &sers acco&nt becomes
locked o&t) To ens&re that this beha,ior does not occ&r, &sers sho&ld log off of all comp&ters,
change the pass'ord from a single location, and then log off and back on)
Note Computers running Windows XP or a member of the Windows Server 2003 family automatically detect when the user's password has changed and prompt the user to lock and unlock the computer to obtain the current password. No logon and logoff is required for users using these computers.
Stored user names and passwords retains redundant credentials: If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool. For more information on Stored User Names and Passwords, see online help in Windows XP and the Windows Server 2003 family.
Note Computers that are running Windows 95, Windows 98, or Windows Millennium Edition do not have a Stored User Names and Passwords file. Instead, you should delete the user's .pwl file. This file is named Username.pwl, where Username is the user's logon name. The file is stored in the Systemroot folder.
Scheduled tasks: Scheduled processes may be configured to use credentials that have expired.
Persistent drive mappings: Persistent drives may have been established with credentials that subsequently expired. If the user types explicit credentials when they try to connect to a share, the credential is not persistent unless it is explicitly saved by Stored User Names and Passwords. Every time that the user logs off the network, logs on to the network, or restarts the computer, the authentication attempt fails when Windows attempts to restore the connection because there are no stored credentials. To avoid this behavior, configure net use so that it does not make persistent connections. To do this, at a command prompt, type net use /persistent:no. Alternately, to ensure current credentials are used for persistent drives, disconnect and reconnect the persistent drive.
Active Directory replication: User properties must replicate between domain controllers to ensure that account lockout information is processed properly. You should verify that proper Active Directory replication is occurring.
Disconnected Terminal Server sessions: Disconnected Terminal Server sessions may be running a process that accesses network resources with outdated authentication information. A disconnected session can have the same effect as a user with multiple interactive logons and cause account lockout by using the outdated credentials. The only difference between a disconnected session and a user who is logged onto multiple computers is that the source of the lockout comes from a single computer that is running Terminal Services.
Service accounts: By default, most computer services are configured to start in the security context of the Local System account. However, you can manually configure a service to use a specific user account and password. If you configure a service to start with a specific user account and that account's password is changed, the service logon property must be updated with the new password or that service may lock out the account.
Note You can use the System Information tool to create a list of services and the accounts that were used to start them. To start the System Information tool, click Start, click Run, type winmsd, and then click OK.
Other Potential Issues
Some additional considerations regarding account lockout are described in the following sections.
Account Lockout for Remote Connections
The account lockout feature that is discussed in this paper is independent of the account lockout feature for remote connections, such as in the Routing and Remote Access service and Microsoft Internet Information Services (IIS). These services and programs may provide their own unrelated account lockout features.
Internet Information Services
By default, IIS uses a token-caching mechanism that locally caches user account authentication information. If lockouts are limited to users who try to gain access to Exchange mailboxes through Outlook Web Access and IIS, you can resolve the lockout by resetting the IIS token cache. For more information, see "Mailbox Access via OWA Depends on IIS Token Cache" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=173658).
MSN Messenger and Microsoft Outlook
If a user changes their domain password through Microsoft Outlook and the computer is running MSN Messenger, the client may become locked out. To resolve this behavior, see "MSN Messenger May Cause Domain Account Lockout After a Password" in the Microsoft Knowledge Base (http://support.microsoft.com/?id=328867).
Account Lockout Tools
After you determine the pattern for the account lockouts and narrow down your scope to a specific client computer or member server, you should gather detailed information about all of the programs and services that are running on that computer. Some of the information that you should obtain includes:
Mapped network drives
Logon scripts that map network drives
RunAs shortcuts
Accounts that are used for service account logons
Processes on the client computers
Programs that may pass user credentials to a centralized network program or middle-tier application layer
The following sections discuss the tools that you can use to help you gather information from the network environment.
The LockoutStatus.exe Tool
The Locko&t#tat&s)e1e displa"s information abo&t a locked o&t acco&nt) Bt does this b" gathering
acco&nt locko&t2specific information from Acti,e Director") The follo'ing list describes the
different information that is displa"ed b" the tool6
DC Name: Displays all domain controllers that are in the domain.
Site: Displays the sites in which the domain controllers reside.
User State: Displays the status of the user and whether that user is locked out of their account.
Bad Pwd Count: Displays the number of bad logon attempts on each domain controller. This value confirms the domain controllers that were involved in the account lockout.
Last Bad Pwd: Displays the time of the last logon attempt that used a bad password.
Pwd Last Set: Displays the value of the last good password or when the computer was last unlocked.
Lockout Time: Displays the time when the account was locked out.
Orig Lock: Displays the domain controller that locked the account (the domain controller that made the originating write to the LockoutTime attribute for that user).
Where to Obtain the LockoutStatus.exe Tool
LockoutStatus.exe is included with the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=16174).
How to Install the LockoutStatus.exe Tool
To install the LockoutStatus.exe tool, install the ALTools package on your domain controller.
How to Use the LockoutStatus.exe Tool
To run the LockoutStatus.exe tool and display information about a locked out user account:
1. Double-click LockoutStatus.exe.
2. On the File menu, click Select target.
3. Type the user name whose lockout status on the enterprise's domain controllers you want information about.
The following figure displays an example where two domain controllers have a badPwdCount value of 5, which is also the bad password threshold. One domain controller is the PDC operations master, and the other domain controller is the authenticating domain controller. These two domain controllers are displayed because of password chaining from the authenticating domain controller to the PDC.
Figure 2 The LockoutStatus.exe Tool
The ALockout.dll Tool
The ALockout.dll tool and the Appinit.reg script are included in the ALTools package. ALockout.dll is a logging tool that may help you determine the program or process that is sending the incorrect credentials in an account lockout scenario. The tool attaches itself to a variety of function calls that a process might use for authentication. The tool then saves information about the program or process that is making those calls into the Systemroot\Debug\Alockout.txt file. The events are time stamped so that you can match them to the events that are logged in either the Netlogon log files or the Security event log files.
You can use Appinit.reg to initialize the .dll file. This file provides no other functionality.
Note Microsoft does not recommend that you use this tool on servers that host network programs or services. You should not enable ALockout.dll on Exchange servers because the ALockout.dll tool may prevent the Exchange store from starting.
Important Before you install the ALockout.dll tool on any mission-critical computer, make a full backup copy of the operating system and any valuable data.
For more information, see "Errors Installing Exchange Server with CleanSweep" on the Microsoft Knowledge Base (http://support.microsoft.com/?id=164431).
In most account lockout scenarios, you should install ALockout.dll on client computers. Use the information that is stored in both the Netlogon log file and the Security event log to determine the computers from which the incorrect credentials are being sent that are locking out the user's account. When you install the ALockout.dll tool on the client computer that is sending the incorrect credentials, the tool logs the process that is sending the incorrect credentials.
Where to Obtain the ALockout.dll Tool
ALockout.dll is included with the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=16174).
How to Install the ALockout.dll Tool
There are two versions of the ALockout.dll file. One version of the file is for computers that are running a Windows 2000 operating system, and the other version of the file is for computers that are running a Windows XP operating system. View the Readme.txt file that is included with the ALTools package.
To install ALockout.dll:
1. On the computer that has generated account lockout error messages in the Security event log, copy both the ALockout.dll and Appinit.reg files to the Systemroot\System32 folder.
2. Double-click the Appinit.reg file to run the script. When you do this, the ALockout.dll file is registered and can begin providing information.
3. Restart the computer to complete the installation.
How to Remove the ALockout Tool
To remove the ALockout.dll file from the computer:
1. Delete the ALockout.dll file from the Systemroot\System32 folder.
2. At a command prompt, type regsvr32 /u alockout.dll.
3. Delete the Alockout.dll value that is under the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs
After you delete the Alockout.dll value, the AppInit_DLLs registry key is blank.
4. Restart the computer.
How to Use the ALockout.dll Tool
You should use the ALockout.dll tool with Netlogon logging and security auditing. To use the ALockout.dll tool:
1. Wait for an account to lock out on the computer.
2. When an account is locked out, the ALockout.txt file is created in the Systemroot\Debug folder.
3. Compare event time stamps in ALockout.txt with the time stamps in both the Netlogon log files and the Security event log files. When you do this, you can determine the process that is causing the lockouts.
You can use the ALockout.dll tool if you have already set up Netlogon logging, as well as Kerberos and logon auditing on the local computer. ALockout.dll does not interfere with any other logging or event generation.
The ALoInfo.exe Tool
If account lockouts seem to happen most frequently after a user is forced to change their password, you may want to determine which users' passwords are about to expire. You can use the ALoInfo.exe tool to display all user account names and the password age for those user accounts. This will allow you to use the ALockout.dll tool and other account lockout tools to set up the tools prior to the initial account lockout. You can also obtain a list of all local services and startup account information by using the ALoInfo.exe tool.
Note You can also use the SecDump tool to display password expiration information in a Windows NT Server 4.0 domain. You can download this tool from the SystemTools Web site (http://www.somarsoft.com). Note that Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.
Where to Obtain the ALoInfo.exe Tool
The ALoInfo.exe file is included with the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=16174).
How to Install the ALoInfo.exe Tool
To install the ALoInfo.exe tool, install the ALTools package on your domain controller. The ALTools package contains the ALoInfo.exe tool.
How to Use the ALoInfo.exe Tool
You can use ALoInfo.exe at a command prompt with either of the following methods:
To display an account's password ages from a domain controller, at a command prompt, type the following:
aloinfo /expires /server:Domain_Controller_Name
To display all local service startup account information and mapped drive information for a user who is currently logged on, at a command prompt, type the following command:
aloinfo /stored /server:Computer_Name
You can redirect the output of ALoInfo.exe to a text file and then sort the results to determine which users may be involved in the account lockout. This information can also be stored for later analysis.
The AcctInfo.dll Tool
You can use the AcctInfo.dll tool to add new property pages to user objects in the Active Directory Users and Computers MMC Snap-in. You can use these property pages to help isolate and troubleshoot account lockouts and to reset a user's password on a domain controller in that user's local site.
AcctInfo.dll displays the following user account information that you may be able to use to identify and resolve account lockout issues:
Last time the password was set
When the password will expire
User Account Control Raw Value and Decode
Time the account was locked out
If the account is locked out now, when it will be unlocked
Security identifier (SID) of the account, and its SIDHistory
Globally unique identifier (GUID) of the account
These account properties:
Last Logon
Last Logoff
Last Bad Logon Time
Logon Count
Bad Password Count
You can also use the AcctInfo.dll tool to obtain the domain password information (expiration, lockout time, and so on). You can type the user's computer name in the tool, and then reset the user's password on a domain controller in that user's site.
Note Because of replication latency, domain controllers may store different information about the same user account. AcctInfo.dll displays information that is retrieved from a single domain controller.
Where to Obtain the AcctInfo.dll Tool
The AcctInfo.dll tool is included in the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=16174).
How to Install the AcctInfo.dll Tool
On the computer where you want to run the Active Directory Users and Computers MMC Snap-in:
1. Copy the AcctInfo.dll file to the System32 folder.
2. At a command prompt, type regsvr32 acctinfo.dll, and then press ENTER.
The AcctInfo.dll file is registered and is displayed on a user's property sheet in the Active Directory Users and Computers MMC Snap-in after you follow these steps.
To use the Account Lockout Status button in the tool, verify that LockoutStatus.exe is in the Systemroot\System32 folder. If LockoutStatus.exe is not installed in this location, this button is unavailable.
How to Use the AcctInfo.dll Tool
To use the AcctInfo.dll tool, open the Active Directory Users and Computers MMC, right-click a user, click Properties, and then click Additional Account Info. An example of the information that is provided by AcctInfo.dll is shown in the following figure.
Figure 3 Main Property Box
The following figure displays the domain password policy information that you can view to determine the password policy that applies to the domain controller.
Figure 4 Domain Password Policy
Change Password on a Domain Controller in the User's Site
The AcctInfo.dll tool allows you to increase the functionality of the Active Directory Users and Computers MMC by adding the ability to reset a user's password in that user's local site. When you reset the password in the remote site, you avoid replication delays that can occur before that user logs on.
When you reset the password, you can also unlock the account and set the User must change password value. These options are in the Change Password On a DC In The Users Site box as displayed in the following figure.
Figure 5 Change Password On a DC In The Users Site
How to Remove the AcctInfo.dll Tool
To remove the AcctInfo.dll tool, delete the AcctInfo.dll file from the Systemroot\System32 folder, and then type the following command at a command prompt:
regsvr32 /u acctinfo.dll
The EventCombMT.exe Tool
You can use the EventCombMT.exe tool to gather specific events from event logs from several different computers into one central location. You can configure EventCombMT.exe to search for events and computers. Some specific search categories are built into the tool, such as account lockouts. Note that the account lockouts category is preconfigured to include events 529, 644, 675, 676, and 681.
Figure 6 The EventCombMT.exe Tool
Where to Obtain the EventCombMT.exe Tool
The EventCombMT.exe tool is included in the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=16174).
How to Install the EventCombMT.exe Tool
You do not need to install this tool separately. When you install ALTools on the domain controller, EventCombMT.exe is also installed to the directory you specified during setup.
How to Use the EventCombMT.exe Tool
To use the EventCombMT.exe tool, open the folder you specified during setup for ALTools, double-click EventCombMT.exe, click the Searches menu, click Built in searches, and then click Account lockouts. When you do this, the events that will be pulled from the event logs are automatically displayed in the tool. These events are from all of the domain controllers in your environment. In addition to 529, 644, 675, and 681, type 12294 in the Event Ids box, and then click Search. The tool then searches the computers for these events, and then saves them to a .txt file that you specify.
The NLParse.exe Tool
Because Netlogon log files may become more than 10 MB in size, you may want to parse the files for the information that you want to view. You can use the NLParse.exe tool to parse Netlogon log files for specific Netlogon return status codes. The output from this tool is saved to a comma-separated values (.csv) file that you can open in Excel to sort further.
Note The return codes that are specific to account lockouts are 0xC000006A and 0xC0000234.
The following figure displays the interface for the NLParse.exe tool.
Figure 7 Netlogon-Parse Return Status Codes
Where to Obtain the NLParse.exe Tool
The NLParse.exe tool is included in the ALTools.exe package that is available at "Account Lockout and Management Tools" on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=16174).
How to Install the NLParse.exe Tool
You do not need to install this tool separately; when you install ALTools on the domain controller, NLParse.exe is also installed.
How to Use the NLParse.exe Tool
To use the NLParse.exe tool, open the folder you specified during setup for ALTools, double-click Nlparse.exe, click Open to open the Netlogon.log file that you want to parse, select the check boxes for the status codes that you want to search for, and then click Extract. After you do this, view the output from the NLParse.exe tool. Typically, you may want to look at both the 0xC000006A and 0xC0000234 code statuses to determine from where the lockouts are coming.
The FindStr.exe Tool
You can also use the FindStr.exe tool to parse Netlogon log files. FindStr.exe is a command-line tool that you can use to parse several Netlogon.log files at the same time. After you gather the Netlogon.log files from several domain controllers, extract information about a specific user account from the files (user1, error code 0xC000006A, or error code 0xC0000234). You can use this tool to help you obtain output about a user, computer, or error code in the Netlogon.log files.
Where to Obtain the FindStr.exe Tool
The FindStr.exe tool is included in the default installation of Windows 2000, Windows XP, and the Windows Server 2003 family operating systems. No additional installation or configuration is required for the FindStr.exe tool.
How to Use the FindStr.exe Tool
To use the FindStr.exe tool, rename the Netlogon.log files, and then save the files to one folder. To parse all of the Netlogon log files, type the following command at a command prompt:
FindStr /I "User1" *netlogon*.log >c:\user1.txt
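The following added example (not part of the ALTools package or this paper) does in a few lines of Python what the NLParse and FindStr sections describe: it pulls the 0xC000006A and 0xC0000234 lines for one user out of gathered Netlogon logs, counts them per client computer, and then matches the bad-password lines against time-stamped process records, which is the comparison the ALockout.dll procedure asks you to make by hand. The Netlogon lines are constructed to mimic the [LOGON] SamLogon line layout, and the ALockout records are a simplified (timestamp, process) transcription, not the tool's real file format; both are assumptions of this example.

```python
"""Parse Netlogon.log lines for the two lockout return codes and correlate
them with time-stamped process records (added example, not ALTools code)."""
import re
from collections import Counter
from datetime import datetime, timedelta

STATUS_WRONG_PASSWORD = "0xC000006A"   # bad password
STATUS_ACCOUNT_LOCKED = "0xC0000234"   # account locked out
LOCKOUT_CODES = {STATUS_WRONG_PASSWORD, STATUS_ACCOUNT_LOCKED}

# Constructed sample of what FindStr /I "User1" *netlogon*.log might return
# after Netlogon logs from two domain controllers were gathered into one folder.
SAMPLE_NETLOGON = """\
05/14 08:01:12 [LOGON] SamLogon: Network logon of CONTOSO\\User1 from WKS-07 (via DC01) Returns 0xC000006A
05/14 08:01:13 [LOGON] SamLogon: Transitive Network logon of CONTOSO\\User1 from WKS-07 (via DC01) Returns 0xC000006A
05/14 08:01:20 [LOGON] SamLogon: Network logon of CONTOSO\\User1 from WKS-07 (via DC01) Returns 0xC000006A
05/14 08:02:05 [LOGON] SamLogon: Network logon of CONTOSO\\User2 from WKS-11 (via DC02) Returns 0x0
05/14 08:02:31 [LOGON] SamLogon: Network logon of CONTOSO\\User1 from WKS-07 (via DC02) Returns 0xC0000234
"""

# Constructed, simplified ALockout records from WKS-07: (timestamp, process).
# This is an assumed layout for the example, not the real ALockout.txt format.
SAMPLE_ALOCKOUT = [
    ("05/14 08:01:11", "syncagent.exe"),
    ("05/14 08:01:19", "syncagent.exe"),
    ("05/14 08:01:45", "outlook.exe"),
    ("05/14 08:02:30", "syncagent.exe"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: "
    r"(?:Transitive )?\w+ logon of (?P<account>\S+) from (?P<client>\S+) "
    r"\(via (?P<dc>\S+)\) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def parse_ts(text):
    """Netlogon stamps carry no year; 1900 is a placeholder, only differences matter."""
    return datetime.strptime(text, "%m/%d %H:%M:%S")


def parse_line(line):
    """Return a dict for a SamLogon result line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = "0x" + rec["status"][2:].upper()   # normalise hex case
    rec["time"] = parse_ts(rec["ts"])
    return rec


def lockout_events(log_text, account=None):
    """Keep only lines with a lockout-related status, optionally restricted to
    one account name (case-insensitive, like FindStr /I)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] not in LOCKOUT_CODES:
            continue
        if account and rec["account"].split("\\")[-1].lower() != account.lower():
            continue
        out.append(rec)
    return out


def summarize(events):
    """Count events per (account, client, status): the NLParse-style view that
    shows from which computer the bad passwords are coming."""
    return Counter((e["account"], e["client"], e["status"]) for e in events)


def correlate(events, alockout, window_seconds=3):
    """For each bad-password event, name the ALockout process whose record is
    closest in time within the window (None when nothing is close enough)."""
    stamps = [(parse_ts(t), proc) for t, proc in alockout]
    window = timedelta(seconds=window_seconds)
    matched = []
    for e in events:
        if e["status"] != STATUS_WRONG_PASSWORD:
            continue
        near = [(abs(e["time"] - t), proc) for t, proc in stamps
                if abs(e["time"] - t) <= window]
        matched.append((e["ts"], e["client"], min(near)[1] if near else None))
    return matched


def likely_culprit(events, alockout):
    """Process most often matched to bad-password events, or None."""
    procs = Counter(p for _, _, p in correlate(events, alockout) if p)
    return procs.most_common(1)[0][0] if procs else None


if __name__ == "__main__":
    ev = lockout_events(SAMPLE_NETLOGON, "user1")
    for key, n in summarize(ev).items():
        print(key, n)
    print("likely culprit on WKS-07:", likely_culprit(ev, SAMPLE_ALOCKOUT))
```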
The Replmon and Repadmin Tools
If you have not already verified Active Directory replication on a domain controller, at a command prompt, type repadmin /showreps or replmon to verify that proper Active Directory replication is occurring. In many scenarios, you may find that you unlock an account but the new credentials do not work. This behavior typically occurs because of replication latency. Change the user's password in their local site to avoid replication latency issues.
Where to Obtain the Replmon and Repadmin Tools
Both of these tools are included with the support tools on the Windows 2000 CD-ROM.
How to Install and Configure the Replmon and Repadmin Tools
For more information about how to obtain and install Replmon and Repadmin, see the Windows Support Tools documentation.
Network Monitor
Network Monitor is a powerful tool that you can use to capture unfiltered network communication. If the account lockout occurs because of a process or program and an account is already locked out on a specific client computer, gather network traces of all traffic to and from that client computer while the account is still locked out. The program or process most likely will continue to send incorrect credentials while trying to gain access to resources that are on the network. Capturing all traffic to and from the client may help you determine which network resource the process is trying to gain access to. After you determine the network resource, you can determine which program or process is running on that client computer.
Bf "o& can narro' "o&r search to a specific comp&ter b&t the &ser acco&nt is not "et locked o&t,
keep r&nning Fet'ork Monitor &ntil the locko&t occ&rs for that &ser) After the locko&t occ&rs,
compare the time stamps of e,ents 'hen the in the Fetlogon or #ec&rit" e,ent logs 'ith the data
that 'as capt&red in the trace) Oo& sho&ld see that the net'ork reso&rce that is being accessed
'ith incorrect credentials)
After "o& identif" a program or ser,ice as the ca&se of the locko&t, ,ie' the soft'are
man&fact&rerIs Web site for kno'n resol&tions) This beha,ior t"picall" occ&rs beca&se the
program is r&nning 'ith the c&rrentl" logged on &serAs credentials) Bf a ser,ice is ca&sing the
locko&t, consider creating acco&nts that are specificall" for r&nning ser,ices so &ser acco&nt
pass'ord changes do not affect the ser,ices)
Where to 7/tain Networ# Monitor
The f&ll ,ersion of Fet'ork Monitor is incl&ded 'ith Microsoft #"stem Management #er,er C#M#E)
A limited ,ersion of the tool is incl&ded 'ith Windo's HP and the Windo's 7555 and Windo's
#er,er 7558 families)
+ow to %nstall Networ# Monitor on Su((orted 7(eratin$ S"ste!s
This section describes ho' to install Fet'ork Monitor on both the Windo's 7555 #er,er famil"
and Windo's HP)
Windows 2000 Server
To install Fet'ork Monitor on comp&ters that are r&nning Windo's 7555 #er,er6
1. Right2click M" Networ# Places, and then click Advanced)
2. Click 7(tional networ#in$ co!(onents, and then click Mana$e!ent and Monitorin$)
/or more information, see 03%W T%6 Bnstall Fet'ork Monitor in Windo's 75550 in the Microsoft
Gno'ledge !aseLhttp6MMs&pport)microsoft)comMNid;7=87?5)
Windows XP
Fet'ork Monitor is incl&ded 'ith the Windo's s&pport tools) /or more information abo&t ho' to
install and config&re Fet'ork Monitor on comp&ters that are r&nning Windo's HP, ,ie' the
follo'ing articles6
03o' to Bnstall the #&pport Tools from the Windo's HP CD2R%M0 on the Microsoft
Gno'ledge !aseLhttp6MMs&pport)microsoft)comMNid;854?<=)
Description of the Fet'ork Monitor Capt&re *tilit" on the Microsoft Gno'ledge !aseL
http6MMs&pport)microsoft)comMNid;895>?@)
+ow to )se Networ# Monitor
/or information abo&t ho' to &se Fet'ork Monitor to capt&re information, ,ie' the doc&mentation
that is pro,ided 'ith the tool or read 03o' to Capt&re Fet'ork Traffic 'ith Fet'ork Monitor0 on
the Microsoft Gno'ledge !aseLhttp6MMs&pport)microsoft)comMNid;9=><=7)
Su!!ar"
This doc&ment describes the reasons 'h" "o& sho&ld take a str&ct&red approach to setting the
acco&nt and pass'ord polic" feat&res) The doc&ment also pro,ides information abo&t the tools
and log files that "o& can &se to tro&bleshoot acco&nt locko&ts) After "o& read this doc&ment, "o&
sho&ld be able to determine from 'hich comp&ter the acco&nt locko&ts are being generated, as
'ell as the program or ser,ice that is generating the locko&t)
A((endi* 7ne@ Additional 0eferences for Account &oc#out
/or more information abo&t ho' to lock do'n "o&r en,ironment, as 'ell as for more information
abo&t sec&rit" feat&res that are not addressed in this doc&ment, see the follo'ing Microsoft Web
sites6
0Microsoft #ol&tion for #ec&ring Windo's 7555 #er,er0 on the Microsoft TechFet Web siteL
http6MM''')microsoft)comMtechnetMtree,ie'Mdefa&lt)aspN
&rl;MtechnetMsec&rit"MprodtechMWindo'sM#ecWin7kMDefa&lt)asp
0Checklist6 Create #trong Pass'ords0 on the Microsoft Web siteL
http6MM''')microsoft)comMsec&rit"MarticlesMpass'ord)asp
0Fe' Registr" Ge" to Remo,e LM 3ashes from Acti,e Director" and #ec&rit"0 on the
Microsoft Web siteLhttp6MMs&pport)microsoft)comMNid;7<<4@4
03%W T%6 Config&re Remote Access Client Acco&nt Locko&t in Windo's 75550 on the
Microsoft Web siteLhttp6MMs&pport)microsoft)comMNid;895857
03%W T%6 Pre,ent *sers /rom Changing a Pass'ord E1cept When Re-&ired in
Windo's 75550 on the Microsoft Web siteLhttp6MMs&pport)microsoft)comMNid;85<?<<
03%W T%6 Pre,ent *sers /rom #&bmitting Alternate Logon Credentials in Windo's 75550 on
the Microsoft Web siteLhttp6MMs&pport)microsoft)comMNid;895845
03%W T%6 Manage #tored *ser Fames and Pass'ords on a Comp&ter in a Domain in
Windo's HP0 on the Microsoft Web siteLhttp6MMs&pport)microsoft)comMNid;854<<7
0!est Practices for Enterprise #ec&rit"0 on the Microsoft Web siteL
http6MM''')microsoft)comMtechnetMtree,ie'Mdefa&lt)aspN
&rl;MtechnetMsec&rit"MbestpracMbpentMbpentsec)asp
A((endi* Two@ <atherin$ %nfor!ation to Trou/leshoot
Account &oc#out %ssues
Oo& can &se the information in this section to help "o& gather information before "o& start to
tro&bleshoot acco&nt locko&t iss&es) Collect the follo'ing information to tro&bleshoot acco&nt
locko&t iss&es6
'lient Platfor!
Bf client acco&nt locko&ts are occ&rring on a single, common operating s"stem, there ma" be
specific iss&es 'ith the operating s"stem) Different operating s"stems &se different processes for
name resol&tion and a&thentication protocols, and the" ha,e different le,els of sec&rit", so there
might be an infrastr&ct&re or program iss&e) /or more information, see the Microsoft Gno'ledge
!ase article 0#er,ice Packs and 3otfi1es A,ailable to Resol,e Acco&nt Locko&t Bss&es0 on the
Microsoft Web siteLhttp6MMs&pport)microsoft)comMNid;>9??59)
Oo& sho&ld gather the follo'ing information in these sit&ations6
Do &sers log on to m&ltiple comp&ters at the same timeN
Are there an" common patternsN /or e1ample6
Do the comp&ters ha,e the same mapped dri,esN
Do the comp&ters ha,e the same mapped printersN
Do the comp&ters ha,e the same anti,ir&s soft'areN
Do the comp&ters &se management soft'areN
Bs another net'orking client installed on the comp&tersN
Bs #M# installed on the comp&tersN
Does the net'ork incl&de a Wide Area Fet'ork CWAFEN
Bf the comp&ter is r&nning Windo's <@, Windo's <>, Windo's <> #E, or
Windo's Millenni&m Edition, 'hat is the ,ersion of the Vredir),1d fileN
Bf the comp&ter is r&nning Windo's <@, Windo's <>, Windo's <> #E, or
Windo's Millenni&m Edition, is the Director" #er,ices Client installed on the comp&terN
,o!ain Platfor!
When "o& kno' the domain en,ironment, the sec&rit" bo&ndaries, and ho' the &ser is gaining
access to the reso&rces that are in other domains, "o& can better determine the ca&se of the
acco&nt locko&ts) Oo& sho&ld gather the follo'ing information6
The n&mber of domain controllers, incl&ding operating s"stem, location, ser,ice pack le,el,
and so on)
Bs Acti,e Director" and Fetlogon replication occ&rringN
What domain does the &ser log ontoN
List all domain tr&sts that the &ser &ses)
Bs there a matching acco&nt 'ith the same logon name in the tr&sted domainN
Are there an" third2part" #M! ser,ers r&nning in the en,ironmentN
>ac#$round
Look at the client and the net'ork reso&rces that the &ser might be contacting to help "o&
determine the ca&se of the locko&ts) Oo& sho&ld gather the follo'ing information6
When did "o& first notice the locko&tsN
When did the locko&ts startN
What has changed in the en,ironment Cne' programs, ne' net'ork ser,ices, and so onEN
Are there an" identifiable patterns6
After a pass'ord changeN
When the &ser logs onN
When the &ser gains access to mapped dri,esN
When the &ser &ses %&tlookN
When the &ser &ses %&tlook Web AccessN
Are there no identifiable patternsN
3o' man" &ser acco&nts are locked o&t each da", a small gro&p of &sers or a large gro&pN
Bs there an acco&nt pass'ord polic"N
3o' man" bad attempts are allo'ed before a locko&t occ&rsN
3o' m&ch time m&st elapse before the co&nt resetsN
What is the &oc#out,uration registr" ,al&eN
<atherin$ ,ia$nostic %nfor!ation
Kather all of the different log files from Fetlogon, Gerberos, and the e,ent logs to help "o&
determine the ca&se of the locko&t) Diagnostic information that "o& gather from the comp&ter
from 'hich the locko&t is originating ma" help "o& determine the ca&se for the locko&t) Oo&
sho&ld gather the follo'ing information6
Fetlogon log files
Traces
E,ent log files from client comp&ters and domain controllers that are in,ol,ed in the locko&t