Mauritius Finance

Apr 30 2018

Troubleshooting Active Directory account lockout issues, eventcombmt exe.#Eventcombmt #exe


Learn Exchange the Guru way .

Troubleshooting Active Directory account lockout issues

AD/Exchange pro does often face an issue for which there is little documentation available on internet – User Account lockouts.

I know this, because I have been troubleshooting an account lockout issue for a while with minimal help. So, here we go – My guide for troubleshooting Active Directory account lockout issues

Before entering advanced troubleshooting mode we need to ensure we cover all the basics:

  1. Exchange ActiveSync mobile devices

  • Apple MobileMe – contacts sync

  • Applications / Web applications/ Tools which sync with Active Directory for authentication

  • Vault for credentials in Windows Control Panel or Credential manager

  • Stored usernames and passwords rundll32.exe keymgr.dll, KRShowKeyMgr

    Let s look at each in detail:

    DO NOT listen to the user:

    Eventcombmt exe

    In Exchange management Shell run this:

    Get-ActiveSyncDeviceStatistics -Mailbox MeeraNair

    This is going to return all the devices the user is using right now and past devices which have established connection with Exchange at least once.

    FirstSyncTime : 5/3/2011 2:52:38 AM

    LastPolicyUpdateTime : 3/8/2012 3:32:24 PM

    LastSyncAttemptTime : 3/8/2012 6:11:53 PM

    LastSuccessSync : 3/8/2012 6:11:53 PM

    FirstSyncTime : 7/7/2011 1:38:44 AM

    LastPolicyUpdateTime : 3/8/2012 6:14:20 PM

    LastSyncAttemptTime : 3/8/2012 7:34:09 PM

    LastSuccessSync : 3/8/2012 7:34:09 PM

    Now, educate the user that these are the devices which are syncing with his mailbox and they have his username and password stored. So, look at the LastSyncAttemptTime and make sure it is not an EAS device which is trying to authenticate him.

    2. Apple MobileMe – Contacts sync – Check and ensure the user hasn t configured MobileMe to sync his contacts from Outlook. If this is configured with AD credentials, it can be a reason for account lockout

    3. Applications / Web applications/ Tools which sync with Active Directory for authentication : You heard it right. There might be third party applications which are running which may have AD username and password stored within and lot of times the moment the user open applications like Internet explorer / browser, the application or the tools, it will try to authenticate in the background and lock the password.

    4. Vault for credentials in Windows Control Panel or Credential manager : This is the second most obvious reason the user might get locked out. In my case, the user had an intranet SharePoint web portal and the AD credentials where cached in Credential manager. To open credential manager:

    Eventcombmt exe

    Make sure Windows Credentials area is empty

    Eventcombmt exe

    5. Stored usernames and passwords – This shouldn t be a problem in most cases, but better safe than sorry. Open a run windows and type rundll32.exe keymgr.dll, KRShowKeyMgr and delete stored passwords if any

    6. Rename AD Profile on the user machine : This is more like trying to fix the issue without knowing what s causing it. This is under the assumption that account lockout happens when the user is logged into his client machine. If the account lockout is caused from an application or something from that machine, rename the AD profile on the client from Documents and Settings in XP and Users in Win7 , advise the user to login again and monitor the situation.

    Now let s look at some advanced troubleshooting steps.

    Using the Microsoft Lockout Status tool

  • After extracting the downloaded file, you will have the files below:

    Eventcombmt exe

    3. Open LockOutStatus.exe and click File Select Target As Type the username and User Logon Name as Target User Name (the one which is getting locked out ) and click OK as indicated below:

    Eventcombmt exe

    Eventcombmt exe

    Please ensure that the tool is running on any machine

    4. This will then process the records through all the domain controllers. You can keep a close eye on the column Bad PWD Count.

    5. If the account gets locked out frequently, the Bad Password count keeps increasing. Make a note of that GC which indicates a Bad PWD Count of any value more than 0. Also note that the same value will be indicated by the primary domain controller in the domain which can be ignored.

    Eventcombmt exeIn this case, I will login to DC01 and all the domain controllers in this site and set the following registry:

    Click File Open and Browse the Netlogon.log location

    Eventcombmt exe

    Eventcombmt exe

    9. Once the file is browsed, chose the 2 status codes 0xC000006A and 0xC0000234 and click Extract.

    Eventcombmt exe

    Once the extraction is complete, it will indicate a Pop-Up as indicated below:

    Eventcombmt exe

    10. There will be 2 new files in the location of the Netlogon.log file in the Client machine A new CSV and a summary output file. Eventcombmt exe

    11. Open the CSV file and filter the User Alias for the recent lockout:

    Eventcombmt exe

    This indicates that DC01 received the lockout from DC07.

    In this case, you can perform Steps 6 to 12 again on DC07 and check the machine that the lockout occurs from.

    In my case, I found that DC07 was receiving the lockout from a Cisco Secure ACS Appliance which helped me find that the account was being locked out due to incorrect password to connect to Wi-Fi from a MAC Apple Device. With the help of an the MAC Address provided by the Team that managed the ACS Appliance, we identified that the user has an iPod that was trying to connect to the Wifi and locking out the user due to incorrect password info…

    Again, if none of this works contact Microsoft PSS.

    Keywords: Active directory account getting locked out, AD lockout issue, Active directory credentials getting locked out, AD account getting locked frequently

    Eventcombmt exe

  • Written by admin

    Leave a Reply

    Your email address will not be published. Required fields are marked *