Active Directory User and Group Reporting: Locked Out User Accounts

July 22, 2015 · blog · wp_admin

Now that we’ve covered what should be a part of your daily Active Directory groups hygiene, let’s see what should be the top reports to run on users.

One thing that happens in every Active Directory domain daily is user accounts locking out. It is good practice to have a reasonable Account Lockout policy in place. Most of the time there is a legitimate explanation behind every account lockout. For example, it can be a user's mail application on a mobile device that is still using an old password, or a mapped network drive on a user's desktop that tries to reconnect to a file share every time the desktop operating system reboots. But sometimes locked out user accounts can signify a brute force attack happening right in front of your eyes. So, how do you review account lockouts and pinpoint the ones that deserve a more thorough investigation?

For starters, here is a simple PowerShell command that will return all locked out accounts in the domain:

Search-ADAccount -LockedOut

It is beautifully simple but has one downside: it shows a fixed set of attributes for every locked out user account, and that information might not be enough to weigh the severity of each lockout.

To solve this problem, here is another, more flexible way of retrieving user account lockouts using the Get-ADUser cmdlet:

Get-ADUser -Filter * -Properties SamAccountName,LastBadPasswordAttempt,badPwdCount,LockedOut | Where-Object { $_.LockedOut -eq $true } | Select-Object SamAccountName,LastBadPasswordAttempt,badPwdCount

In this one-liner we have control over the set of attributes that will be shown for every locked user account. In particular, we are pulling the following attributes:

  1. SamAccountName
  2. LastBadPasswordAttempt
  3. badPwdCount

The first two attributes are self-explanatory and just give you some basic context. The badPwdCount attribute is the crown jewel. It counts the consecutive failed password attempts for the account and is reset when the user successfully logs on. If its value does not go well beyond the maximum failed password attempts setting in your Account Lockout Policy, then it is probably just a user who has forgotten his password. If, on the other hand, the count keeps growing from one account lockout to the next, it can indicate something more serious going on in your network.
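The comparison described above, turned into a reusable triage function. This is an added example, not code from the original post: it reads the domain's configured LockoutThreshold and flags locked accounts whose badPwdCount has run well past it. It assumes the ActiveDirectory module (RSAT) is installed; the function name, the SuspiciousFactor parameter and the Verdict wording are this example's own. Because badPwdCount is not replicated between domain controllers, it queries the PDC emulator, to which every DC forwards failed password attempts.

```powershell
# Added example: triage locked-out accounts by comparing badPwdCount with the
# domain lockout threshold. Not part of the original post; names are our own.
Import-Module ActiveDirectory

function Get-LockoutTriage {
    param(
        # Lockouts whose badPwdCount reaches LockoutThreshold * SuspiciousFactor
        # are flagged for closer review.
        [double]$SuspiciousFactor = 2.0
    )

    # badPwdCount is per-DC and not replicated, but failed attempts are
    # forwarded to the PDC emulator, so that DC has the most complete picture.
    $pdc = (Get-ADDomain).PDCEmulator
    $threshold = (Get-ADDefaultDomainPasswordPolicy -Server $pdc).LockoutThreshold
    if ($threshold -eq 0) { Write-Warning 'Account lockout is disabled (threshold 0).' }

    $props = 'SamAccountName', 'LastBadPasswordAttempt', 'badPwdCount', 'lockoutTime'

    Search-ADAccount -LockedOut -Server $pdc | ForEach-Object {
        $user  = Get-ADUser -Identity $_.DistinguishedName -Server $pdc -Properties $props
        $count = [int]$user.badPwdCount

        $verdict = if ($threshold -gt 0 -and $count -ge ($threshold * $SuspiciousFactor)) {
            'REVIEW: attempts continued well past the lockout threshold'
        } else {
            'likely forgotten password or stale cached credential'
        }

        [pscustomobject]@{
            SamAccountName         = $user.SamAccountName
            LastBadPasswordAttempt = $user.LastBadPasswordAttempt
            badPwdCount            = $count
            LockoutThreshold       = $threshold
            # lockoutTime is stored as a Windows FILETIME (100 ns ticks since 1601)
            LockedSince            = if ($user.lockoutTime) { [DateTime]::FromFileTime($user.lockoutTime) }
            Verdict                = $verdict
        }
    }
}

# Usage: show the accounts that need attention first.
Get-LockoutTriage | Sort-Object badPwdCount -Descending | Format-Table -AutoSize
```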

Another bit of information that is very helpful in troubleshooting account lockouts is the computer where bad password logon attempts are coming from. Unfortunately, Active Directory does not store this information. To obtain it you can try using scripts that pull this data from event logs or, better yet, rely on products that do that all for you automatically – e.g. SecureHero Logon Reporter.
