
Locked out AD user with device description where the lockout occurred

Hi there,

I'm using the PowerShell Active Directory sensor https://kb.paessler.com/en/topic/57603-is-it-possible-to-monitor-active-directory-user-account-status for tracking locked out users. The script logs the username correctly. Is it possible to add an option to log the device name where the lockout occurred? Thank you.

ad-lockout devicename powershell

Created on Dec 21, 2018 10:24:12 AM



1 Reply

Hi Randall,

This will be an issue. A lockout occurs on a DC - this could be any DC within your Active Directory.

The lockout property is then synchronized.

But the lockout reason is not stored in Active Directory - in order to see it you need to have appropriate auditing enabled on the DC level and then actually go to their Security event logs and find the corresponding entry.

https://blogs.technet.microsoft.com/bulentozkir/2009/12/28/active-directory-troubleshooting-account-lockout-information/

In theory, all lockouts might be stored in your PDC event logs as well.

Having said this - you would need to look for the corresponding event ID 4740 - this again is a rather time-consuming process, assuming you would access the security log directly. Especially because you would need to run through all those events and try to identify the most current one with the lockout.

Next you would need to take apart the event entry and try to determine the root cause - or device that caused it.

To add more to the fun - you might have a RADIUS server that points to LDAP - often used for WiFi etc. - well - the lockout might have been caused there - but it was not the RADIUS server host - it was a client that tried to authenticate against the RADIUS server - this again might have been e.g. a WiFi controller - the controller again wasn't the root cause - it was a client MAC address - because this would likely be all you get...

Now - it is possible to retrieve all this information and show it. I would not try to gather it from all those various logs in real time - if at all - forward and pre-process that information beforehand - best would be to store it in a database and then, if an account is locked out, try to determine the corresponding entries in this database - which will be a far less process-intensive operation than running through event logs etc. in real time.

The other advantage is - you could send daily reports on this - who was locked out and on what device did this happen - such a report can bring interesting details to light - but it would be independent from PRTG - while PRTG theoretically could use the same database as lockout-reason source.

Hope this helps a little - unfortunately Microsoft does not store such details in Active Directory and therefore it is actually pretty challenging to determine the root cause of a lockout after all.

Regards

Florian Rossmark

www.it-admins.com

Created on Dec 21, 2018 2:44:25 PM
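The lookup described in the reply above (query the PDC emulator's Security log for event ID 4740, pick the newest entry for the account and read the caller computer out of it), as an added example that is not part of the original post or of the PRTG sensor script. It assumes the ActiveDirectory module is available, that success auditing for user account management is enabled on the DCs, and that the caller may read the Security log; the function and parameter names are this example's own.

```powershell
# Added example (not from the original post or the PRTG sensor script):
# find the most recent 4740 lockout event for an account and report the
# "Caller Computer Name" recorded in it. Requires the ActiveDirectory
# module, "Audit User Account Management" (success) on the DCs and read
# access to the Security log.
function Get-AccountLockoutSource {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $Server,      # DC to query; defaults to the PDC emulator
        [int]    $Hours = 24   # how far back to look
    )
    if (-not $Server) {
        # Lockouts are also registered on the PDC emulator, so it is the
        # one DC worth querying first instead of walking every DC.
        $Server = (Get-ADDomain).PDCEmulator
    }
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent returns newest first; SilentlyContinue turns "no events
    # found" into an empty result instead of an error.
    $events = Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($evt in $events) {
        # Flatten the EventData name/value pairs of the event XML.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $SamAccountName) { continue }
        return [pscustomobject]@{
            User           = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']  # 4740 stores "Caller Computer Name" here
            DC             = $evt.MachineName
            Time           = $evt.TimeCreated
        }
    }
    return $null   # no lockout for this account inside the window
}

# Usage (hypothetical account name); prints one summary line or nothing.
$src = Get-AccountLockoutSource -SamAccountName 'jdoe' -Hours 48
if ($src) { "$($src.User) locked out from $($src.CallerComputer) at $($src.Time) (seen on $($src.DC))" }
```

As the reply notes, the caller computer may itself be an intermediary such as a RADIUS server or WiFi controller, so the value is the starting point of the search, not necessarily the end of it.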
