Active-Directory

Finding the application that causes account lockouts on Windows Server 2012 R2

  • August 17, 2019

One of my accounts is being locked out by a Windows server; it is tracked with the security audit that generates Event ID 4740. It is a Windows Server 2012 R2 that only runs the WSUS service. I think the account gets locked almost every 90 minutes, when GPupdate runs. I don't see any scheduled tasks running under that username.

I tried using Alockout.dll on Windows Server 2012 R2, but it does not produce any logs. I think it only works on Windows Server 2008. I checked the event log on the 2012 R2 server and there is nothing close to the lockout time.

I checked the system's stored credentials with "rundll32 keymgr.dll,KRShowKeyMgr", but there were none.

Is there any application that can be used to troubleshoot and find the service or application causing the lockout?

Found more details about the problem from Event ID 4625 on the Active Directory server.

An account failed to log on.

Subject:
   Security ID:        NULL SID
   Account Name:       -
   Account Domain:     -
   Logon ID:       0x0

Logon Type:         3

Account For Which Logon Failed:
   Security ID:        NULL SID
   Account Name:       myusername
   Account Domain:     GFT

Failure Information:
   Failure Reason:     Unknown user name or bad password.
   Status:         0xC000006D
   Sub Status:     0xC000006A

Process Information:
   Caller Process ID:  0x0
   Caller Process Name:    -

Network Information:
   Workstation Name:   WSUS_Server
   Source Network Address: -
   Source Port:        -

Detailed Authentication Information:
   Logon Process:      NtLmSsp 
   Authentication Package: NTLM
   Transited Services: -
   Package Name (NTLM only):   -
   Key Length:     0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
   - Transited services indicate which intermediate services have participated in this logon request.
   - Package name indicates which sub-protocol was used among the NTLM protocols.
   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

Finding the machine causing the problem.

Event ID 4625 on Active_Direcotry_server_001 showed that server WSUS_server_001 caused the lockout, but that was not the case; wsus_server_001 tried to log on after the account had already been locked.

It was WSUS_server_002 that had an open session (probably online since the password change) and sent about 5 bad passwords to Active_Direcotry_server_002 in under a minute, causing the lockout.

Restarted the WSUS_server_002 server, and there have been no lockouts since then.

I used the netwrix tool on Active Directory to find the problem.

Quoted from: https://serverfault.com/questions/978941
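One way to do the correlation the answer describes without a third-party tool: query every DC for 4740 lockouts and only the 4625 bad-password failures that precede each lockout, so a machine that fails *after* the lockout (WSUS_server_001 in the post) is not mistaken for the cause. This is an added example, not code from the post; DC01/DC02 are placeholder names and remote read access to the Security log is assumed.

```powershell
# Added example (not from the original post). Assumes rights to read the Security
# log on each DC remotely (Event Log Readers or admin, with WinRM/RPC reachable).
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string[]]$DomainController = @('DC01', 'DC02'),  # placeholder DC names
        [int]$WindowMinutes = 5,       # failures this long before a 4740 count as its cause
        [int]$LookbackHours = 24
    )
    $since = (Get-Date).AddHours(-$LookbackHours)
    foreach ($dc in $DomainController) {
        # 4740 = account locked out; 4625 = failed logon (NTLM failures land on the DC)
        $filter = @{ LogName = 'Security'; Id = 4740, 4625; StartTime = $since }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        # Read EventData fields by name from each event's XML instead of by position
        $parsed = foreach ($e in $events) {
            $xml = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Data = $d }
        }
        $lockouts = $parsed | Where-Object { $_.Id -eq 4740 -and $_.Data.TargetUserName -eq $UserName }
        foreach ($lo in $lockouts) {
            $start = $lo.Time.AddMinutes(-$WindowMinutes)
            # Only bad-password failures (SubStatus 0xC000006A) inside the window
            # *before* the lockout; later ones are victims of the lockout, not its cause.
            $bad = $parsed | Where-Object {
                $_.Id -eq 4625 -and $_.Data.TargetUserName -eq $UserName -and
                $_.Data.SubStatus -eq '0xC000006A' -and
                $_.Time -ge $start -and $_.Time -le $lo.Time
            }
            [pscustomobject]@{
                DomainController = $dc
                LockedAt         = $lo.Time
                CallerComputer   = $lo.Data.TargetDomainName   # 4740: machine that sent the final bad password
                BadPasswordCount = @($bad).Count
                Workstations     = (@($bad | ForEach-Object { $_.Data.WorkstationName }) | Sort-Object -Unique) -join ','
                SourceAddresses  = (@($bad | ForEach-Object { $_.Data.IpAddress }) | Sort-Object -Unique) -join ','
            }
        }
    }
}

# Example: find what locked 'myusername' on each DC in the last 24 hours
Get-LockoutSource -UserName 'myusername' | Format-Table -AutoSize
```

Because each DC only logs the failures it handled itself, querying all DCs matters: in the post the lockout was visible on one DC while the bad passwords had gone to another.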