Appendix Two: Gathering Information to Troubleshoot Account Lockout Issues

Applies To: Windows Server 2003 with SP1

Use this section to gather information before you start to troubleshoot account lockout issues. Collect the following information:

Client Platform

If client account lockouts are occurring on a single, common operating system, there may be specific issues with the operating system. Different operating systems use different processes for name resolution and authentication protocols, and they have different levels of security, so there might be an infrastructure or program issue. For more information, see the Microsoft Knowledge Base article "Service Packs and Hotfixes Available to Resolve Account Lockout Issues" on the Microsoft Web site.

You should gather the following information in these situations:

  • Do users log on to multiple computers at the same time?

  • Are there any common patterns? For example:

    • Do the computers have the same mapped drives?

    • Do the computers have the same mapped printers?

    • Do the computers have the same antivirus software?

    • Do the computers use management software?

    • Is another networking client installed on the computers?

    • Is SMS installed on the computers?

  • Does the network include a Wide Area Network (WAN)?

  • If the computer is running Windows 95, Windows 98, Windows 98 SE, or Windows Millennium Edition, what is the version of the Vredir.vxd file?

  • If the computer is running Windows 95, Windows 98, Windows 98 SE, or Windows Millennium Edition, is the Directory Services Client installed on the computer?

Domain Platform

When you know the domain environment, the security boundaries, and how the user is gaining access to the resources that are in other domains, you can better determine the cause of the account lockouts. You should gather the following information:

  • The number of domain controllers, including operating system, location, service pack level, and so on.

  • Are Active Directory and Netlogon replication occurring?

  • What domain does the user log on to?

  • List all domain trusts that the user uses.

  • Is there a matching account with the same logon name in the trusted domain?

  • Are there any third-party SMB servers running in the environment?

Background

Look at the client and the network resources that the user might be contacting to help you determine the cause of the lockouts. You should gather the following information:

  • When did you first notice the lockouts?

  • When did the lockouts start?

  • What has changed in the environment (new programs, new network services, and so on)?

  • Are there any identifiable patterns? For example:

    • After a password change?

    • When the user logs on?

    • When the user gains access to mapped drives?

    • When the user uses Outlook?

    • When the user uses Outlook Web Access?

    • Are there no identifiable patterns?

  • How many user accounts are locked out each day, a small group of users or a large group?

  • Is there an account password policy?

    • How many bad attempts are allowed before a lockout occurs?

    • How much time must elapse before the count resets?

    • What is the LockoutDuration registry value?

Gathering Diagnostic Information

Gather all of the different log files from Netlogon, Kerberos, and the event logs to help you determine the cause of the lockout. Diagnostic information that you gather from the computer from which the lockout is originating may help you determine the cause for the lockout. You should gather the following information:

  • Netlogon log files

  • Traces

  • Event log files from client computers and domain controllers that are involved in the lockout
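Once the Netlogon log files are collected, tallying bad-password attempts by source computer usually points to where the lockout originates. The following is an added example, not part of the original Microsoft document: it assumes the Netlogon.log line layout noted in the comment, and the sample lines, domain, account, and host names are constructed.

```python
import re
from collections import Counter

# NTSTATUS values that matter when tracing a lockout.
WRONG_PASSWORD = 0xC000006A   # STATUS_WRONG_PASSWORD
LOCKED_OUT = 0xC0000234       # STATUS_ACCOUNT_LOCKED_OUT

# Assumed line layout (not shown on this page):
# MM/DD HH:MM:SS [LOGON] SamLogon: <type> logon of <acct> from <host> [(via <srv>)] Returns 0x...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: "
    r".+? logon of (?P<account>\S+) from (?P<source>\S+)"
    r"(?: \(via [^)]+\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# Constructed sample lines; domain, account and host names are made up.
SAMPLE = r"""
06/15 10:32:01 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from WKSTN01 Entered
06/15 10:32:01 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from WKSTN01 Returns 0xC000006A
06/15 10:32:04 [LOGON] SamLogon: Transitive Network logon of CONTOSO\jsmith from FILESRV02 (via EXCH01) Returns 0xC000006A
06/15 10:32:09 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from FILESRV02 Returns 0xC000006A
06/15 10:32:15 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from FILESRV02 Returns 0xC0000234
06/15 10:33:00 [LOGON] SamLogon: Network logon of CONTOSO\adoe from WKSTN07 Returns 0x0
"""

def summarize(lines):
    """Per account: bad-password count by source host, and first lockout time."""
    report = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # "Entered" lines and unrelated entries carry no status
        status = int(m["status"], 16)
        if status not in (WRONG_PASSWORD, LOCKED_OUT):
            continue
        entry = report.setdefault(
            m["account"].lower(), {"bad_by_source": Counter(), "first_lockout": None})
        if status == WRONG_PASSWORD:
            entry["bad_by_source"][m["source"].upper()] += 1
        elif entry["first_lockout"] is None:
            entry["first_lockout"] = m["ts"]
    return report

if __name__ == "__main__":
    for account, entry in summarize(SAMPLE.splitlines()).items():
        print(account, dict(entry["bad_by_source"]), "locked:", entry["first_lockout"])
```

The host with the highest bad-password count for a locked account is the first computer to examine for stale mapped drives, services, or saved credentials.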

Acknowledgements

Ramesh Chinta, Program Manager, Microsoft Corporation

Mike Danseglio, Technical Writer, Microsoft Corporation

Mike Resnick, Technical Lead, Microsoft Corporation

Vincent Abella, Technical Editor, Microsoft Corporation

Jen Bayer, Technical Writer, Microsoft Corporation

Emily Moon, Technical Editor, S&T OnSite

Joseph Vasil, Support Engineer, Microsoft Corporation