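I have been searching high and low for an answer, but I can't seem to figure out why some of our users get locked out every 30 seconds. I unlock the account and can then watch logon attempts lock it again within a few seconds. I have tried tools such as Account Lockout Status and Netwrix, but I can't find the computer/service/task that is causing it. I did enable netlogon logging, but it doesn't tell me which computer it is coming from, and the Event Viewer logs don't say either. Any help would be greatly appreciated!!! I have put a sample event and netlogon line below: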
Netlogon:
01/04 11:51:07 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from (via WEB-SERVER) Returns 0xC000006A (nothing after "from")
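Event:
Failure Information: Failure Reason: Unknown user name or bad password. Status: 0xC000006D Sub Status: 0xC0000064
Process Information: Caller Process ID: 0x0 Caller Process Name: -
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -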
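Answer 0: (score: 0)
Are you using an LDAP-integrated application?
Advise those end users to clear their browser cache (if they haven't already) - and if they are Windows users, clear the credentials:
Credential Manager -> Windows Credentials -> delete all entries under "Generic Credentials"
Does your organization authenticate users connecting to the corporate WiFi with AD? If so, check whether the end users' mobile/tablet devices are configured with the new password; the best way is to forget the connection and reconnect with the new credentials.
We had a very similar problem in the past, and the above resolved it.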
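Answer 1: (score: 0)
I recently made this for myself.
The script shows the timestamp, username, and machine name that initiated the lockout event.
Here is the code: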
# Set default parameters and variables
param (
    [string]$DomainName = $env:USERDOMAIN,
    [string]$UserName = "*",
    [datetime]$StartTime = (Get-Date).AddDays(-3)
)
# Check if the current PowerShell engine version is 4 or higher
if ($PSVersionTable.PSVersion.Major -lt 4) {
    Write-Host "`n`nError: You need at least version 4 PowerShell for logging to work, `nCurrent version: $($PSVersionTable.PSVersion.Major)" -BackgroundColor Red -ForegroundColor White
    Write-Host "`nBefore you start using this script, please upgrade your PowerShell from Microsoft website!" -BackgroundColor Yellow -ForegroundColor Black
    Read-Host "`n`nScript execution finished, press enter to exit!"
    Exit
}
# Grab the information about your AD forest
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# Get list of all domain controllers in the forest
$DC = $Forest.Domains | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}
# Prompt user to enter a specific username or accept default (which means look for all locked out events)
Write-Host "`n`nEnter a UserName to search user specific locked out events `n`nOR `n`nPress enter to search all locked out usernames!" -BackgroundColor Yellow -ForegroundColor Black
Start-Sleep -Seconds 3
$TestName = Read-Host "`nPlease enter a UserName or Press enter"
if ($TestName) {[string]$UserName = $TestName}
Write-Host "`nScript will search for locked out events on the following domain controllers..." -BackgroundColor Gray -ForegroundColor Black
$DC
# Search for locked out events (ID 4740) on each DC and store them in a variable
$DC | ForEach-Object {
    Write-Host "`nChecking for locked out events on $_, please wait..." -BackgroundColor Gray -ForegroundColor Black
    # In event 4740, Properties[0] is the locked-out account and Properties[1] the caller computer name
    $OutPut = Invoke-Command -ComputerName $_ -ScriptBlock {
        $ErrorActionPreference = "SilentlyContinue"
        Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740;StartTime=$Using:StartTime} |
            Where-Object {$_.Properties[0].Value -like "$Using:UserName"} |
            Select-Object -Property TimeCreated,
                @{Label='UserName';Expression={$_.Properties[0].Value}},
                @{Label='ClientName';Expression={$_.Properties[1].Value}}
        $ErrorActionPreference = "Continue"
    } | Select-Object -Property TimeCreated, 'UserName', 'ClientName'
    # Do not pipe the assignment to Out-Host: that leaves $OutPut empty and the warning always fires
    if (-not $OutPut) {Write-Host "`nWarning: No lockout events were found!`nContinuing the search..." -BackgroundColor Yellow -ForegroundColor Black}
    else {$OutPut | Out-Host}
}
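
The Netlogon line in the question has an empty workstation field but still names the server that relayed the logon ("via WEB-SERVER"), which is where the search should continue. The following is an added example, not code from either answer: it summarizes failed SamLogon lines by account, workstation, relaying server and status. The function name `ConvertFrom-NetlogonLine` and the sample lines are constructed for illustration, and the line layout is assumed to match the one shown in the question.

```powershell
# Added example: group failed SamLogon entries from netlogon.log text.
# Meanings of the NTSTATUS codes that usually matter for lockout triage.
$StatusText = @{
    '0xC0000064' = 'No such user'
    '0xC000006A' = 'Wrong password'
    '0xC000006D' = 'Logon failure'
    '0xC0000234' = 'Account locked out'
}
# The workstation field may be empty, so it is matched lazily and may be zero-length.
$Pattern = '^(?<Date>\d\d/\d\d) (?<Time>[\d:]{8}) \[LOGON\] (?:\[\d+\] )?(?<Domain>[^:]+): ' +
           'SamLogon: (?<Type>.+?) logon of (?<Account>.+?) from (?<Workstation>.*?)\s*' +
           '\(via (?<Via>[^)]+)\) Returns (?<Status>0x[0-9A-Fa-f]+)\s*$'

function ConvertFrom-NetlogonLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        if ($Line -notmatch $Pattern) { return }      # skips "Entered" and unrelated lines
        if ($Matches.Status -eq '0x0') { return }     # skips successful logons
        [pscustomobject]@{
            Time        = "$($Matches.Date) $($Matches.Time)"
            Account     = $Matches.Account
            Workstation = if ($Matches.Workstation) { $Matches.Workstation } else { '(blank)' }
            Via         = $Matches.Via                # server that passed the logon to the DC
            Status      = $Matches.Status
            Meaning     = $StatusText[$Matches.Status]
        }
    }
}

# Constructed sample lines; the first two mirror the line quoted in the question.
$Sample = @'
01/04 11:51:07 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from  (via WEB-SERVER) Entered
01/04 11:51:07 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from  (via WEB-SERVER) Returns 0xC000006A
01/04 11:51:37 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from  (via WEB-SERVER) Returns 0xC000006A
01/04 11:52:02 [LOGON] [20312] DOMAIN: SamLogon: Network logon of DOMAIN\asmith from PC-0142 (via FILE01) Returns 0xC0000234
'@ -split "`r?`n"

# For a real log, replace $Sample with: Get-Content "$env:SystemRoot\debug\netlogon.log"
$Sample | ConvertFrom-NetlogonLine |
    Group-Object Account, Workstation, Via, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

When the workstation column comes back as "(blank)", the "Via" server's own logs (for a web server, its IIS or application logs at the same timestamps) are the next place to look for the client that is submitting the stale password.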