AD user gets locked out every 20 seconds

Time: 2018-01-04 22:02:21

Tags: active-directory

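I've been searching high and low for an answer, but I can't seem to figure out why some of our users are getting locked out every 30 seconds. I unlock the account and can then watch the logon attempts lock it out again within seconds. I've tried tools like Account Lockout Status and Netwrix, but I can't find the computer/service/task that is causing it. I did enable netlogon logging, but it doesn't tell me which computer it's coming from, and it doesn't say in the Event Viewer logs either. Any help would be greatly appreciated!!! I've put a sample event and netlogon line below:

Netlogon:

01/04 11:51:07 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from (via WEB-SERVER) Returns 0xC000006A (nothing after that)

Event: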

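Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC0000064

Process Information:
    Caller Process ID: 0x0
    Caller Process Name: -

Network Information:
    Workstation Name:
    Source Network Address: -
    Source Port: -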
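
The Netlogon line above can be triaged in bulk. The following added example (not part of the original post) parses netlogon.log lines and counts failed logons per user, source workstation and forwarding ("via") server. The sample lines, the `$lines`, `$status` and `$pattern` names, and the `asmith`, `PC-0142` and `FILE-01` values are constructed for illustration.

```powershell
# Added example: summarize failed logons from netlogon.log by user, source and "via" server.
# Sample lines are constructed (the first two mirror the line quoted in the question).
# On a DC with netlogon logging enabled, replace $lines with:
#   Get-Content "$env:SystemRoot\debug\netlogon.log"
$lines = @'
01/04 11:51:07 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from  (via WEB-SERVER) Returns 0xC000006A
01/04 11:51:27 [LOGON] [20280] DOMAIN: SamLogon: Transitive Network logon of (null)\John Jones from  (via WEB-SERVER) Returns 0xC000006A
01/04 11:51:30 [LOGON] [11024] DOMAIN: SamLogon: Network logon of DOMAIN\asmith from PC-0142 (via FILE-01) Returns 0xC0000234
01/04 11:51:31 [LOGON] [11024] DOMAIN: SamLogon: Network logon of DOMAIN\asmith from PC-0142 (via FILE-01) Returns 0x0
'@ -split "`r?`n"

# NTSTATUS codes relevant to lockout triage
$status = @{
    '0xC000006A' = 'wrong password'
    '0xC0000064' = 'user name does not exist'
    '0xC000006D' = 'logon failure'
    '0xC0000234' = 'account locked out'
}

# "from" is the client workstation (may be empty); "via" is the machine that
# forwarded the logon to this DC.
$pattern = 'logon of (?<User>.+?) from (?<Source>.*?) ?\(via (?<Via>[^)]+)\) Returns (?<Code>0x[0-9A-Fa-f]+)'

$failures = foreach ($line in $lines) {
    # Skip lines that do not match and successful logons (0x0)
    if ($line -match $pattern -and $Matches.Code -ne '0x0') {
        $source = $Matches.Source.Trim()
        [pscustomobject]@{
            User   = $Matches.User
            Source = if ($source) { $source } else { '(blank)' }
            Via    = $Matches.Via
            Reason = if ($status.ContainsKey($Matches.Code)) { $status[$Matches.Code] } else { $Matches.Code }
        }
    }
}

# Most frequent user/source/via combinations first. A blank Source means the
# DC never saw a workstation name, so the Via machine is the next log to read.
$failures |
    Group-Object User, Source, Via, Reason -NoElement |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```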

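2 answers:

Answer 0: (score: 0)

Do you use LDAP-integrated applications?

Advise those end users to clear their browser cache (if they haven't already) and, if they are Windows users, to clear their credentials:

Credential Manager -> Windows Credentials -> remove all entries under "Generic Credentials"

Does your organization authenticate users who connect to the corporate WiFi using AD? If so, check whether the end users' mobile/tablet devices are configured with the new password; the best way is to forget the connection and reconnect with the new credentials.

We had a very similar issue in the past and resolved it with the above.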

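Answer 1: (score: 0)

I recently made this for myself.

The script can show the timestamp, user name and machine name that originated the lockout event.

Here is the code: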

# Set default parameters and variables
param (
    [string]$DomainName = $env:USERDOMAIN,
    [string]$UserName = "*",
    [datetime]$StartTime = (Get-Date).AddDays(-3)
)

# Check that the current PowerShell version is 4 or higher
if ($PSVersionTable.PSVersion.Major -lt 4) {
    Write-Host "`n`nError: You need at least version 4 PowerShell for logging to work, `nCurrent version: $($PSVersionTable.PSVersion.Major)" -BackgroundColor Red -ForegroundColor white
    Write-Host "`nBefore you start using this script, please upgrade your PowerShell from Microsoft website!" -BackgroundColor Yellow -ForegroundColor Black
    Read-Host "`n`nScript execution finished, press enter to exit!"
    Exit
}

# Grab the information about your AD forest
$Forest = [system.directoryservices.activedirectory.Forest]::GetCurrentForest()

# Get list of all domain controllers in the forest
$DC = $Forest.domains | ForEach-Object {$_.DomainControllers} | ForEach-Object {$_.Name}


# Prompt user to enter a specific username or accept default (which means look for all locked out events)
Write-Host "`n`nEnter a UserName to search user specific locked out events `n`nOR `n`nPress enter to search all locked out usernames!" -BackgroundColor Yellow -ForegroundColor Black
sleep 3

$TestName = Read-Host "`nPlease enter a UserName or Press enter"
if ($TestName -ne $null -and $TestName) {[string]$UserName = $TestName}



Write-Host "`nScript will search for locked out events on the following domain controllers..." -BackgroundColor Gray -ForegroundColor Black
$dc

# Search for locked out event of each DC and store them in variable
$dc | foreach {

    Write-Host "`nChecking for locked out events on $_, please wait..." -BackgroundColor Gray -ForegroundColor Black
    $OutPut = Invoke-Command ($_) {

    $ErrorActionPreference = "SilentlyContinue"
    Get-WinEvent -FilterHashtable @{LogName='Security';Id=4740;StartTime=$Using:StartTime} |
        Where-Object {$_.Properties[0].Value -like "$Using:UserName"} |
        Select-Object -Property TimeCreated, 
            @{Label='UserName';Expression={$_.Properties[0].Value}},
            @{Label='ClientName';Expression={$_.Properties[1].Value}}


    $ErrorActionPreference = "Continue"
    } | Select-Object -Property TimeCreated, 'UserName', 'ClientName'

    # Warn when this DC returned no matching 4740 events, otherwise print them
    if (-not $OutPut) {Write-Host "`nWarning: No lockout events were found!`nContinuing the search..." -BackgroundColor Yellow -ForegroundColor Black}
    else {$OutPut}
}