Troubleshooting Locked Accounts

Once a Lockout Policy is enabled in Active Directory, it is common to deal with complaining users who get locked out for one reason or another. To be able to resolve problems with "strange" lockouts, it is good to first understand the process that takes place behind a lockout.

Let us assume an AD environment consisting of 3 AD Sites and 4 DCs, as shown in the diagram below:

(figure: Locked Account)

  1. The user (or an application) sends a wrong password. DC-1 checks the password against the copy stored in its local AD database. If the password is not correct, then
  2. DC-1 forwards the password to the PDC Emulator of the domain, in case the password was changed recently and DC-1 has not been updated yet. If it does not match the copy held by the PDC either, the PDC increments the badPwdCount attribute by 1. (screenshot: ADSI Edit)
  3. The PDC replicates the badPwdCount change to DC-1. These steps repeat for as long as wrong passwords keep arriving. When the lockout threshold is reached, the account is locked by the PDC Emulator: the ms-DS-User-Account-Control-Computed attribute is updated with the decimal value 16 (0x0010 = account locked), the lockout time is recorded in lockoutTime by the PDC, and the changes are replicated to DC-1. (screenshot: ADSI Edit)
  • The time is shown in both screenshots in epoch form; to convert it to a more human-readable form, try the following: w32tm /ntte <time value>

The replication described above is called urgent, because the exchange of these attribute values between DC-1 and the PDC happens immediately, without waiting for the interval defined on the Site Link between the two AD Sites. However, if we choose to unlock the user, that is not urgent replication; it follows the normal replication schedule, whatever that may be. This is why it is recommended to perform the Unlock directly on the DC the user logs on to.

A common problem is a user who changes their password and, in the following hours or days, gets their account locked out for no obvious reason. Most of the time this happens because some program or a disconnected remote desktop session is still running with the old credentials. To locate where the wrong passwords are coming from, we use lockoutstatus.exe, which is found in the Windows 2003 Resource Kit or in ALTOOLS.

(screenshot: lockoutstatus)

We run lockoutstatus.exe and choose File -> Select target, where we enter the username of the locked account. Of the data shown, the interesting fields are "Last Bad Pwd" and "Lockout Time", which record the time and the DC to which the wrong passwords were sent. In the case of the previous example we should find two DCs with the same "Last Bad Pwd" values: these are DC-1 and the PDC. LockoutStatus gives right-click access to the Event Viewer of each DC, so opening the Security Event Viewer of the PDC or of DC-1 we look for events with ID 644 at the same moment as the "Lockout Time".

(screenshot: event ID 644)

Event 644 clearly shows in "Caller Machine Name" the workstation from which the wrong password came. What remains is to find out, on that workstation, what is running with the wrong password.
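The same checks that LockoutStatus.exe and the Event Viewer search above perform, as an added PowerShell example (not code from the original post). It assumes the RSAT ActiveDirectory module, Windows PowerShell 5.1 (for Get-EventLog), rights to read each DC's Security log, and a placeholder $User.

```powershell
# Added example: read the per-DC lockout attributes and pull the lockout event from the PDC.
param([Parameter(Mandatory)][string]$User)   # $User is a placeholder for the locked account
Import-Module ActiveDirectory

# badPwdCount and badPasswordTime are NOT replicated, so every DC must be asked;
# only the lockout itself (lockoutTime) is urgently replicated from the PDC emulator.
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $User -Server $dc.HostName `
            -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut
    [pscustomobject]@{
        DC          = $dc.HostName
        Site        = $dc.Site
        IsPDC       = $dc.OperationMasterRoles -contains 'PDCEmulator'
        BadPwdCount = $u.badPwdCount
        # Both times are Windows FILETIME values (100 ns ticks since 1601-01-01),
        # the same conversion the post does by hand with "w32tm /ntte".
        LastBadPwd  = if ($u.badPasswordTime) { [DateTime]::FromFileTimeUtc($u.badPasswordTime) }
        LockoutTime = if ($u.lockoutTime)     { [DateTime]::FromFileTimeUtc($u.lockoutTime) }
        LockedOut   = $u.LockedOut
    }
}
# Two DCs sharing the same LastBadPwd are the logon DC and the PDC, as described above.
$report | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize

# The PDC emulator is the DC that performed the lockout, so it holds the event naming the caller:
# ID 644 on Windows Server 2003, ID 4740 on Windows Server 2008 and later.
$pdc = $report | Where-Object IsPDC | Select-Object -First 1
if ($pdc -and $pdc.LockoutTime) {
    $from = $pdc.LockoutTime.ToLocalTime().AddMinutes(-5)
    $to   = $pdc.LockoutTime.ToLocalTime().AddMinutes(5)
    Get-EventLog -LogName Security -ComputerName $pdc.DC -InstanceId 644, 4740 `
                 -After $from -Before $to -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match [regex]::Escape($User) } |
      ForEach-Object {
          # 644 labels the source "Caller Machine Name"; 4740 labels it "Caller Computer Name".
          $m = [regex]::Match($_.Message, 'Caller (Machine|Computer) Name:\s*(\S+)')
          [pscustomobject]@{
              Time          = $_.TimeGenerated
              EventId       = $_.InstanceId
              CallerMachine = if ($m.Success) { $m.Groups[2].Value } else { '(not found)' }
          }
      }
}
```

The CallerMachine column is the workstation to investigate for the stale session or service still using the old password.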

In addition, if we have narrowed it down to the workstation but cannot find which application or service is locking the account, ALTOOLS includes alockout.dll; when it is used as described in the readme.txt, it produces \windows\debug\Alockout.log, in which all applications that make use of credentials are logged.

In a future post I will show what Kerberos authentication looks like in network traces and how we can troubleshoot similar scenarios from there as well.

Account Lockout Best Practices White Paper