IT Support Tip of the Day: When troubleshooting account lockouts in Active Directory, don’t just reset the password. Use the Event Viewer Security logs on the domain controllers to find the exact workstation or service causing repeated failures. Tools like LockoutStatus.exe from Microsoft Sysinternals make it easier to trace the source. Finding the root cause prevents repeated lockouts and improves user productivity.
How to troubleshoot account lockouts in Active Directory
More Relevant Posts
-
Brandon makes a very good point about password resets. This can be specifically helpful for users with multiple mobile devices. Sometimes your old Android sitting at home is still trying to periodically check email or authenticate an account with the wrong credentials, which can lead to the account being locked out very quickly for no immediately visible reason. I have used Sysinternals, and specifically LockoutStatus.exe, many times to help troubleshoot issues.
-
🔒 Troubleshooting: Active Directory Account Lockouts
One of the most frustrating issues for both users and admins: “My account keeps getting locked every few minutes!”
🔍 Root Causes:
• User entered the wrong password repeatedly.
• Saved credentials (Outlook, mapped drives, mobile devices) still using the old password.
• Services running under the user’s account with outdated credentials.
• Replication delays between DCs causing inconsistent lockout status.
✅ Solution:
1. Identify the locking DC: Event Viewer → Security Logs → Event ID 4740. This shows which computer locked the account.
2. Trace the source of bad logons: check the Workstation Name in the log. Look for scheduled tasks, services, or drives using old credentials.
3. Use Microsoft’s Account Lockout and Management Tools (ALTools) → LockoutStatus.exe to quickly locate the source DC.
4. Reset the password, update stored credentials (control keymgr.dll), and restart affected services.
5. If replication delays → run repadmin /replsummary and fix DC sync issues.
💡 Pro tip: Encourage users to update saved credentials on all devices (mobile email apps are often the culprit).
#ActiveDirectory #AccountLockout #SysAdmin #WindowsServer #Troubleshooting #ITSupport #TechTips
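An added PowerShell example (not from either lockout post above) of the 4740-first workflow both posts describe: it reads the 4740 lockout events for an account from the PDC emulator to get the Caller Computer Name, then collects the 4771/4776 bad-password events for that account from every DC so the source address or workstation is visible. It assumes the ActiveDirectory RSAT module and rights to read each DC's Security log; the account name is a placeholder.

```powershell
# Added example: trace an AD account lockout to its source from the domain controllers' Security logs.
# Needs the ActiveDirectory RSAT module and rights to read the Security log on each DC.
param(
    [string]$User  = 'jdoe',   # placeholder account name, replace with the locked-out user
    [int]   $Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)

# Turn an event's EventData into a name -> value table so fields can be read by name.
function Get-EventFields($Event) {
    $f = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $f[$_.Name] = $_.'#text' }
    return $f
}

# Step 1: every lockout in the domain is recorded on the PDC emulator as Event ID 4740.
# The "Caller Computer Name" of a 4740 is carried in the TargetDomainName data field.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} | ForEach-Object {
    $f = Get-EventFields $_
    if ($f.TargetUserName -eq $User) {
        [pscustomobject]@{ Time = $_.TimeCreated; User = $f.TargetUserName; Caller = $f.TargetDomainName }
    }
}
if (-not $lockouts) { Write-Output "No 4740 lockout events for $User on $pdc in the last $Hours h."; return }
$lockouts | Format-Table -AutoSize

# Step 2: the bad logons themselves are logged by whichever DC authenticated them, so check all DCs:
# 4771 = Kerberos pre-auth failed (Status 0x18 = bad password, IpAddress = source),
# 4776 = NTLM validation failed (Status 0xC000006A = bad password, Workstation = source).
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $since
    } | ForEach-Object {
        $f = Get-EventFields $_
        if ($f.TargetUserName -eq $User) {
            $src = if ($f.IpAddress) { $f.IpAddress } else { $f.Workstation }
            [pscustomobject]@{ DC = $dc; Id = $_.Id; Source = $src; Status = $f.Status }
        }
    }
} | Group-Object DC, Id, Source, Status | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The source that repeats most often in the second table (a service host, a mapped-drive client or a phone's IP) is the stale credential to fix before resetting the password again.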
-
Group Policy Preferences: A Legacy Feature with Modern-Day Risks Group Policy Preferences (GPP) was once a convenient way to manage local admin passwords across machines in an AD domain. But convenience came at a cost: passwords were stored in an encrypted format that could be easily reversed using a publicly known key. Despite Microsoft’s 2014 patch (MS14-025), many environments still contain legacy GPP password files in SYSVOL—making them a prime target for attackers. Tools like Get-GPPPassword.py are actively used by threat actors to extract these credentials and move laterally. The good news? You can detect and eliminate these risks. Semperis Directory Services Protector (DSP) continuously scans for exposed GPP password files, alerting you to indicators of exposure. And Microsoft’s cleanup script can help remove them. For a more secure future, move to Windows LAPS or another PAM solution that ensures unique local admin passwords across your environment. 🔍 Dive into the full blog to learn more about protecting your AD environment: https://lnkd.in/g_e9PXUm #ActiveDirectorySecurity #IdentityAttackCatalog #GroupPolicyPreferences #CredentialAccess
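An added PowerShell example (not from the post, Semperis or Microsoft) of the SYSVOL check the post recommends: it walks the domain's Policies share for the GPP XML files that can carry a cpassword attribute and reports each non-empty occurrence with its GPO, without decrypting anything. It assumes read access to SYSVOL and the ActiveDirectory and GroupPolicy modules for name resolution.

```powershell
# Added example: find Group Policy Preference XML files in SYSVOL that still carry a cpassword attribute.
# Detection only: the presence of a non-empty cpassword is the finding; nothing here decrypts it.
# Assumes read access to the domain's SYSVOL share plus the ActiveDirectory and GroupPolicy modules.
$domain = (Get-ADDomain).DNSRoot
$sysvol = "\\$domain\SYSVOL\$domain\Policies"

# GPP item types that can embed credentials: local users/groups, drive maps, scheduled tasks, services, data sources, printers.
$gppFiles = 'Groups.xml', 'Drives.xml', 'ScheduledTasks.xml', 'Services.xml', 'DataSources.xml', 'Printers.xml'

$findings = Get-ChildItem -Path $sysvol -Recurse -Include $gppFiles -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Match the attribute text rather than loading the XML so malformed files still get flagged.
        $hits = Select-String -Path $file.FullName -Pattern 'cpassword="([^"]*)"' -AllMatches
        foreach ($m in $hits.Matches) {
            # An empty cpassword="" is harmless; a non-empty one is a stored, reversible credential.
            if ($m.Groups[1].Value.Length -gt 0) {
                # The GPO GUID is the {...} folder directly under Policies.
                $guid = (($file.FullName -split '\\Policies\\')[1] -split '\\')[0]
                $name = '(unresolved)'
                try { $name = (Get-GPO -Guid $guid.Trim('{}') -ErrorAction Stop).DisplayName } catch {}
                [pscustomobject]@{
                    GPO      = $name
                    Guid     = $guid
                    File     = $file.FullName
                    Modified = $file.LastWriteTime
                }
            }
        }
    }

if ($findings) {
    $findings | Sort-Object Modified -Descending | Format-Table -AutoSize
    Write-Warning "$($findings.Count) GPP file(s) with a stored cpassword found under $sysvol. Remove them and move to Windows LAPS."
} else {
    Write-Output "No GPP cpassword attributes found under $sysvol."
}
```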
-
Some great additions in VulnCheck's latest initial access intelligence release:
• CVE-2025-25256: Fortinet FortiSIEM command injection
• CVE-2025-46811: SUSE Manager RemoteMinionCommands WebSocket RCE
• CVE-2025-32778: Web-Check unauthenticated command injection RCE
• CVE-2022-30622: CHCNAV P5E GNSS information disclosure (underscored)
• CVE-2020-1147: Microsoft SharePoint .NET core deserialization RCE
As usual, the initial access research team provides not just exploits for these puppies, but also PCAPs, network signatures, ASM engine queries, and more to deliver true, 360-degree visibility into new threats and attack vectors 🎉
And a bonus addition — initial access data now includes a censysLegacyQueries field in order to maintain support for both new Censys platform queries and legacy queries many folks still rely on.
Full release notes: https://lnkd.in/eryv-ZvH
-
Moniker Link CVE in Microsoft Outlook: Remote Code Execution (RCE) and credential leak, with a severity CVE score of 9.8
-
Must-know CMD commands that every IT Support person should have in their toolbox:
🔹 Network Troubleshooting
• Check IP configuration: ipconfig /all 👉 Shows detailed IP, DNS, and gateway information.
• Release & renew IP address: ipconfig /release, then ipconfig /renew 👉 Useful when fixing DHCP or network connection issues.
• Test connectivity: ping google.com 👉 Checks if the machine can reach a website/server.
• Trace route: tracert google.com 👉 Tracks the path packets take to a destination, good for diagnosing latency.
• Check open network connections: netstat -ano 👉 Shows active connections and ports in use (great for spotting malware or port conflicts).
🔹 System & User Management
• View computer name & domain info: hostname
• See logged-in users: query user
• List all local users: net user
• Add a new user (Admin only): net user Username Password /add
• Change another user’s password (Admin only): net user Username NewPassword
🔹 File & System Utilities
• Check disk health: chkdsk C:
• Scan system files for corruption: sfc /scannow
• List directory contents (with details): dir
• Check Windows version: winver (or) systeminfo
• Shutdown or restart a PC: shutdown /r /t 0 👉 Restarts immediately. shutdown /s /t 60 👉 Shuts down in 60 seconds (good for remote notices).
-
RDP Detection Isn't Always Logon Type 10
When investigating Windows Event Logs, many analysts filter on Event ID 4624 (Successful Logon) with Logon Type 10 to detect RDP sessions. But here's the catch: you'll miss a lot of real RDP activity if you only rely on that filter.
Here's an example scenario:
• EID 4624 shows a logon with Logon Type 7 (normally "workstation unlock").
• EID 4801 confirms this as a "system unlock."
• An EID 4778 (Session Reconnect) appears, tied to an RDP-Tcp# session - clear evidence of an RDP reconnect.
What actually happened: an existing RDP session wasn't terminated, it was simply reconnected. Windows logged this as Logon Type 7 instead of the expected 10.
To complicate things further: with NLA (Network Level Authentication) enabled, RDP logons may also show up as Logon Type 3 (Network) instead of 10.
Detection Implication: if you only search for 4624 + Logon Type 10, you'll miss RDP reconnects and NLA sessions.
Better Approach: track RDP using a combination of events:
• 4624 with Logon Types 3, 7, or 10
• 4778 (Session Reconnect)
• 4779 (Session Disconnect)
Additionally, hunting for "mstsc.exe" process execution on the source machine, or "rdpclip.exe" and "tstheme.exe" execution on the target machine, would be a great approach.
Correlating these events gives a more accurate picture of RDP activity in your environment!
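An added PowerShell example (not from the post) of the correlation it recommends: it pulls 4624 (logon types 3, 7 and 10), 4778 and 4779 from a host's Security log, keeps only RDP-Tcp sessions for the reconnect/disconnect events, and flags type-7 logons that sit next to an RDP reconnect so they are not dismissed as local unlocks. It assumes remote read rights on the Security log; the host name is a placeholder.

```powershell
# Added example: reconstruct RDP activity on a host from 4624/4778/4779 rather than 4624 type 10 alone.
# Assumes rights to read the target's Security log remotely; the computer name is a placeholder.
param([string]$Computer = 'WS01', [int]$Hours = 24)
$since = (Get-Date).AddHours(-$Hours)

# Turn an event's EventData into a name -> value table so fields can be read by name.
function Get-EventFields($Event) {
    $f = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $f[$_.Name] = $_.'#text' }
    return $f
}

# 4624: keep logon types 3 (NLA), 7 (unlock/reconnect) and 10 (interactive RDP); drop machine accounts.
# 4778/4779: session reconnect/disconnect; RDP sessions carry a SessionName like "RDP-Tcp#3".
$events = Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4778, 4779; StartTime = $since
} | ForEach-Object {
    $e = $_; $f = Get-EventFields $e
    if ($e.Id -eq 4624 -and $f.LogonType -in '3', '7', '10' -and $f.TargetUserName -notlike '*$') {
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Kind = "Logon type $($f.LogonType)";
                           User = $f.TargetUserName; Source = $f.IpAddress; Session = '-' }
    } elseif ($e.Id -ne 4624 -and $f.SessionName -like 'RDP-Tcp*') {
        $kind = if ($e.Id -eq 4778) { 'Session reconnect' } else { 'Session disconnect' }
        [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Kind = $kind;
                           User = $f.AccountName; Source = $f.ClientAddress; Session = $f.SessionName }
    }
} | Sort-Object Time
$events | Format-Table -AutoSize

# A type-7 logon is an RDP reconnect, not a local unlock, when a 4778 for the same user with an
# RDP-Tcp session lands within a minute of it; call those out explicitly.
$reconnects = $events | Where-Object Id -eq 4778
$events | Where-Object Kind -eq 'Logon type 7' | ForEach-Object {
    $logon = $_
    $match = $reconnects | Where-Object {
        $_.User -eq $logon.User -and [math]::Abs(($_.Time - $logon.Time).TotalSeconds) -le 60
    }
    if ($match) {
        "$($logon.Time) type-7 logon for $($logon.User) is an RDP reconnect: $($match[0].Session) from $($match[0].Source)"
    }
}
```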
-
Looking to keep your computer files safe? Take this precautionary step.