User account lockouts since Jan Windows update?
Posted by Inevitable-Buy-3030@reddit | sysadmin | 12 comments
We seem to have multiple customers with their AD accounts locked out since a possible Windows update that occurred.
Has anyone else had this issue?
Pale-Vermicelli-6861@reddit
Was there any resolution to this? We are seeing it as well.
bobs143@reddit
Was this on the actual user laptops/workstations? Or an update on the AD servers?
What update? Was it just regular patches, or was it an update to 24H2?
What troubleshooting have you done? Any testing done to see if the issue can be replicated?
Inevitable-Buy-3030@reddit (OP)
End users. Regular January Patch Tuesday. Logs on end users' machines don't say anything other than the account could not log in.
AD locked the account. All different environments for those affected.
thortgot@reddit
AD certainly says more than "locked it".
Look for that user's credential attempts before lockout, or run a tool like Netwrix lockout examiner.
Cozmo85@reddit
AD should show why the account was locked. Review all logs with that person's user.
bobs143@reddit
Is the AD cloud, or do you maintain AD locally? I take it you're an MSP?
The different environments and customers were a potential giveaway for me. I could be way off.
What do the AD logs show?
ZAFJB@reddit
No. If this was widespread there would have been lots of noise about it.
It is something local on your systems, and I would not assume it to be update related.
Do some actual diagnosis. Start with the Event logs.
Inevitable-Buy-3030@reddit (OP)
You're assuming diagnosis has not been done. Sometimes it's faster to ask the question to others to see if it is widespread - it might not be, but it doesn't hurt to ask. 5 different unrelated companies, all different environments, raise suspicions, especially if no other change has been implemented outside of updates.
thortgot@reddit
We suspect no diagnosis has been done because you haven't presented any data.
What does AD say about the lockouts? Is this affecting all accounts or just a handful?
ZAFJB@reddit
I am sure you would have provided details if you had done any.
Sometimes it's ~~faster~~ more lazy to ask the question
MeatPiston@reddit
The DCs should log event ID 4070, which will list the lockout source. Not perfect, but it will let you know if it’s coming from a computer, server, Exchange server, RADIUS, etc.
Cozmo85@reddit
What do the logs say?