• Troubleshooting Locked-out Accounts in a Windows 2008/R2 Domain

    One of my colleagues’ accounts was constantly being locked out. I suspected that he had used his account to run a service or other automated task on a server, and I needed to find out which one.

    As I’d previously used the Microsoft “Account Lockout and Management Tools”, I downloaded the latest version from here (http://www.microsoft.com/en-gb/download/details.aspx?id=18465). There are two useful utilities: “LockoutStatus.exe”, which shows the state of a specific account on each domain controller (useful for identifying which DC is locking out the account), and “eventcombMT.exe”, which gathers the event logs from all the DCs and parses them for specific events.

    Although the package runs on Server 2008 and later OSes (you need to run it as an administrator with read access to your domain controllers’ event logs), its built-in searches only look for the Event IDs that were valid for Server 2003 and earlier.

    Luckily Microsoft has published the new Event IDs for Server 2008 and later (see “Description of security events in Windows Vista and in Windows Server 2008”: http://support.microsoft.com/kb/947226). The new event ID I required was 4740 (“A user account was locked out”), but I also included 4625 (“An account failed to log on”).

    To search for account lockouts with the new event id in EventCombMT:

    1. On the Searches menu, point to Built In Searches, and then click Account Lockouts.
      All domain controllers for the domain appear in the Select To Search/Right Click To Add box. Also, in the Event IDs box, you see that event IDs 529, 644, 675, 676, and 681 are added.
    2. In the Event IDs box, type a space, and then type 4740 4625 after the last event number.
    3. Click Search.

    Once the search has completed, you should be presented with the output folder (by default C:\Temp) containing two or more small text files listing the events; these should help you identify which machines are causing the lockouts.
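    As an added example (my own code, not part of the original post or of the Account Lockout tools), the correlation EventCombMT does can also be done offline over events exported as XML, for instance with `wevtutil qe Security /q:"*[System[EventID=4740 or EventID=4625]]" /f:xml` on each DC, or `Get-WinEvent ... | ForEach-Object { $_.ToXml() }`. The script below parses such events, tallies the “Caller Computer Name” from every 4740 and the workstation and logon type from every 4625, and names the most likely source machine per locked-out account. The events, hostnames, account names and timestamps are constructed for the example. One caveat it builds in: a 4625 for a service (type 5) or batch (type 4) logon is recorded on the member server where the service or task runs, not on the DC, so export that host’s Security log too once the 4740s point at it.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Namespace used by every Windows event exported as XML.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Logon types seen in 4625. Types 4 (batch/scheduled task) and 5 (service) from a server
# usually mean a stored credential, which is exactly the case the post is chasing.
LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch", "5": "service",
               "7": "unlock", "8": "network cleartext", "10": "remote interactive"}


def _event(host: str, event_id: int, when: str, **fields: str) -> str:
    """Build a constructed Security event in the XML layout that wevtutil/Get-WinEvent produce."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Computer>{host}</Computer></System>'
            f'<EventData>{data}</EventData></Event>')


# Constructed sample (made-up hosts, accounts and times): three failed service logons on the
# application server, the resulting lockouts recorded on two DCs, and one unrelated typo.
_FAILED = dict(TargetUserName="jbloggs", TargetDomainName="CORP", Status="0xc000006d",
               SubStatus="0xc000006a", LogonType="5", WorkstationName="SRV-APP01", IpAddress="10.1.2.30")
SAMPLE_EVENTS = [
    _event("SRV-APP01.corp.example", 4625, "2013-05-01T08:00:05Z", **_FAILED),
    _event("SRV-APP01.corp.example", 4625, "2013-05-01T08:00:35Z", **_FAILED),
    _event("SRV-APP01.corp.example", 4625, "2013-05-01T08:01:05Z", **_FAILED),
    _event("DC1.corp.example", 4740, "2013-05-01T08:01:06Z", TargetUserName="jbloggs",
           TargetDomainName="SRV-APP01", TargetSid="S-1-5-21-1-2-3-1105"),
    _event("DC2.corp.example", 4740, "2013-05-01T08:01:07Z", TargetUserName="jbloggs",
           TargetDomainName="SRV-APP01", TargetSid="S-1-5-21-1-2-3-1105"),
    _event("DC1.corp.example", 4625, "2013-05-01T08:15:00Z", TargetUserName="asmith", TargetDomainName="CORP",
           Status="0xc000006d", SubStatus="0xc000006a", LogonType="2", WorkstationName="WS-042", IpAddress="10.1.9.8"),
]


def parse_event(xml_text: str) -> dict:
    """Pull the System header and the named EventData fields out of one exported event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "logged_on": system.find("e:Computer", NS).text,   # host whose Security log held it
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "data": data,
    }


def summarize(xml_events: list[str]) -> dict:
    """Tally who locked out whom (4740) and where failed logons came from (4625)."""
    lockouts: dict[str, Counter] = defaultdict(Counter)   # account -> caller computer -> count
    failures: dict[str, Counter] = defaultdict(Counter)   # account -> (workstation, logon type) -> count
    for ev in map(parse_event, xml_events):
        d = ev["data"]
        if ev["event_id"] == 4740:
            # In 4740 the "Caller Computer Name" shown in the event text is the TargetDomainName field.
            lockouts[d["TargetUserName"]][d["TargetDomainName"]] += 1
        elif ev["event_id"] == 4625:
            kind = LOGON_TYPES.get(d.get("LogonType", ""), d.get("LogonType", "?"))
            failures[d["TargetUserName"]][(d.get("WorkstationName", "-"), kind)] += 1
    return {"lockouts": dict(lockouts), "failed_logons": dict(failures)}


def likely_sources(summary: dict) -> dict[str, str]:
    """For each locked-out account, the computer that most often triggered the lockout."""
    return {user: callers.most_common(1)[0][0] for user, callers in summary["lockouts"].items()}


if __name__ == "__main__":
    s = summarize(SAMPLE_EVENTS)
    for user, caller in likely_sources(s).items():
        print(f"{user}: locked out {sum(s['lockouts'][user].values())}x, most often by {caller}")
        for (ws, kind), n in s["failed_logons"].get(user, Counter()).most_common():
            print(f"  {n}x failed {kind} logon from {ws}")
```

    On the constructed data this reports jbloggs locked out twice, both times by SRV-APP01, with three failed service logons from that host, which is the signature of a service running under a stale password. Real exports carry the same `<Data Name="...">` fields, so the only change for live use is reading the XML from files instead of `SAMPLE_EVENTS`.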

  • Show Command Multiple Filtering

    Normally when we run a show command we use the “|” to filter the output, followed by a keyword such as include, exclude, begin or section. As we all know, “include” shows only the lines that match the string, as in the example below.

    R1#sh run | inc CISCO
     neighbor CISCO peer-group

    We can do some multiple filtering in one command using the “include” keyword, like the example below. Let’s say we want to see the interface name, then the description, the OSPF cost and whether it is configured with the “mpls ip” command.

    R1#sh run | inc interface |^ description |^ ip ospf cost |^ mpls ip
    interface FastEthernet0/0
     description towards LAN
     ip ospf cost 100
     mpls ip

    The trick is that the text after “include” is a regular expression, so the extra “|” characters are alternation (match any of the listed patterns) and “^” anchors a pattern to the start of the line. Put a space after the “^” because in “show run” output the commands under an interface are indented by one space. This also applies to the “exclude” keyword, but who the heck uses “exclude” that much?
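    To make the regex behaviour concrete, here is an added example (my own code, not from the original post or from Cisco) that emulates the four IOS output filters in Python over a constructed running-config. It runs the post’s exact pattern and also shows why the “^ ” anchor matters: an unanchored “description” would also pick up a free-text line such as an snmp-server location. The “section” emulation is a simplification (a matching line plus the lines indented beneath it), which is enough for interface blocks.

```python
from __future__ import annotations

import re

# Constructed sample of "show running-config" output (not from the original post).
# Sub-commands are indented by one space, exactly as IOS prints them.
SAMPLE_RUNNING_CONFIG = """\
hostname R1
!
snmp-server location "see description in CMDB"
!
interface FastEthernet0/0
 description towards LAN
 ip address 10.0.0.1 255.255.255.0
 ip ospf cost 100
 mpls ip
!
interface FastEthernet0/1
 description towards CORE
 ip address 10.0.1.1 255.255.255.0
 ip ospf cost 10
!
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
!
end
"""

# The post's pattern: "|" is alternation, "^ " anchors to an indented sub-command line.
POST_PATTERN = r"interface |^ description |^ ip ospf cost |^ mpls ip"


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def ios_filter(output: str, keyword: str, pattern: str) -> list[str]:
    """Emulate 'show ... | <keyword> <regex>' for include, exclude, begin and section."""
    regex = re.compile(pattern)
    lines = output.splitlines()
    if keyword == "include":          # only lines matching the regex
        return [ln for ln in lines if regex.search(ln)]
    if keyword == "exclude":          # only lines NOT matching the regex
        return [ln for ln in lines if not regex.search(ln)]
    if keyword == "begin":            # everything from the first match to the end
        for i, ln in enumerate(lines):
            if regex.search(ln):
                return lines[i:]
        return []
    if keyword == "section":          # each match plus the lines indented under it
        out: list[str] = []
        i = 0
        while i < len(lines):
            if regex.search(lines[i]):
                base = _indent(lines[i])
                out.append(lines[i])
                i += 1
                while i < len(lines) and _indent(lines[i]) > base:
                    out.append(lines[i])
                    i += 1
            else:
                i += 1
        return out
    raise ValueError(f"unknown filter keyword: {keyword}")


if __name__ == "__main__":
    print("R1#sh run | inc " + POST_PATTERN)
    print("\n".join(ios_filter(SAMPLE_RUNNING_CONFIG, "include", POST_PATTERN)))
    print("\nunanchored 'description' also matches:",
          [ln for ln in ios_filter(SAMPLE_RUNNING_CONFIG, "include", "description") if not ln.startswith(" ")])
    print("\nR1#sh run | section ^interface")
    print("\n".join(ios_filter(SAMPLE_RUNNING_CONFIG, "section", "^interface")))
```

    Note that the first alternative in the post’s pattern, “interface ”, is itself unanchored; writing it as “^interface ” keeps a free-text line containing that word (a banner or snmp-server location) out of the result as well.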
