Wednesday, December 02, 2015

Possible Microsoft Active Directory Domain Lockout Bug?

Good day IT admins,

We at NMP Consulting have now had two three four separate clients report that Active Directory accounts are being locked out after a password change. It appears that if the user is logged in anywhere after their password has expired and the user changes it, or if it is changed manually the account is locked out within seconds. This won't happen with local accounts, unless there are Terminal Servers with local accounts that are logged in multiple times. So you may have to look for that as well.

The "old" login (where the user has not logged out) keeps attempting to re-authenticate with the old credentials and locks the user out. What is especially troubling is that the normal default level of logging in your 'Security' event logs do not show the failed attempts. You have to turn up the detail of logging by creating a group policy in order to discover which computer is still logged in with the users' account:

In your Group Policy Editor or Local Computer Policy:

Go to - Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Advanced Audit Policy Configuration \ Audit Policies \ Account Management

Double click Audit User Account Management in the right pane

Check Configure the following audit events - or go to the Policy tab.

Check Success -

Click to enlarge

Reload your policies with GPUpdate.exe if using GPO, or with Local Policies it should be effective immediately (or you can reboot if needed)

Then look for event 4740 in the event logs after that. It should identify the offending computer and account.

Right now this means that people who don't logout their sessions will be punished for their lazy behavior. I myself hate leaving accounts logged in, so this won't affect me directly, but I am guessing a lot of people are getting a rude awaking starting yesterday. I am also guessing it started with a new Microsoft Update as our first reports began yesterday ("Patch Tuesday"), which is the normal day for new bugfixes and security updates being released.