Active Directory servers are not often seen as one of the most critical applications in an infrastructure, simply because they often work well. However, if a problem happens in the Active Directory system, it will leave behind a lot of unhappy users. A number of routine tasks you perform in your enterprise network rely on Active Directory. When you log into your desktop, you are authenticated by Active Directory. The scripts that execute when you login are controlled by Active Directory. The files you access can be authenticated by Active Directory. Hence, a blip in your Active Directory servers can severely impact the user experience. Therefore, the Active Directory servers need to be monitored carefully and continuously.
One of the common problems that Active Directory administrators have to deal with is lockouts of user accounts. Active Directory servers often have an account lockout policy set. When a user logs in multiple times and does not enter the right credentials, the account is locked out as a precaution against a brute force. Often an Active Directory administrator has to manually unlock the account.
In many cases, account lockouts can happen because of user mistakes (e.g., a user forgetting his/her password, or not typing the password correctly). However, the most frustrating cases of account lockouts are the ones when a user entered the right credentials, yet the account was locked out. In such situations, Active Directory administrators often struggle to figure out what is going on.
Active Directory Accounts can be locked in Numerous Ways
There are many situations in which an account can be locked out without the user knowing:
- Sometimes certain Windows services and scheduled tasks can be configured to run with the privileges of a specific user account. When that account’s credential is changed, an administrator must manually make the changes in the Windows services and scheduled tasks configuration as well. If this is not done the corresponding Windows services and scheduled tasks will fail to execute, and they will also cause incorrect logins to happen.
- Persistent file shares on a system may be configured with user credentials. If these credentials are not updated, they can result in incorrect logins.
- Many a times, programs authenticate using Active Directory. For instance, a Citrix XenApp server is configured to use a specific user account when accessing its backend datastore. If the credentials of this account are modified, every time the Citrix server contacts its datastore, an invalid login will be registered in Active Directory.
- Many organizations implement Active Directory in a redundant configuration. If replication across Active Directory servers is not working correctly, one of the Active Directory servers could have the old credentials for a user account. When the user logs in, this can result in a login failure.
- Users these days access their systems from multiple devices. Password information is stored in each of these devices. When a user changes his password, all of the devices have to be updated with the new password. If the changes are not done correctly on all the devices, invalid logins will occur.
Troubleshooting Active Directory Account Lockouts with eG Enterprise
While many organizations proactively monitor their critical applications – web servers, databases, middleware servers, etc., Active Directory monitoring is often done re-actively, after users complain. As I mentioned earlier, Active Directory issues are often very disruptive. The longer the diagnosis takes, the greater the loss in user productivity.
Most organizations adopt a manual, time-consuming process for handling user lockouts. There are a number of detailed tools available for diagnosis of such problems. Often, such diagnosis has to be done by the experts. If a malicious attack happens on the Active Directory system, many a time, the operations team becomes aware of an account lockout issue only after it is too late.
eG Enterprise provides an automatic and simple way to monitor account lockouts in Active Directory. The AD monitoring system detects the accounts that are currently locked out. It can also be configured to detect and report on any new account lockout events. Alerts will be triggered to administrators as soon as an account lockout is detected. Critically, the alerts are detailed enough, providing administrators with information as to why the lockout happened –which device did the user connect from and which domain did he/she log into. Administrators can also get detailed reports on accounts locked during a specified period.
In addition to alerting administrators and providing a detailed report on user lockout events, eG Enterprise also monitors other aspects of Active Directory performance. For instance, in the above example, the AD monitoring system detected replication failures between Active Directory servers that were causing the account lockouts.
Value Proposition for eG Enterprise
Microsoft provides tools that administrators can use to detect and manage Active Directory account lockouts. The table below summarizes how eG Enterprise can simplify account lockout detection and alerting:
|Automatically detects account lockouts as soon as they occur||No, tools have to be run manually for detecting account lockouts|
|Proactively alerts administrators about account lockouts via email/SMS, before users complains||Administrators are not proactively alerted because of which administrators become aware of an account lockout issue only after it is too late.|
|Automatically find the source of account lockouts – Windows services and scheduled tasks using wrong credentials, Replication failure and a particular Active Directory server having wrong credentials, etc.||No, manual routine investigation configuring for each specific situation must be performed.|
|Monitor multiple domains and domain controller at the same time||No, must connect to each domain controller manually.|
Comprehensive monitoring and diagnosis of Active Directory servers provides several benefits. Given how critical Active Directory is to the functioning of any IT infrastructure, proactive monitoring is a must. With the right Active Directory monitoring capabilities in place, administrators can detect and fix problems quickly – often well before users notice and complain. This greatly improves user productivity and satisfaction.