User Account Lockouts Test

Account lockout is a feature of password security that disables a user account when a certain number of failed logons occur due to wrong passwords within a certain interval of time. The purpose behind account lockout is to prevent attackers from brute-force attempts to guess a user's password.

Other ways accounts can get locked out include:

  • Applications using cached credentials that are stale.
  • Stale service account passwords cached by the Service Control Manager (SCM).
  • Stale logon credentials cached by Stored User Names and Passwords in Control Panel.
  • Scheduled tasks and persistent drive mappings that have stale credentials.
  • Disconnected Terminal Service sessions that use stale credentials.
  • Failure of Active Directory replication between domain controllers.
  • Users logging into two or more computers at once and changing their password on one of them.

Any one of the above situations can trigger an account lockout condition, and the results can include applications behaving unpredictably and services inexplicably failing.

This is why, whenever a user complains of being unable to log in to his/her desktop, the help desk should be able to instantly figure out whether that user's account has been locked out, and if so, why. The User Account Lockouts test provides answers to these questions. This test, at configured intervals, reports the count of locked user accounts and names the users who have been affected by this anomaly.

Target of the test : An Active Directory or Domain Controller

Agent deploying the test : An internal agent; this test cannot be run in an 'agentless' manner

Outputs of the test : One set of results for every Active Directory site that is being monitored

Configurable parameters for the test
Parameter : Description

Test period : Indicates how often the test should be executed.

Host : The IP address of the machine where the Active Directory is installed.

Port : The port number through which the Active Directory communicates. The default port number is 389.

Detailed Diagnosis : To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option.

The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test

Measurement : Account lockout events
Description : Indicates the number of account lockouts that occurred during the last measurement period.
Measurement Unit : Number
Interpretation : A very high value for this measure could indicate a malicious attack, and may require further investigation.

If the high lockout rate is not due to any such attacks, then it is recommended that you alter the lockout policy in your environment to minimize the count and consequently, the impact of account lockouts. Microsoft recommends the following policies for high, medium, and low security environments:

Security Level : Low

  • Account Lockout Duration = Not Defined
  • Account Lockout Threshold = 0 (No lockout)
  • Reset account lockout counter after = Not Defined

Security Level : Medium

  • Account Lockout Duration = 30 minutes
  • Account Lockout Threshold = 10 invalid logon attempts
  • Reset account lockout counter after = 30 minutes

Security Level : High

  • Account lockout duration = 0 (an administrator must unlock the account)
  • Account lockout threshold = 10 invalid logon attempts
  • Reset account lockout counter after = 30 minutes

Measurement : Unique users locked out
Description : Indicates the number of distinct users who were locked out during the last measurement period.
Measurement Unit : Number
Interpretation : Use the detailed diagnosis of this measure to view the names of these users.

Measurement : Users currently locked out
Description : Indicates the number of users who are currently locked out.
Measurement Unit : Number
Interpretation : Use the detailed diagnosis of this measure to know which users are currently locked out.
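
The three measures above, computed over constructed lockout records under the Medium and High policies, as an added example that is not eG Enterprise's own code. The record layout, the function name lockout_measures and the way "currently locked out" is derived from the Account Lockout Duration are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records: (locked_at, user, unlocked_by_admin_at or None).
EVENTS = [
    (datetime(2024, 5, 6, 8, 0), "dave", None),    # before the measurement period
    (datetime(2024, 5, 6, 9, 0), "alice", None),
    (datetime(2024, 5, 6, 9, 10), "bob", None),
    (datetime(2024, 5, 6, 9, 40), "alice", None),  # alice is locked out a second time
    (datetime(2024, 5, 6, 9, 50), "carol", datetime(2024, 5, 6, 9, 55)),
]

def lockout_measures(events, period_start, now, lockout_duration_min):
    """Compute the three measures for one measurement period (hypothetical helper).

    lockout_duration_min mirrors 'Account Lockout Duration'; 0 means the
    account stays locked until an administrator unlocks it (High policy).
    """
    in_period = [e for e in events if period_start <= e[0] <= now]
    unique_users = {user for _, user, _ in in_period}

    # Replay every lockout in time order; the latest one decides a user's state.
    current = set()
    for locked_at, user, unlocked_at in sorted(events, key=lambda e: e[0]):
        if locked_at > now:
            continue
        if unlocked_at is not None and unlocked_at <= now:
            current.discard(user)          # administrator already unlocked it
        elif lockout_duration_min == 0:
            current.add(user)              # never expires on its own
        elif now < locked_at + timedelta(minutes=lockout_duration_min):
            current.add(user)              # lockout duration still running
        else:
            current.discard(user)          # lockout duration has elapsed
    return {
        "events": len(in_period),
        "unique_users": sorted(unique_users),
        "currently_locked": sorted(current),
    }

if __name__ == "__main__":
    start, now = datetime(2024, 5, 6, 9, 0), datetime(2024, 5, 6, 10, 0)
    for level, duration in (("Medium", 30), ("High", 0)):
        print(level, lockout_measures(EVENTS, start, now, duration))
```

With a duration of 0 the "currently locked out" figure keeps growing until someone unlocks the accounts, which is why it diverges from the per-period counts under the High policy.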