User Account Lockouts Test
Account lockout is a feature of password security that disables a user account when a certain number of failed logons occur due to wrong passwords within a certain interval of time. The purpose behind account lockout is to prevent attackers from guessing a user's password through brute-force attempts.
Other ways accounts can get locked out include:
- Applications using cached credentials that are stale.
- Stale service account passwords cached by the Service Control Manager (SCM).
- Stale logon credentials cached by Stored User Names and Passwords in Control Panel.
- Scheduled tasks and persistent drive mappings that have stale credentials.
- Disconnected Terminal Service sessions that use stale credentials.
- Failure of Active Directory replication between domain controllers.
- Users logging into two or more computers at once and changing their password on one of them.
Any one of the above situations can trigger an account lockout condition, and the results can include applications behaving unpredictably and services inexplicably failing.
This is why, whenever a user complains of being unable to log in to his/her desktop, the help desk should be able to instantly figure out whether that user's account has been locked out, and if so, why. The User Account Lockouts test provides answers to these questions. This test, at configured intervals, reports the count of locked user accounts and names the users who have been affected by this anomaly.
Target of the test : An Active Directory or Domain Controller
Agent deploying the test : An internal agent; this test cannot be run in an 'agentless' manner
Outputs of the test : One set of results for every Active Directory site that is being monitored
Parameters | Description |
---|---|
Test period | Indicates how often the test should be executed. |
Host | The IP address of the machine where the Active Directory is installed. |
Port | The port number through which the Active Directory communicates. The default port number is 389. |
Detailed Diagnosis | To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled: |
Measurement | Description | Measurement Unit | Interpretation |
---|---|---|---|
Account lockout events | Indicates the number of account lockouts that occurred during the last measurement period. | Number | A very high value for this measure could indicate a malicious attack, and may require further investigation. If the high lockout rate is not due to any such attacks, then it is recommended that you alter the lockout policy in your environment to minimize the count and consequently, the impact of account lockouts. Microsoft recommends the following policies for high, medium, and low security environments: |
Unique users locked out | Indicates the number of distinct users who were locked out during the last measurement period. | Number | Use the detailed diagnosis of this measure to view the names of these users. |
Users currently locked out | Indicates the number of users who are currently locked out. | Number | Use the detailed diagnosis of this measure to know which users are currently locked out. |
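
The following Python example is added here and is not eG Enterprise code: it derives the three measures above from Windows Security events 4740 (account locked out) and 4767 (account unlocked), and also lists accounts locked repeatedly from the same caller computer, which points at stale cached credentials on that machine. The sample events, the account and host names, the 10-minute measurement period and the function name are constructed assumptions; automatic unlocking when the lockout duration expires is not modelled.

```python
from collections import Counter
from datetime import datetime, timedelta

LOCKED, UNLOCKED = 4740, 4767  # Windows Security event IDs: locked out / unlocked

# Constructed sample records: (timestamp, event ID, account, caller computer)
EVENTS = [
    ("2024-05-01T08:50:00", 4740, "svc_backup", "APP01"),
    ("2024-05-01T09:01:00", 4767, "svc_backup", ""),
    ("2024-05-01T09:02:00", 4740, "alice", "WS-014"),
    ("2024-05-01T09:04:00", 4740, "svc_backup", "APP01"),
    ("2024-05-01T09:05:00", 4767, "svc_backup", ""),
    ("2024-05-01T09:06:00", 4740, "bob", "WS-022"),
    ("2024-05-01T09:07:00", 4767, "alice", ""),
    ("2024-05-01T09:09:00", 4740, "svc_backup", "APP01"),
]


def lockout_measures(events, period_end, period=timedelta(minutes=10)):
    """Compute the lockout measures for the period ending at period_end."""
    period_start = period_end - period
    locked_now = set()   # accounts locked and not yet unlocked at period_end
    in_period = []       # (account, caller) for each lockout inside the period
    for stamp, event_id, account, caller in sorted(events):
        when = datetime.fromisoformat(stamp)
        if when > period_end:
            break
        if event_id == LOCKED:
            locked_now.add(account)
            if when > period_start:
                in_period.append((account, caller))
        elif event_id == UNLOCKED:
            locked_now.discard(account)
    # The same account locked more than once from one machine suggests stale
    # credentials cached there (service, scheduled task, mapped drive).
    repeats = {pair: n for pair, n in Counter(in_period).items() if n > 1}
    return {
        "lockout_events": len(in_period),
        "unique_users": sorted({account for account, _ in in_period}),
        "currently_locked": sorted(locked_now),
        "repeat_sources": repeats,
    }


if __name__ == "__main__":
    result = lockout_measures(EVENTS, datetime(2024, 5, 1, 9, 10))
    for name, value in result.items():
        print(f"{name}: {value}")
```

A lockout count spread across many accounts and many caller computers deserves investigation as a possible attack, whereas a count dominated by one entry in `repeat_sources` usually traces back to a single misconfigured host.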