2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Recently, for reasons I don't know, many customers' AD accounts have been getting locked frequently, and I also came across a friend on the 51CTO forum asking, "AD account is locked. Can you find out which IP or client is locked?"
In fact, Microsoft released a tool for this long ago. It shows which domain controller recorded the lockout, and from that domain controller's logs you can then roughly locate the client responsible. The tool is called LockoutStatus.
Lockoutstatus download address: https://www.microsoft.com/en-us/download/details.aspx?id=15201
Today I will briefly show how to use this tool to trace a lockout back to the client that caused it. First, download LockoutStatus and copy it to any domain controller. I will not go through the installation in detail, since it is just a matter of clicking Next all the way through. What you do need to remember is the installation path shown in the following screenshot, because once the installation is complete you have to go to this path to find the installed application; the installer does not create a shortcut.
You can create a shortcut manually after the installation is complete.
To demonstrate, I lock a random account, as shown in the figure:
Next, double-click the program we just installed, as shown in the figure:
Click the File menu and choose Select Target.
Enter the domain account to be queried (the locked account) in Target User Name and click OK.
After the scan is complete, you can see a lot of lockout information for the account, including DC name, site, account status, bad password count, and last bad password time. (This is a test environment with only one AD domain controller; a real environment will list many, so be sure to find the latest bad password time.)
Find the record with the latest bad password time, note the corresponding DC name, and log in to that domain controller.
After logging in, open Event Viewer and select the Security log (if a long time has passed, you can look in a log backup).
If there are too many log entries, you can use the filter feature to narrow them down.
According to the tool, my test account was locked at 13:22:10, so I looked for the log entry at that time.
We can clearly see that my account was locked from the EXSRV01 computer.
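The Security log search described above can also be scripted. The following is an added example, not part of the original article: it assumes the lockout entry is Security event ID 4740, where the caller computer name is stored in the TargetDomainName field. The function name Get-LockoutSource and the sample event (account testuser, DC01.example.test, the date) are constructed; only EXSRV01 and the 13:22:10 time are taken from the article.

```powershell
# Added example (not from the original article). Get-LockoutSource is a hypothetical helper.
# Assumption: the lockout record is Security event ID 4740 on the domain controller.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$EventXml
    )
    process {
        $evt = ([xml]$EventXml).Event
        # Skip anything that is not an account-lockout event
        if ($evt.System['EventID'].InnerText -ne '4740') { return }
        # Index the EventData fields by their Name attribute
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            TimeCreatedUtc   = $evt.System['TimeCreated'].GetAttribute('SystemTime')
            DomainController = $evt.System['Computer'].InnerText
            LockedAccount    = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" is stored in TargetDomainName
            CallerComputer   = $data['TargetDomainName']
        }
    }
}

# Constructed sample event (only EXSRV01 and the time come from the article) so the parser runs offline
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2024-01-01T13:22:10.000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">testuser</Data>
    <Data Name="TargetDomainName">EXSRV01</Data>
    <Data Name="SubjectUserName">DC01$</Data>
  </EventData>
</Event>
'@
$sample | Get-LockoutSource | Format-List

# Live use against the DC that LockoutStatus reported (requires rights to read its Security log):
# Get-WinEvent -ComputerName '<DC name>' -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#     ForEach-Object { $_.ToXml() } | Get-LockoutSource | Sort-Object TimeCreatedUtc
```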
That is essentially the end, but we can go one step further and see who was the last user to log on to this computer (EXSRV01).
Open PowerShell with administrator privileges and enter the following command to find out which account is currently logged on to that machine.
Get-WmiObject -ComputerName <computer name> -Class Win32_ComputerSystem | Format-List UserName
The account returned by the query is ITSoul\Administrator.
That is, the client named EXSRV01 is currently in use by the domain user Administrator.
All that's left, folks, is that you can point to the user's nose and question him.