We have a user that is constantly blocked. We checked the logs in the domain controllers and all the information shown is that a WINDROID device is the source. How can I know which device is causing this? Is there a way to analyze this more deeply?
You can be pretty sure this is the user's mobile phone. Those kinds of lockouts are commonly because of Exchange sync to a phone after a password change. – Reaces Dec 10 '14 at 14:39
1 Answer
Sure. I suppose if it's a 'WINDROID device', then check your mail server (Exchange?). Enable netlogon on it:
nltest /dbflag:2080ffff
The Netlogon.txt file is created in the %systemroot%/debug directory.
Correlate the timestamps inside the log with the time when the account lockout happens...
Don't forget to disable netlogon logging at the end:
nltest /dbflag:0
Also, you can try the free tool Netwrix Account Lockout Examiner; it does simplify investigation.

Yan Skursky
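One way to do the timestamp correlation described in the answer, as an added example that is not part of the original post: it filters Netlogon debug log lines for one user's failed logons around the lockout time and counts them per source, including the "(via ...)" server that passed the logon on. The sample lines are constructed, and Get-LockoutSource, CONTOSO, jdoe, asmith, EXCH01 and PC-0142 are hypothetical names.

```powershell
# Constructed sample in the Netlogon debug log layout (not from a real server).
# For a real run, replace $sample with Get-Content on the log under %systemroot%\debug.
$sample = @'
12/10 14:30:41 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WINDROID (via EXCH01) Entered
12/10 14:30:41 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WINDROID (via EXCH01) Returns 0xC000006A
12/10 14:31:02 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WINDROID (via EXCH01) Returns 0xC000006A
12/10 14:31:07 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from PC-0142 Returns 0x0
12/10 14:31:20 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WINDROID (via EXCH01) Returns 0xC0000234
'@ -split "`r?`n"

function Get-LockoutSource {
    param(
        [string[]]$Line,            # raw log lines
        [string]$User,              # sAMAccountName without the domain prefix
        [datetime]$LockoutTime,     # time of the lockout event seen on the DC
        [int]$WindowMinutes = 10    # how far around the lockout to look
    )
    # NTSTATUS values that matter for a lockout investigation
    $status = @{ '0xC000006A' = 'wrong password'; '0xC0000234' = 'account locked out' }
    $rx = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*logon of (?<acct>\S+) from ' +
          '(?<src>\S*)(?: \(via (?<via>[^)]+)\))? Returns (?<code>0x[0-9A-Fa-f]+)'
    foreach ($l in $Line) {
        if ($l -notmatch $rx) { continue }                # skips "Entered" and unrelated lines
        $m = $Matches
        if (($m.acct -split '\\')[-1] -ne $User) { continue }
        if (-not $status.ContainsKey($m.code)) { continue }
        # The log carries no year, so borrow it from the lockout time
        $ts = [datetime]::ParseExact("$($LockoutTime.Year)/$($m.ts)",
                  'yyyy/MM/dd HH:mm:ss', [cultureinfo]::InvariantCulture)
        if ([math]::Abs(($LockoutTime - $ts).TotalMinutes) -gt $WindowMinutes) { continue }
        [pscustomobject]@{ Time = $ts; Source = $m.src; Via = $m.via; Result = $status[$m.code] }
    }
}

# Count failures per (source, relaying server, result); the top row is the device to chase
Get-LockoutSource -Line $sample -User 'jdoe' -LockoutTime '2014-12-10 14:31:20' |
    Group-Object Source, Via, Result |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The Via column is the useful part when the source name is a generic device string: it names the server whose own logs (for example the mail server's sync logs) can identify the actual device.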