Tracking Account Lockouts in Quest Change Auditor
I really like Quest’s ChangeAuditor (CAAD) tool. It allows such easy reporting and alerting on (and protection from) changes to your AD forests. There are a few shortcomings though, principally in how users can access the data: for example, it is not possible to easily ‘scope’ the console so that non-admin users see only the things of interest to them. The SQL schema is relatively easy to read, however, so we can do custom things with it.
One of the things I like to do for all new clients is to set up an ASP.NET website that lets helpdesk staff and users see information about account lockouts, such as which machine locked the account out and when. With the gradual creep of non-enterprise-standard devices such as iPads and iPhones, there is more pressure on helpdesk staff because there are more places for things to go wrong. iPads and iPhones are particularly bad at dealing with credentials: as soon as you change your domain password, the wireless profile you set up on your iPad will keep presenting the old one and locking out your domain account.
CAAD to the rescue! Open a query window against your CAAD SQL Server and create a stored procedure as follows:
```sql
USE [ChangeAuditor]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

-- Returns every 'User Account Locked' event CAAD detected in the last two hours,
-- together with the agent (server or workgroup machine) that reported it.
CREATE PROCEDURE [dbo].[usp_zAccountLockouts]
AS
BEGIN
    SET NOCOUNT ON;

    SELECT TOP 5000
        AET.TimeDetected,
        AET.UserAddress,                                -- where the lockout came from
        AET.UserName,                                   -- the account that was locked
        ISNULL(TSR.ServerName, TWP.MachineName)   AS ServerName,
        ISNULL(TDN.DomainName, TWP.WorkgroupName) AS DomainName,
        AET.TimeZoneOffset                              -- offset of TimeDetected, for display
    FROM Audit.Event AS AET
    INNER JOIN [Event].Class AS ECS
        ON AET.EventClassID = ECS.EventClassID
    INNER JOIN [Event].[Action] AS EAN
        ON AET.ActionID = EAN.ActionID
    -- An agent is either a domain-joined server or a workgroup machine; only one
    -- of the two outer joins will match, hence the ISNULL() pairs above.
    LEFT OUTER JOIN Topology.[Server] AS TSR
        ON AET.AgentID = TSR.ServerID
    LEFT OUTER JOIN Topology.Domain AS TDN
        ON TSR.DomainID = TDN.DomainID
    LEFT OUTER JOIN Topology.Workgroup AS TWP
        ON AET.AgentID = TWP.MachineID
    -- Check whether your TimeDetected column is stored as UTC; if it is,
    -- compare against GETUTCDATE() instead of GETDATE().
    WHERE AET.TimeDetected >= DATEADD(hour, -2, GETDATE())
      AND ECS.EventClassName = 'User Account Locked'
    ORDER BY AET.TimeDetected DESC;
END
GO
```
This returns every account lockout detected in the last two hours across the domains/forests that your CAAD installation manages (TOP 5000 simply caps the result set). You can then call the stored procedure from your ASP.NET page and give all users access to the website, with no special CAAD permissions required, so they can see from which computer their account was locked out, and at what time. Two things are worth getting right before opening the page to everyone: the procedure returns lockouts for every account, so either restrict the page to helpdesk staff or filter the results by the authenticated user’s name; and the web application’s database login needs only EXECUTE on the procedure, not read access to the Audit tables.
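As an added example (not part of the original post or Quest’s own code), here is a per-user variant of the procedure plus the least-privilege grant for the web application. It assumes the same CAAD schema as the procedure above; the procedure name, the `@UserName`/`@Hours` parameters, the Windows account `CONTOSO\svc-lockoutweb`, and the assumption that `AET.UserName` holds the name in the same form the website will pass (e.g. `CONTOSO\jsmith`) are all illustrative.

```sql
USE [ChangeAuditor]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO

-- Hypothetical per-user variant: the ASP.NET page passes the authenticated
-- user's name, so each user sees only their own lockouts instead of everyone's.
CREATE PROCEDURE [dbo].[usp_zAccountLockoutsForUser]
    @UserName NVARCHAR(256),   -- assumption: same form as AET.UserName, e.g. N'CONTOSO\jsmith'
    @Hours    INT = 2          -- default window matches the original procedure
AS
BEGIN
    SET NOCOUNT ON;

    -- Clamp the window so a manipulated query string cannot request a
    -- year of history or a negative interval.
    IF @Hours IS NULL OR @Hours < 1 OR @Hours > 168
        SET @Hours = 2;

    SELECT TOP 500
        AET.TimeDetected,
        AET.UserAddress,
        AET.UserName,
        ISNULL(TSR.ServerName, TWP.MachineName)   AS ServerName,
        ISNULL(TDN.DomainName, TWP.WorkgroupName) AS DomainName,
        AET.TimeZoneOffset
    FROM Audit.Event AS AET
    INNER JOIN [Event].Class AS ECS
        ON AET.EventClassID = ECS.EventClassID
    INNER JOIN [Event].[Action] AS EAN            -- retained from the original procedure
        ON AET.ActionID = EAN.ActionID
    LEFT OUTER JOIN Topology.[Server] AS TSR
        ON AET.AgentID = TSR.ServerID
    LEFT OUTER JOIN Topology.Domain AS TDN
        ON TSR.DomainID = TDN.DomainID
    LEFT OUTER JOIN Topology.Workgroup AS TWP
        ON AET.AgentID = TWP.MachineID
    WHERE AET.TimeDetected >= DATEADD(hour, -@Hours, GETDATE())
      AND ECS.EventClassName = 'User Account Locked'
      AND AET.UserName = @UserName                -- parameterised: no string concatenation
    ORDER BY AET.TimeDetected DESC;
END
GO

-- Least privilege for the web tier: the app pool identity (placeholder name)
-- may execute the lockout procedures and nothing else in this database.
CREATE LOGIN [CONTOSO\svc-lockoutweb] FROM WINDOWS;
GO
CREATE USER [svc-lockoutweb] FOR LOGIN [CONTOSO\svc-lockoutweb];
GO
GRANT EXECUTE ON OBJECT::[dbo].[usp_zAccountLockouts]        TO [svc-lockoutweb];
GRANT EXECUTE ON OBJECT::[dbo].[usp_zAccountLockoutsForUser] TO [svc-lockoutweb];
GO

-- Example call, as the website would issue it for the signed-in user:
EXEC [dbo].[usp_zAccountLockoutsForUser] @UserName = N'CONTOSO\jsmith', @Hours = 24;
GO
```

From the ASP.NET side, call the procedure with `CommandType.StoredProcedure` and a `SqlParameter` for `@UserName` taken from the authenticated identity, never from a query-string value, so a user cannot browse other people’s lockout history. Because the login has EXECUTE only, a compromise of the web application does not expose the rest of the Audit schema.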
And the iPads? Typically, if a lockout is caused by an iDevice then it comes from the wifi profile. The wifi controller will usually be a Cisco WCS, which reports itself as CISCO in this tool, so that is the name to look for in the lockout records.
So now instruct users to read the knowledgebase article about lockouts on the intranet and to check this webpage. It’s amazing how quickly the unlock and password-reset calls drop away once this is implemented!