Executive Summary:

In Windows networks, troubleshooting locked-out accounts can take a lot of time and effort. Fortunately, Microsoft's Account Lockout and Management Tools can help reduce the amount of time and effort it takes to locate the root causes of locked-out accounts. EventCombMT.exe, LockoutStatus.exe, and NLParse.exe are three tools in the Account Lockout and Management Tools you should come familiar with if you often have account lockouts.

Troubleshooting locked-out accounts can be difficult and time-consuming. Cached credentials on drive mappings, Microsoft IIS application pools, COM+ objects, scheduled tasks, services, and interactive logons are all common causes of account lockouts. Fortunately, Microsoft provides tools and techniques to help you narrow the search for the root cause, including the Account Lockout and Management Tools. You can download these tools from the Microsoft Download Center .

At my organization, we recently used the following tools to locate the root cause of a locked-out account that was discovered during one of our regularly scheduled password changes:

EventCombMT.exe. Event- CombMT.exe collects and filters events from the event logs of domain controllers (DCs) within a specified domain. This tool features a built-in search for account lockouts, which defaults the search to the security log. It populates the Event ID field with relevant event IDs (i.e., IDs of events that pertain to locked-out accounts). Consolidating the lockout events into text files in a common folder provides a quick way to search for the locked-out account and the name of the server or workstation from which the lockout originated.

LockoutStatus.exe. LockoutStatus.exe examines all DCs in a domain, letting you know when the target account last locked out and from which DC. In addition, it provides the locked-out account’s current status and the number of bad password attempts that have been made. Depending on the topology of the Windows domain, this information can help you determine whether the server or workstation locking out the account is located at a particular site.

Netlogon logging used for tracking Netlogon and NT LAN Manager (NTLM) events. Enabling Netlogon logging on all DCs is an effective way to isolate a locked-out account and see where the account is being locked out. The Microsoft article “Enabling debug logging for the Net Logon service” (support.microsoft.com/kb/109626) contains information about how to enable Netlogon logging on the various versions of Windows. Although Netlogon logging isn’t part of the Account Lockout and Management Tools, NLParse.exe is used to parse the Netlogon logs—and NLParse.exe is one of the account lockout tools. Enabling Netlogon logging can create large files quickly, so using NLParse.exe to locate relevant events in the Netlogon log can save time when troubleshooting lockouts. The output from NLParse.exe is extracted to comma-separated value (CSV) file, where it can be easily searched or sorted.

The Account Lockout and Management Tools helped us reduce the amount of effort it took to locate the root cause of our locked-out account. They helped us target our energy at specific servers or workstations in our organization.

—Brent McCraney,
Senior Technical Analyst,
Ontario Teachers’ Pension Plan