Nov 1, 2011

How to troubleshoot account lockout issue

[Note] The event IDs apply to Windows 2003 DCs only, but it shouldn't be too difficult to find the related W2k8 event IDs.
[Edit Feb 14/2012] The full list of audit events in Windows 2008 can be downloaded here; see also KB947226.
Please read about the differences between "Account Logon/logoff" events and "Logon/Logoff" events first.

- First, use lockoutstatus to find the initial authenticating DC and the time of the logon attempt. (More often than not, the PDC is not the initial authenticating DC. It logs the same event IDs mentioned below merely because other DCs check with the PDC for the latest password.)
- Then go to the authenticating DC and check the security log. Pinpoint the log entry using the time identified by lockoutstatus.
- We are looking for event ID 675 (4771 in w2k8?); the client IP is the offending machine that sent the bad passwords.
- Failure code in event ID 675 (this is the corresponding Kerberos error code, full list here)
  • 0x18: original wrong password
  • 0x12: this is logged after the account has already been locked
- Logon type in event ID 675 (full list here)
  • 2 being interactive
  • 3 network
  • 5 service
  • 10 Remote interactive
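
The triage steps above can be scripted once the security log entries have been exported from the authenticating DC. The following is an added example, not part of the original post: it ranks client addresses by 0x18 failures in the window before the lockout time and keeps 0x12 entries separate. The one-record-per-line layout, the function name, and all sample users and addresses are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export (assumed layout: "time | event ID | description fields").
SAMPLE_LOG = """\
2011-11-01 09:13:40 | 675 | User Name: jdoe | Failure Code: 0x18 | Client Address: 10.0.5.23
2011-11-01 09:13:52 | 675 | User Name: jdoe | Failure Code: 0x18 | Client Address: 10.0.5.23
2011-11-01 09:13:58 | 675 | User Name: asmith | Failure Code: 0x18 | Client Address: 10.0.7.11
2011-11-01 09:14:02 | 675 | User Name: jdoe | Failure Code: 0x18 | Client Address: 10.0.9.4
2011-11-01 09:14:05 | 675 | User Name: jdoe | Failure Code: 0x18 | Client Address: 10.0.5.23
2011-11-01 09:14:30 | 675 | User Name: jdoe | Failure Code: 0x12 | Client Address: 10.0.5.23
2011-11-01 09:15:10 | 675 | User Name: jdoe | Failure Code: 0x12 | Client Address: 10.0.9.4
2011-11-01 11:02:00 | 675 | User Name: jdoe | Failure Code: 0x18 | Client Address: 10.0.2.2
"""

LINE = re.compile(
    r"^(?P<time>[\d-]+ [\d:]+) \| (?P<id>\d+) \| User Name: (?P<user>\S+) \| "
    r"Failure Code: (?P<code>0x[0-9A-Fa-f]+) \| Client Address: (?P<ip>\S+)$"
)


def find_offenders(log_text, user, lockout_time, window_minutes=10):
    """Rank client addresses that sent bad passwords (0x18) for `user` in the
    `window_minutes` before `lockout_time` (the time lockoutstatus reported)."""
    start = lockout_time - timedelta(minutes=window_minutes)
    bad_pwd, after_lock = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["id"] != "675" or m["user"].lower() != user.lower():
            continue  # unparsable line, other event ID, or other account
        when = datetime.strptime(m["time"], "%Y-%m-%d %H:%M:%S")
        code = int(m["code"], 16)
        if code == 0x18 and start <= when <= lockout_time:
            bad_pwd[m["ip"]] += 1     # wrong password: counts toward the lockout
        elif code == 0x12 and when >= start:
            after_lock[m["ip"]] += 1  # account already locked: symptom, not cause
    return bad_pwd.most_common(), dict(after_lock)


if __name__ == "__main__":
    ranked, locked = find_offenders(SAMPLE_LOG, "jdoe", datetime(2011, 11, 1, 9, 14, 10))
    print("bad-password sources:", ranked)
    print("post-lockout attempts:", locked)
```

Clients that appear only in the 0x12 tally were hitting an account that was already locked, so start with the top 0x18 source.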

Oct 18, 2011

Time service commands

Determine current time source

w32tm /query /source

Configure a manual time source

w32tm /config /manualpeerlist:peers /syncfromflags:manual /update 


Replace "peers" with a list of time servers, delimited by spaces and enclosed in double quotes.
Ignore KBs that manually set registry entries.

Configure a manual time source as the top time source in the forest


w32tm /config /manualpeerlist:peers /syncfromflags:manual /reliable:yes /update

What you should specify in [peers] value: worth reading:

Detect time difference

w32tm /stripchart /computer:TimeServerName /samples:n /dataonly

Set server to use domain hierarchy

w32tm /config /syncfromflags:domhier /update


After changing time settings, you normally need to restart the time service.

Note: If there is a time difference, it takes time for the system to bring the delta down, depending on how much correction can be made in one step. The change is gradual.


[Addition, Jun 13, 2012] When workstations and member servers have trouble synchronizing time with the domain, you should check the hierarchy all the way up to the forest PDC. I was seeing the "The computer did not resync because no time data was available." error, plus the time source being "Local CMOS" or "free running OS" etc., in a child domain, but the root cause turned out to be that the forest root PDC wasn't working properly.