We all have services running on our servers. Many of these services require Active Directory user accounts, which are referred to as service accounts. These service accounts are essential, as they allow services to perform their duties. However, when a service account fails to authenticate back to a domain controller, many issues can arise. If the service account fails to authenticate too many times, the user can then be locked out. Below, you’ll get a better understanding of this issue and learn a good way to handle it.

What can cause a service account to fail to authenticate and therefore lock the user out? In nearly all cases, the issue is an incorrect password. Since the password is hard coded in the service on the Windows server, the root cause is when the user account password is changed in Active Directory but not in the service. Since many service accounts are used for more than one server or service, it can be easy to forget to synchronize passwords for one or more services.

When the service account fails even one time, the service itself will fail. When the user is locked out due to too many failed authentications, the service continues to fail. Usually administrators are only made aware that the service has failed by receiving phone calls from users complaining that their application does not work.

Locking out user accounts after many failed authentications is a configuration related to the password policy. The password policy determines the user account password structure and rules along with lockout thresholds. You can get your current lockout threshold for domain users by running “secpol.msc” on one domain controller in the domain. The output of this should look like what you see in Figure 1.

lockout figure 1

Figure 1. “Secpol.msc” reports the current lockout threshold for domain user accounts.

Finally, most administrators want a service account solution that will do two things. The first thing they want is to have an alert (email is ideal) associated with all service accounts. In the case of a service account password being changed and/or an account being locked out, the administrator can be informed immediately. This alert can then prevent the service from failing and reduce calls from users complaining that their applications are not working.

Next, administrators want to be able to tie locked-out users to service accounts instead of tracking them down manually. A locked-out user account can be an employee or a service account. Service accounts are very important, so it is paramount to know if they are locked out.

To solve both of these issues, you can use ADAudit Plus. ADAudit Plus offers alerts for locked-out service accounts, the full details of which can be found here. It also easily meets the requirements of the second issue with its reporting options. The Account Lockout Analyzer is simple and will indicate if the locked account is a service account on the computer where the lockout was initiated. You can see the Account Lockout Analyzer results in Figure 2.

lockout figure 2

Figure 2. ADAudit Plus Account Lockout Analyzer

ADAudit Plus equips you with real-time alerts to detect and comprehensive reports to troubleshoot service account lockouts.
Learn more | Download for free

Tracking down difficult issues for Active Directory doesn’t need to be hard—you just need the right tool! ADAudit Plus provides custom alerts for when service accounts are modified in any way along with the ability to track locked-out users back to services on computers.