Determining what system is locking AD account

[billybarty]

I have a couple of access accounts for SMS that are constantly locking up. I removed the accounts from the SMS config but they are still locking. Is there a way to tell which computers are trying this account and failing? I've looked through the security logs on the dc for the failures but am unable to see anything useful.

 

[xmsre]

I'd start here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;315585

 

[billybarty]

I downloaded the tools and extracted them. I then installed the acctinfo.dll that may help identify which systems are using the bad password by these instructions


. Acctinfo.dll is a DLL that extends the functionality of the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Acctinfo.dll is included in the Windows Server 2003 Resource Kit tools. Installing acctinfo.dll adds the Additional Account Info tab to the user object's Properties page. As the figure at Figure shows, this tab contains a variety of information, including

the last time the password was set
domain password policies
password expiration date
lockout status
last good and bad logons
To install acctinfo.dll, run the command

regsvr32 acctinfo.dll

It registered successfully and I viewed the properties of the account that is locking out and did not see an additional info tab in the properties. Do I have to do anything other than what I have done to get this additional info?

 

[billybarty]

I have read that the dll needs to go in the system32 folder. I have put it in there and registered it and logged off and on the system. Still, I do not see any additional tab when viewing the properties of a user. Is there anything else I am missing?

 

[jpederson]

You can try using the ADSIEDIT or LDP tool to "go to the dark side" and view attributes that are not exposed in the AD Users and Computers GUI.

JP