Wednesday, November 01, 2006

HOWTO use logparser to find what machine locked out an account

I've been in a number of organizations where the mystery of who, what, where, when and how an account got locked out is umm, a mystery. This is because the regular login/logout data and other authentication data is bundled in with the 1 or 10 errors per day. The truth is obfuscated by too much data. The biggest problem always appears to be with service accounts, with a number of dependencies on an account.

It turns out it can be relatively simple to right a MS logparser query to hunt out this information. AKA, logparser is your best friend. The second think to note is EventID 644 indicates the event that is written when an account is locked out. The rest is really the details.

  1. install Logparser - Logparser download from Microsoft
  2. Create a file by the name of lockedaccounts.sql at the same directory as your logparser.exe (or add the folder that holds logparser.exe to the path).
    file contents:

    SELECT timegenerated AS TimeLockedout,
    extract_token(strings, 0, '|') As UserName ,
    extract_token(strings, 1, '|') AS OriginatingMachine,
    CASE EventID
    WHEN 529 THEN 'Invalid userid/password'
    WHEN 531 Then 'Account disabled out'
    WHEN 539 Then 'Account locked out'
    WHEN 530 Then 'Outside of logon time'
    WHEN 532 THEN 'Account Expired'
    WHEN 535 THEN 'Password Expired'
    WHEN 533 THEN 'User not from allowed system'
    WHEN 644 THEN 'Account Auto Locked'
    WHEN 540 THEN 'Successful logon'
    ELSE 'Not specified' END AS EventDesc,
    INTO lockedact.csv
    WHERE EventID=644
  3. run the following command: (it has a 90 second run time on ~500,000 remote eventviewer records)
    C:\>logparser file:lockedaccounts.sql?DOMAINCONTROLER=ADOMAINCONTROLER
  1. Open the lockedact.csv file in Excel. Hunt out the account you want to analyze. The Column ‘OriginatingMachine’ is the machine that locked out the account. The other columns are there for info only. Note that EventID 644 is the one you are interested in ( ).

For more (much, much more) on logparser:

For a more elaboration on logparser scripts see my blog entry on logparser here: Logparser examples and more.

Keywords:Windows, Active Directory, how to, HOWTO use Microsoft logpaser to find what machine locked out an account in Windows, what machine locked out an account.


Miguel Sánchez said...

Hi Paul,

I've just learned about LogParser and it is a great tool. I'm usually not using using windows so I wonder if you know how to use LogParser on Linux (or whether there is a Linux version).



Paul Cooley said...


Logparser is indeed a powerful tool.
Great question. However, as far as I know there is no port of logparser to linux as of today.


Anonymous said...

一夜情聊天室,一夜情,情色聊天室,情色,美女交友,交友,AIO交友愛情館,AIO,成人交友,愛情公寓,做愛影片,做愛,性愛,微風成人區,微風成人,嘟嘟成人網,成人影片,成人,成人貼圖,18成人,成人圖片區,成人圖片,成人影城,成人小說,成人文章,成人網站,成人論壇,情色貼圖,色情貼圖,色情A片,A片,色情小說,情色小說,情色文學,寄情築園小遊戲, 情色A片,色情影片,AV女優,AV,A漫,免費A片,A片下載