Wednesday, November 01, 2006

HOWTO use logparser to find what machine locked out an account

I've been in a number of organizations where the who, what, where, when and how of an account lockout is, umm, a mystery. The reason is that the one (or ten) relevant failures per day are bundled in with all the regular logon/logoff and other authentication data; the truth is obscured by too much data. The biggest problem always appears to be service accounts, because a number of systems depend on the same account and any one of them can be the culprit.

It turns out it can be relatively simple to write an MS Log Parser query to hunt out this information. AKA, Log Parser is your best friend. The second thing to note is that EventID 644 (User Account Locked Out) is the event a Windows 2000/2003 domain controller writes when an account is locked out. The rest is really the details.

  1. Install Log Parser - Logparser download from Microsoft
  2. Create a file by the name of lockedaccounts.sql in the same directory as your logparser.exe (or add the folder that holds logparser.exe to the PATH). Note the insertion-string order of a 644 event: Target Account Name, Target Account ID, Caller Machine Name, Caller User Name, Caller Domain, Caller Logon ID. Log Parser exposes these in the 'strings' field separated by '|', so the machine that caused the lockout is token 2 (zero-based); token 1 is the account's ID, not a machine. The CASE expression only matters if you widen the WHERE clause (Log Parser separates IN-list values with semicolons, e.g. WHERE EventID IN (529; 539; 644)); with WHERE EventID=644 it will always read 'User account locked out'.
    file contents:

    SELECT timegenerated AS TimeLockedout,
      EXTRACT_TOKEN(strings, 0, '|') AS UserName,
      EXTRACT_TOKEN(strings, 1, '|') AS TargetAccountID,
      EXTRACT_TOKEN(strings, 2, '|') AS OriginatingMachine,
      EXTRACT_TOKEN(strings, 3, '|') AS CallerUserName,
      EventID,
      SourceName,
      Message,
      CASE EventID
        WHEN 529 THEN 'Unknown user name or bad password'
        WHEN 530 THEN 'Logon outside allowed time'
        WHEN 531 THEN 'Account disabled'
        WHEN 532 THEN 'Account expired'
        WHEN 533 THEN 'User not allowed to log on at this computer'
        WHEN 535 THEN 'Password expired'
        WHEN 539 THEN 'Logon attempt to a locked-out account'
        WHEN 540 THEN 'Successful network logon'
        WHEN 644 THEN 'User account locked out'
        ELSE 'Not specified' END AS EventDesc,
      strings
    INTO lockedact.csv
    FROM \\%DOMAINCONTROLLER%\Security
    WHERE EventID=644
  3. Run the following command (it has a 90 second run time on ~500,000 remote event viewer records). Log Parser infers -i:EVT from the \\server\Security source and -o:CSV from the .csv extension, so the format switches are optional but make the intent explicit:
    C:\>logparser -i:EVT -o:CSV file:lockedaccounts.sql?DOMAINCONTROLLER=YOURDC
  4. Open the lockedact.csv file in Excel and hunt out the account you want to analyze. The column 'OriginatingMachine' is the machine that locked out the account; the other columns are there for info only. EventID 644 is the one you are interested in (http://www.ultimatewindowssecurity.com/events/com264.htm). Caveats: 644 is a success event in the 'Audit account management' category, so it is only written if that auditing is enabled on the domain controllers, and the account you run Log Parser under needs rights to read the remote Security log. Bad-password attempts are forwarded to the PDC emulator, so query that DC (or every DC) to be sure you see the lockout. On Windows Server 2008 and later the equivalent event is 4740 (A user account was locked out) and the field order differs, so check the position of Caller Computer Name before reusing the token indexes.
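As an added example (not part of the original post), here is a small Python script that does step 4 programmatically instead of by hand in Excel: it reads lockedact.csv as exported by the query above, splits each 644 event's '|'-joined insertion strings into named fields, and reports per account how many lockouts there were, between which times, and from which caller machines. The CSV rows are constructed sample data, not real events, and the script assumes the timestamp format Log Parser writes to CSV (YYYY-MM-DD HH:MM:SS) and the Windows 2000/2003 insertion-string order for event 644.

```python
"""Summarize the lockedact.csv produced by the Log Parser query above.

Example code added for this page, not the original post's. It answers the
step-4 question (which machine locked out which account, how often, when)
without hand-sorting in Excel.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Insertion-string layout of EventID 644 (User Account Locked Out) on
# Windows 2000/2003. Log Parser's EVT 'strings' field joins them with '|'.
FIELDS = (
    "target_account",   # %1 Target Account Name
    "target_id",        # %2 Target Account ID
    "caller_machine",   # %3 Caller Machine Name: the machine that triggered the lockout
    "caller_user",      # %4 Caller User Name (normally the DC's computer account)
    "caller_domain",    # %5 Caller Domain
    "caller_logon_id",  # %6 Caller Logon ID
)

# Constructed sample of lockedact.csv (not real data). Only the three columns the
# summary needs are kept. The last row is a 529 (bad password) that slipped past
# a widened WHERE clause; it must be ignored, since its strings have another layout.
SAMPLE_CSV = r"""TimeLockedout,EventID,strings
2006-10-30 08:12:07,644,"svc_backup|CORP\svc_backup|APP01|DC1$|CORP|(0x0,0x3E7)"
2006-10-30 08:42:11,644,"svc_backup|CORP\svc_backup|APP01|DC1$|CORP|(0x0,0x3E7)"
2006-10-30 09:01:55,644,"jdoe|CORP\jdoe|WKS-JDOE|DC1$|CORP|(0x0,0x3E7)"
2006-10-31 02:15:30,644,"svc_backup|CORP\svc_backup|APP02|DC1$|CORP|(0x0,0x3E7)"
2006-10-31 02:15:31,529,svc_backup|CORP|3|NtLmSsp|NTLM|APP02
"""


def parse_644_strings(strings):
    """Split the '|'-joined insertion strings of one 644 event into named fields."""
    tokens = strings.split("|")
    if len(tokens) < 3:
        raise ValueError("644 event needs at least 3 insertion strings: %r" % strings)
    return dict(zip(FIELDS, tokens))


def summarize_lockouts(csv_text):
    """Return {account: {count, machines (Counter), first, last}} for 644 rows only."""
    summary = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EventID"] != "644":
            continue  # other event IDs have a different strings layout
        ev = parse_644_strings(row["strings"])
        when = datetime.strptime(row["TimeLockedout"], "%Y-%m-%d %H:%M:%S")
        acct = summary.setdefault(
            ev["target_account"].lower(),
            {"count": 0, "machines": Counter(), "first": when, "last": when},
        )
        acct["count"] += 1
        acct["machines"][ev["caller_machine"]] += 1
        acct["first"] = min(acct["first"], when)
        acct["last"] = max(acct["last"], when)
    return summary


def report(summary):
    """One line per account, most lockouts first, caller machines by lockout count."""
    lines = []
    for account, info in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        machines = ", ".join("%s (%d)" % m for m in info["machines"].most_common())
        lines.append("%s: %d lockouts between %s and %s, from %s" % (
            account, info["count"], info["first"], info["last"], machines))
    return lines


if __name__ == "__main__":
    for line in report(summarize_lockouts(SAMPLE_CSV)):
        print(line)
```

To use it on real output, replace SAMPLE_CSV with the contents of lockedact.csv; the 'strings' column is all the script needs besides the time and event ID, so the extra columns the query selects do no harm.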

For more (much, much more) on logparser: http://www.logparser.com

For more elaboration on Log Parser scripts see my blog entry on Log Parser here: Logparser examples and more.

Keywords: Windows, Active Directory, how to, HOWTO use Microsoft logparser to find what machine locked out an account in Windows, what machine locked out an account.

2 comments:

misan said...

Hi Paul,

I've just learned about LogParser and it is a great tool. I'm usually not using Windows so I wonder if you know how to use LogParser on Linux (or whether there is a Linux version).

Thanks,

Miguel

Paul Cooley said...

Miguel,

Logparser is indeed a powerful tool.
Great question. However, as far as I know there is no port of logparser to linux as of today.

Paul