Account Lockout (part 2 of 4)

In Microsoft Download Center, search and download “Account Lockout and Management Tools”
Double-click “ALTools.exe” to extract all on 64-bit Windows Server 2008 R2 platformThe related files will be here.

Scenario
One day, someone tell you that her or his account is locked and want to know what happen. In the moment, how to track this status?

By LockoutStatus utility
Right-click “LockoutStatus.exe” next to click Run as administrator in the menu
Click File –> Select Target…Key locked account name as “test_2” into Target User Name and its domain name as “dw.com” into Target Domain Name.
If need to use the enough AD right, please enable “Use Alternate Credentials” check box and key in the related data as User Name, Password and Domain Name.
Now you can know when this account is locked and which DC lock it.Right-click this next to click “Open Event Viewer" in menu
In Event Viewer, expand Windows Logs and right-click Security next to click “Filter Current Log…” in menu
Key in ID numbers as “4625,4740,4771,4772,4777” next to click “OK” button
Now you can see all filtered log
Open each log to realize which computer trigger the locked status.
Maybe we need to log on this computer to realize what reason trigger the locked happen.
According to common causes for account lockouts (reference 3), sometimes we cannot find the root cause event though follow its suggestion.

Reference
(1). Description of security events in Windows Vista and in Windows Server 2008
     or  Description of security events in Windows 7 and in Windows Server 2008 R2
(2). Standalone Utility --- Account Lockout Status (LockoutStatus.exe)
(3). Common Causes for Account Lockouts

<<<   Account Lockout (part 1 of 4)

 Account Lockout (part 3 of 4)   >>>

Set RPC Dynamic Range port on Any Servers

In the DFSR mechanism, it always use RPC Dynamic port to communicate with DC when want to generate the Health Report.
Due to the firewall locates between DFSR Server and DC, so I need to set RPC Dynamic port to fixed port on DC.
How to do it? Add the registry entity,key and value!

Add Registry Entity
By Registry Editor, explore “HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc" and right-click “Rpc" next to click “New", "Key" in menuWrite down “Internet"

Add Registry Key and Value
Right-click “Internet" next to click “New", "Multi-String Value" in menu
Write down “Ports”
Right-click “Ports” and click “Modify…”
Write down “5000-5100” in Value data field next to click “OK” button
Right-click “Internet" next to click “New", "String Value" in menu
Write down “PortsInternetAvailable”
Right-click “PortsInternetAvailable” and click “Modify…”
Write down “Y” in Value data field next to click “OK” button
Right-click “Internet" next to click “New", "String Value" in menu
Write down “UseInternetPorts”
Right-click “UseInternetPorts” and click “Modify…”
Write down “Y” in Value data field next to click “OK” button
Now we have already finished the registry setting.
Restart this Server so that all applications use RPC dynamic port will run on between 5000 and 5100.

In the moment, the firewall need to create a rule for TCP/5000-5100 from DFSR Server to DC. So does that the health report will be generated now.

For reference KB 154596