
Debug lsass.exe to find process responsible for account lockouts

Jan

One of our users gets locked out of AD once a week. I have identified the source computer which causes the lockout by checking event 4740 on our domain controller.

By monitoring network activity via Procmon from the Sysinternals tools, the only process communicating with our domain controller at the time of the lockout is lsass.exe. I can reproduce the account lockout manually by authenticating with a wrong password and verify that it is indeed lsass.exe which causes the lockout.

1..30 | ForEach-Object {Start-Process calc.exe -Credential (New-Object System.Management.Automation.PSCredential ('DOMAIN\USER', (ConvertTo-SecureString 'aaa' -AsPlainText -Force)))}

How do I analyze lsass.exe further to find out the application that periodically causes these account locks? I have checked everything else on the target machine that has been mentioned in other articles already; my last hope is debugging lsass.exe. If that does not work, the only other option will be to reimage the client. We have checked everything else and did not find the root cause.
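
The event 4740 lookup mentioned in the question, as an added example that is not part of the original post: it reads the lockout events from the domain controller, extracts the caller computer by field name, and groups the hits by weekday and hour so a once-a-week pattern shows when to have tracing ready on the client. The domain controller name, account name and 30-day window are placeholders assumed for illustration.

```powershell
# Added example, not from the original post. Run with rights to read the
# Security log on the domain controller. All three values below are placeholders.
$DomainController = 'DC01.example.test'
$LockedAccount    = 'USER'
$Since            = (Get-Date).AddDays(-30)

$filter = @{ LogName = 'Security'; Id = 4740; StartTime = $Since }

try {
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # Get-WinEvent raises an error when nothing matches; treat that as "no lockouts".
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { $events = @() }
    else { throw }
}

$lockouts = $events |
    ForEach-Object {
        # Read EventData fields by name instead of relying on their position.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            Account        = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
            CallerComputer = $data['TargetDomainName']
        }
    } |
    Where-Object { $_.Account -eq $LockedAccount } |
    Sort-Object TimeCreated

# Chronological list of lockouts for the account.
$lockouts | Format-Table -AutoSize

# Same data grouped by caller, weekday and hour to expose a recurring schedule.
$lockouts |
    Group-Object CallerComputer, { $_.TimeCreated.DayOfWeek }, { $_.TimeCreated.Hour } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```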
