RDP : New Password, Account Lockout

Well, this is another one that seems simple to fix with the options you get in Active Directory. Let's set the scene: you have updated your password in line with your company policy, and since then you keep being locked out, and you wonder why.

Lockout 101 : Event ID 4740

Well, the first port of call should be Security Event ID 4740 on the domain controller holding the "PDC Emulator" FSMO role, as that DC records every lockout in the domain, so it is a good place to start. When you filter the Security log for it, the filter looks like this:

That will then give you something like this:

A user account was locked out.

Subject:
Security ID: SYSTEM
Account Name: BearDC1$
Account Domain: BEAR
Logon ID: 0x3E7

Account That Was Locked Out:
Security ID: BEAR\lockout.user
Account Name: lockout.user

Additional Information:
Caller Computer Name: PESKYRDPSESSION

Query the RDP session on the server

This tells you that, in this instance, the user lockout.user has been locked out from the server PESKYRDPSESSION, because the user never logged off their session on it. That sounds simple, but let's look further. Here is an active session, listed with the query command:

query session /server:beardc1

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp#54        admlcrouc2                6  Active
 rdp-tcp                                 65536  Listen

Disconnecting, not logging off?

You can clearly see my session above (ID 6, rdp-tcp#54) and it is "Active", which means I am using it. However, when I have finished, if I end my session like this:



I then get this dialog. If you do not get it, you have ticked "Don't display this message again", and this is where your fault lies: closing the window this way puts your session in a disconnected state. It did warn you.


If I run that same command again, you will now notice the status is "Disc" for "Disconnected". This is not a good place to leave your account, as it is still logged on to the server, only disconnected.

query session /server:beardc1

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp#54        admlcrouc2                6  Disc
 rdp-tcp                                 65536  Listen

Reset your disconnected session

If you wish to reset this session, you can use, for this example (session ID 6), this command:

reset session /server:beardc1 6

Log off the server correctly

This is not really new advice, but to log off a server you need to click the Start button, then your user icon, then "Sign out", or from cmd/PowerShell you can use "logoff".


Then when you run that command again you get this (after you have logged off, as you should have done to start with); notice your session is no longer there:

 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
 rdp-tcp                                 65536  Listen

Right, this only covers one server; what about all the others? Well, that is also simple to fix: from Active Directory Users and Computers, open the user in question and select the Sessions tab, as below:


This shows the default RDP session timeout and reconnection settings. Notice these are set to Never for "End a disconnected session", "Active session limit" and "Idle session limit", and the default action is "Disconnect from session". For this particular example, this is all wrong, as you can see.

This is the reason the session remains disconnected and an account lockout occurs when the user changes their password, so let's update this to the new values as below:


With this update, 30 minutes after being disconnected the session will end rather than remain disconnected. However, this only applies to new RDP sessions, not existing disconnected ones, but it will stop a recurrence in the future.

Caveat : Advice only works for new sessions

If you are already being locked out, you will need to trace all the lockouts via Event ID 4740 to ensure you have properly logged off every server you have used and where your account still has a disconnected session.
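To do that tracing in one pass, the following added PowerShell script (not from the original post) reads the 4740 events from the PDC emulator for one account, pulls out every Caller Computer Name, and then runs "query session" against each of those servers looking for a disconnected session of that user; it only logs sessions off when you pass -LogOff. It assumes the ActiveDirectory module is installed, that you can read the Security log on the PDC emulator, and that you have admin rights on the servers for query session and logoff.

```powershell
# Added example: trace Event ID 4740 lockouts back to stale, disconnected RDP sessions.
# Assumes: ActiveDirectory module, read access to the PDC emulator's Security log,
# and admin rights on the reported servers (for 'query session' and 'logoff').
param(
    [Parameter(Mandatory)][string]$User,   # account being locked out, e.g. lockout.user
    [int]$Hours = 24,                      # how far back to look in the Security log
    [switch]$LogOff                        # report only unless this switch is given
)

$pdc = (Get-ADDomain).PDCEmulator
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
$escUser = [regex]::Escape($User)

# 4740 on the PDC emulator covers the whole domain; the "Caller Computer Name" field
# is the machine that presented the old credentials, i.e. where the stale session lives.
$callers = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter |
    Where-Object { $_.Message -match "Account Name:\s+$escUser\b" } |
    ForEach-Object {
        if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] }
    } |
    Sort-Object -Unique

if (-not $callers) { Write-Output "No 4740 events for $User in the last $Hours hours"; return }

# Disconnected sessions usually have a blank SESSIONNAME column in 'query session'
# output, so that first column is optional in the pattern. Captures the session ID.
$pattern = "^\s*(\S+\s+)?$escUser\s+(\d+)\s+Disc"

foreach ($server in $callers) {
    $lines = query session /server:$server 2>$null
    if (-not $lines) { Write-Warning "$server : could not query sessions"; continue }

    foreach ($line in $lines) {
        if ($line -match $pattern) {
            $id = $Matches[2]
            Write-Output "$server : disconnected session $id for $User"
            # Same effect as 'reset session /server:<server> <id>' in the post, but
            # only when explicitly requested.
            if ($LogOff) { logoff $id /server:$server }
        }
    }
}
```

Run it first without -LogOff to see the list of servers still holding a disconnected session, then sign out of each one properly (or re-run with -LogOff) before the next bad-password attempt trips the lockout threshold again.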
