- \n
- The jcagent.log is reported in the local device time.<\/li>\n\n\n\n
- Directory Insights is reported in UTC but converted to local time in the console.<\/li>\n\n\n\n
- Windows logs will be recorded in local device time but if opened on another device during viewing will be converted to the time of the device being used for review.<\/li>\n<\/ul>\n\n\n\n
Determine if an End User was Locked Out of their Local Device<\/h3>\n\n\n\n
The fastest way to determine if a user has been locked out of their local device due to failed logins on that local device is to review the 黑料海角91入口 agent log file(s) for a \u201clock out\u201d action. This \u201clock out\u201d action will also result in the user being locked out from the 黑料海角91入口 User Portal. <\/p>\n\n\n\n
Search for: <\/strong>Locking user<\/kbd> within the jcagent.log*<\/strong><\/p>\n\n\n\n
\n2021\/01\/26 17:17:37 [8506] [INFO] Locking user acaw9. User reached maximum failed password attempts (3)
2021\/01\/26 17:18:18 [8506] [INFO] Locking user acaw9. User reached maximum failed password attempts (3)<\/p>\n<\/div><\/div>\n\n\n\nLog Analysis Examples <\/h4>\n\n\n\n
Scenario 1: The user attempts to log into their device 3 times and on the 4th attempt, the end user is locked out due to entering the wrong password.<\/a>\nSearch for:<\/strong> failed to login from<\/kbd> within the jcagent.log*<\/strong><\/p>\n\n\n\n
\n2021\/01\/26 17:16:23 [8506] [INFO] User acaw9 failed to login from <nil>, process name: , caused by password change failure: false
2021\/01\/26 17:17:28 [8506] [INFO] User acaw9 failed to login from <nil>, process name: , caused by password change failure: false
2021\/01\/26 17:17:32 [8506] [INFO] User acaw9 failed to login from <nil>, process name: , caused by password change failure: false
2021\/01\/26 17:17:37 [8506] [INFO] User acaw9 failed to login from <nil>, process name: , caused by password change failure: false<\/p>\n<\/div><\/div>\n\n\n\nSearch for:<\/strong> Processing disabling users<\/kbd> within the jcagent.log*<\/strong><\/p>\n\n\n\n
\n2021\/01\/26 17:14:02 [8506] [INFO] Processing disabling users, disableUsers=map[]
2021\/01\/26 17:18:17 [8506] [INFO] Processing disabling users, disableUsers=map[acaw9:0xc00054a5a0]<\/p>\n<\/div><\/div>\n\n\n\nSearch for:<\/strong> Locking user<\/kbd> within the jcagent.log*<\/strong><\/p>\n\n\n\n
\n2021\/01\/26 17:17:37 [8506] [INFO] Locking user acaw9. User reached maximum failed password attempts (3)
2021\/01\/26 17:18:18 [8506] [INFO] Locking user acaw9. User reached maximum failed password attempts (3)<\/p>\n<\/div><\/div>\n<\/div><\/div><\/div>\n\n\n\nScenario 2: The user attempts to log into the device 2 times and then attempts to log into the User Console, and fails due to entering in the wrong password.<\/a>\nSearch for:<\/strong> failed to login from<\/kbd> within the jcagent.log*<\/strong><\/p>\n\n\n\n
\n2021\/01\/26 07:58:48 [8506] [INFO] User acaw9 failed to login from <nil>, process name: , caused by password change failure: false
2021\/01\/26 07:59:06 [8506] [INFO] User acaw9 failed to login from <nil>, process name: , caused by password change failure: false<\/p>\n<\/div><\/div>\n\n\n\nSearch for:<\/strong> Processing disabling users<\/kbd> within the jcagent.log*<\/strong><\/p>\n\n\n\n
\n2021\/01\/26 07:48:36 [8506] [INFO] Processing disabling users, disableUsers=map[]
2021\/01\/26 07:59:31 [8506] [INFO] Processing disabling users, disableUsers=map[acaw9:0xc00021c900]
2021\/01\/26 08:34:09 [8506] [INFO] Processing disabling users, disableUsers=map[]<\/p>\n<\/div><\/div>\n\n\n\nSearch for:<\/strong> Locking user<\/kbd> within the jcagent.log*<\/strong><\/p>\n\n\n\n
\n— <no entries returned from log><\/p>\n<\/div><\/div>\n<\/div><\/div><\/div>\n\n\n\n
Analysis & Next Steps<\/h3>\n\n\n\n
In the second scenario, the end user only fails login 2 times, but is placed in the disabled user state and there is no lockout action reported in the logs. This indicates that either:<\/p>\n\n\n\n
- \n
- The end user may have already attempted and failed to log into the User Console, or has proceeded to attempt to log into the User Console and failed. <\/li>\n\n\n\n
- The end user may have also failed to log into another bound device, so the \u201clock out\u201d action was triggered from another device and Directory Insights data review will be required. <\/li>\n<\/ul>\n\n\n\n
To complete the analysis, Directory Insights data should be reviewed in the console for the end user that is being investigated and All devices should be selected as noted below. <\/p>\n\n\n\n
Due to failed login reporting and processing, it may be necessary to expand the search for failed login attempts well before the lockout or disable actions noted in the 黑料海角91入口 agent log. The final failed login attempt is often noted after the \u201cLock out\u201d event is reported in Directory Insights as the platform will trigger the lockout on the local device before the log for the failed login attempt can be pushed to Directory Insights per processing overhead. <\/p>\n\n\n\n
Performing an In-depth Log Review <\/h2>\n\n\n\n
While the previous process is useful for quickly determining if a user has been locked out of their local device, further review can be required to determine the underlying causes. <\/p>\n\n\n\n
To perform an in-depth log review, you can use information gathered from the following resources:<\/p>\n\n\n\n
- \n
- Review the 黑料海角91入口 Agent Log<\/a><\/li>\n\n\n\n
- Review the Windows Event Logs<\/a><\/li>\n<\/ul>\n\n\n\n
Review the 黑料海角91入口 Agent Log<\/h3>\n\n\n\n
To review the 黑料海角91入口 Agent Log, search the agent log for a failed login message similar to the following:<\/p>\n\n\n\n
\n2019\/04\/30 08:41:04 [4184] [INFO] User USERNAME failed to login from <nil>, process name: -, time: 2019-04-30T15:41:03.636975000Z<\/p>\n<\/div><\/div>\n\n\n\n
A message of this type will generally<\/em> indicate a Windows service is causing the issue. This entry will be helpful to us when cross-referenced with Windows Event logging to determine the root cause of the lockout. <\/p>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\")
<\/p><\/div>Note:<\/strong> \n<nil> is where the 黑料海角91入口 agent normally reports the IP address if it were an external connection. If it does indeed report as <nil>, it was a local connection on the device. <nil> most commonly appears in the log, however, localhost or 127.0.0.1 (local connection being a local process) may also be logged<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Review the Windows Logs<\/h3>\n\n\n\n
To review Windows logs, you must first load your saved Event Log into the Windows Event Log Viewer. <\/p>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nWhen importing and reviewing Windows Event logs that originated in another timezone, logs are commonly converted to the local device timezone.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To load your saved Event Log into the Windows Event Log Viewer<\/strong>:<\/p>\n\n\n\n
- \n
- Right-Click on Windows Log<\/strong>.<\/li>\n\n\n\n
- Select Open Saved Log<\/strong>. <\/li>\n\n\n\n
- Navigate to the location where the log is saved.<\/li>\n\n\n\n
- Open the log.
![\"\"](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/open_saved_windows_logs.png\")
<\/li>\n<\/ol>\n\n\n\n- \n
- When the log is loaded:\n
- \n
- From the right-hand Actions pane, click Filter Current Log\u2026<\/strong><\/li>\n\n\n\n
- On the Filter Current Log<\/strong> dialog, locate the field with a value <All Event IDs><\/em><\/strong>. <\/em>Click into this field to filter by Event IDs.\n
- \n
- Event types identified by 黑料海角91入口 as possible actors in lockout events include the following:\n
- \n
- 4625 Account failed to log on<\/li>\n\n\n\n
- 4740<\/a> A user account was locked out<\/li>\n\n\n\n
- 4648<\/a> A logon was attempted using explicit credentials<\/li>\n\n\n\n
- 5379<\/a> Windows credential manager <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Click the OK<\/strong> button at the bottom of the Filter Current Log<\/strong> dialog. Note<\/strong>: that depending on the size of the log this could take some time.<\/li>\n\n\n\n
- Examine the Logon Type.\n
- \n
- Logon Type<\/strong>: This is a valuable piece of information because it tells you how the user just logged on. See this article<\/a> for a table of logon type codes.The Logon Type field indicates the kind of logon that was requested. The most common types are:\n
- \n
- Type 2 – an interactive logon.<\/li>\n\n\n\n
- Type 3 – a network logon.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- If this appears to be a third-party application, you will want to investigate that specific application for stored credentials.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n\n\n\n
See cross-referencing logs section<\/a> for the next steps to help you determine what process may be causing the lockout<\/p>\n\n\n\n
<\/a>Cross-referencing Logs<\/strong><\/h2>\n\n\n\n
In some cases, you might need to cross reference the 黑料海角91入口 Agent logs and the Windows event Logs to find out what is causing a user lock on a Windows device. <\/p>\n\n\n\n
The following is an example of how to do this with a 5379<\/strong> event.<\/p>\n\n\n\n
To cross-reference logs<\/strong>:<\/p>\n\n\n\n
- \n
- Locate a failed login entry in the 黑料海角91入口 agent log. Note the timestamp and have Directory Insight information available.<\/li>\n\n\n\n
- From the Windows Event Log, filter for your selected event ID.<\/li>\n\n\n\n
- It may be useful to add an additional filter for date and time so the filtered results correlate with the selected incident from the 黑料海角91入口 agent log and the number of entries to be review are reduced<\/li>\n\n\n\n
- If there is a correlating time between the 黑料海角91入口 log and the Windows Event Log, open that specific event:
![\"\"](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/05\/windows_event_properties.png\")
Opening the event will display detailed information. In this example, we can see the highlighted event\u2019s source and the date and time it occurred. The General <\/strong>tab shows basic information, while the Details <\/strong>tab shows raw event data.<\/li>\n<\/ol>\n\n\n\n- \n
- The 5379 event occurs when a user performs a read operation on stored credentials in Windows Credential Manager (WCM). Since the successful read from WCM correlates with a failed login in 黑料海角91入口 it\u2019s very likely that there\u2019s an issue with the credentials cached by WCM. <\/li>\n\n\n\n
- The next step would be to open WCM and make a note of which applications have cached credentials. If there are multiple credentials, it\u2019s necessary to utilize the process of elimination to determine which applications in WCM are causing the lockout.<\/li>\n\n\n\n
- Examining other events will follow a similar process of correlating timestamps and user activity with Windows Event log entries to determine the source of the issue. <\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Note:<\/strong> \n
When the problematic process is svchost.exe<\/strong>, be aware that this is a generic host process name for services that run from dynamic-link libraries. As a result, the source of the bad login error is not immediately recognizable. Troubleshooting svchost.exe presents a unique challenge because of this. The investigation involves determining what\u2019s running under svchost during a user\u2019s session, then confirming against the 黑料海角91入口 agent log or Directory Insights for processes with related timing.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To generate a list of all svchost.exe processes:<\/strong><\/p>\n\n\n\n
On any version of Windows, you can use the command line to generate a list of all the svchost.exe processes along with the service that is running inside each. <\/p>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/important-icon.png\")
<\/p><\/div>Important:<\/strong> \nYou need to run this command in the context of the user affected by lockouts, so make sure they\u2019re logged in to the device before elevating to admin and collecting the svchost information.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
- 4648<\/a> A logon was attempted using explicit credentials<\/li>\n\n\n\n
- On the Filter Current Log<\/strong> dialog, locate the field with a value <All Event IDs><\/em><\/strong>. <\/em>Click into this field to filter by Event IDs.\n
- From the right-hand Actions pane, click Filter Current Log\u2026<\/strong><\/li>\n\n\n\n
- Select Open Saved Log<\/strong>. <\/li>\n\n\n\n
- Review the Windows Event Logs<\/a><\/li>\n<\/ul>\n\n\n\n
- Review the 黑料海角91入口 Agent Log<\/a><\/li>\n\n\n\n