Joe13

Exchange domain account lockout issue

Question

Hi all,

I need some help with figuring out why AD accounts are getting locked out. I did some extensive googling but cannot trace it.

Hybrid environment with AAD. On-prem OWA disabled to the outside.
All email accounts in O365.

I traced it this way:
On my DCs, the lockout source is the Exchange server.

On my Exchange server:
Caller Process Name: C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe

I cannot find any source in the IIS log files.

If I disable the MSExchangeFrontendTransport.exe service the accounts don’t lock out.

I’m pulling my hair out with this, what else can I do to properly trace and find out what the cause is?

 

AD acc lockout.txt Exchange acc lockout.txt

Edited by Joe13
Added log files


3 answers to this question

8 hours ago, anyweb said:

Have you looked at all services running on that server to see if any are using one or more of the accounts that are getting locked out?

Yes sir, all services run with local system.

The accounts being locked out are domain users.


Hi Joe13,

I am actually having a similar problem and found out it was outside malicious SMTP login attempts (which are handled by FrontEndTransport.exe). I found this info within the "ProtocolLog\SmtpReceive" logs. This thread - https://www.reddit.com/r/exchangeserver/comments/10yzv8q/msexchangefrontendtransportexe_locking_ad_account/ - gave me great info on where to find it.

Quote from article thread:

"

· 26 days ago
 
  1. "All users lie" -House M.D.

  2. It is probably a receive connector if it's FrontEndTransport

  3. Do you have diagnostic logging turned up on your receive connectors?

  4. IIS Logs should write within 20 minutes or so, but FE is not IIS. If you don't see log activity it's because it's not in use.

  5. Use Get-FrontEndTransportService to find your log location. Should be something like this: C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

  6. I'm a fucking moron don't listen to me. :)

"

I kept the whole quote of that answer, but it really assisted me, so I do not believe in step 6 :P

 

/Steven
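
One way to summarise failed SMTP logins from the SmtpReceive protocol logs mentioned above, as an added example that is not part of the original posts. It assumes the standard protocol-log field order and that a failed login is answered with a `535` reply; the function name `Get-SmtpAuthFailure`, the host `EXCH01` and the sample lines are constructed for illustration.

```powershell
# Field order from the "#Fields:" header of Exchange SMTP protocol logs (assumed layout).
$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

# Constructed sample lines (documentation IP ranges, made-up host EXCH01).
$sample = @'
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2023-03-01T08:15:01.100Z,EXCH01\Default Frontend EXCH01,08DB1A0000000001,4,192.0.2.10:25,203.0.113.45:51122,<,AUTH LOGIN,
2023-03-01T08:15:01.900Z,EXCH01\Default Frontend EXCH01,08DB1A0000000001,8,192.0.2.10:25,203.0.113.45:51122,>,535 5.7.3 Authentication unsuccessful,
2023-03-01T08:15:07.300Z,EXCH01\Default Frontend EXCH01,08DB1A0000000002,8,192.0.2.10:25,203.0.113.45:51140,>,535 5.7.3 Authentication unsuccessful,
2023-03-01T08:16:12.000Z,EXCH01\Default Frontend EXCH01,08DB1A0000000003,8,192.0.2.10:25,198.51.100.7:40022,>,535 5.7.3 Authentication unsuccessful,
2023-03-01T08:17:30.500Z,EXCH01\Default Frontend EXCH01,08DB1A0000000004,6,192.0.2.10:25,192.0.2.50:61000,>,250 2.0.0 OK,
'@ -split "`r?`n"

# Hypothetical helper: counts 535 replies per client IP across the given log lines.
function Get-SmtpAuthFailure {
    param([Parameter(Mandatory)][string[]]$Line)
    $Line |
        Where-Object { $_ -and $_ -notmatch '^#' } |                    # drop blanks and header lines
        ConvertFrom-Csv -Header $fields |
        Where-Object { $_.event -eq '>' -and $_.data -like '535 *' } |  # server sent an auth failure
        Group-Object { $_.'remote-endpoint' -replace ':\d+$' } |        # strip the client port
        Sort-Object Count -Descending |
        ForEach-Object {
            $rows = @($_.Group)
            [pscustomobject]@{
                SourceIP  = $_.Name
                Failures  = $_.Count
                Connector = ($rows.'connector-id' | Select-Object -Unique) -join '; '
                FirstSeen = $rows[0].'date-time'
                LastSeen  = $rows[-1].'date-time'
            }
        }
}

# Run against the constructed sample.
Get-SmtpAuthFailure -Line $sample | Format-Table -AutoSize

# Real use: pass the lines of the files in the SmtpReceive log folder, e.g.
# Get-SmtpAuthFailure -Line (Get-Content '<SmtpReceive log folder>\*.log')
```

Source addresses with many failures that line up with the lockout times on the DCs are the ones to block or rate-limit at the firewall or receive connector.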

 
