Joe13, Posted February 7, 2023 (edited)

Hi all,

I need some help with figuring out why AD accounts are getting locked out. I did some extensive googling but cannot trace it.

Hybrid environment with AAD. On-prem OWA disabled to the outside.
All email accounts in O365.

I traced it this way:

On my DCs, lockout source is the Exchange server.
On my Exchange server:
Caller Process Name: C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeFrontendTransport.exe

I cannot find any source in the IIS log files.
If I disable the MSExchangeFrontendTransport.exe service the accounts don’t lock out.

I’m pulling my hair out with this, what else can I do to properly trace and find out what the cause is?

AD acc lockout.txt
Exchange acc lockout.txt

Edited February 7, 2023 by Joe13: Added log files

anyweb, Posted February 7, 2023

Have you looked at all services running on that server to see if any are using one or more of the accounts that are getting locked out?

Joe13, Posted February 8, 2023

8 hours ago, anyweb said: "have you looked at all services running on that server to see if any are using one or more of the accounts that are getting locked out ?"

Yes sir, all services run with local system. The accounts being locked out are domain users.

Explorerdk, Posted March 9, 2023

Hi Joe13,

I am actually having a similar problem and found out it was an outside malicious SMTP login attempt (which is handled by FrontEndTransport.exe), and found this info within the "ProtocolLog\SmtpReceive" logs. This thread - https://www.reddit.com/r/exchangeserver/comments/10yzv8q/msexchangefrontendtransportexe_locking_ad_account/ - gave me great info to find the info.

Quote from article thread:

"
port25 · 26 days ago

"All users lie" -House M.D.

It is probably a receive connector if it's FrontEndTransport

Do you have diagnostic logging turned up on your receive connectors?

IIS Logs should write within 20 minutes or so, but FE is not IIS. If you don't see log activity it's because it's not in use.

Use Get-FrontEndTransportService to find your log location. Should be something like this:

C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive

I'm a fucking moron don't listen to me.
"

I kept the whole quote of that answer, but it really assisted me, so I do not believe in step 6

/Steven
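
One way to follow the SmtpReceive hint in the answer above, as an added example that is not part of the thread: a PowerShell function that counts SMTP `535` authentication failures per remote IP in Frontend Transport protocol logs. The function name `Get-SmtpAuthFailure`, the sample lines and the column layout are assumptions; check the `#Fields:` line of your own logs.

```powershell
# Constructed sample; host names, session ids and IPs (RFC 5737 ranges) are made up.
# Assumed layout: the "#Fields:" header of an SmtpReceive protocol log.
$sample = @'
#Software: Microsoft Exchange Server
#Log-type: SMTP Receive Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2023-03-09T08:15:01.120Z,EXCH01\Default Frontend EXCH01,08DB0000000000A1,4,10.0.0.5:25,203.0.113.7:50112,<,AUTH LOGIN,
2023-03-09T08:15:01.480Z,EXCH01\Default Frontend EXCH01,08DB0000000000A1,8,10.0.0.5:25,203.0.113.7:50112,>,535 5.7.3 Authentication unsuccessful,
2023-03-09T08:15:09.902Z,EXCH01\Default Frontend EXCH01,08DB0000000000A2,8,10.0.0.5:25,203.0.113.7:50140,>,535 5.7.3 Authentication unsuccessful,
2023-03-09T08:16:30.015Z,EXCH01\Default Frontend EXCH01,08DB0000000000A3,8,10.0.0.5:25,198.51.100.23:41877,>,535 5.7.3 Authentication unsuccessful,
2023-03-09T08:17:02.333Z,EXCH01\Default Frontend EXCH01,08DB0000000000A4,3,10.0.0.5:25,192.0.2.10:33001,>,250 2.1.0 Sender OK,
'@ -split '\r?\n'

function Get-SmtpAuthFailure {
    param([string[]]$Line)

    # Column names come from the "#Fields:" header; every other "#" line is metadata.
    $header = $Line | Where-Object { $_ -like '#Fields: *' } | Select-Object -First 1
    if (-not $header) { throw 'No #Fields: header found; is this a protocol log?' }
    $fields = ($header -replace '^#Fields: ', '') -split ','

    # ">" marks a reply sent by the server; 535 is the SMTP "authentication failed" code.
    # Failures are grouped by remote IP with the source port stripped.
    $Line | Where-Object { $_ -and $_ -notlike '#*' } |
        ConvertFrom-Csv -Header $fields |
        Where-Object { $_.event -eq '>' -and $_.data -like '535 *' } |
        Group-Object { $_.'remote-endpoint' -replace ':\d+$', '' } |
        Sort-Object Count -Descending |
        ForEach-Object {
            $times = @($_.Group.'date-time' | Sort-Object)
            [pscustomobject]@{
                RemoteIP  = $_.Name
                Failures  = $_.Count
                First     = $times[0]
                Last      = $times[-1]
                Connector = ($_.Group.'connector-id' | Sort-Object -Unique) -join '; '
            }
        }
}

Get-SmtpAuthFailure -Line $sample | Format-Table -AutoSize
```

On a real server, pass the `Get-Content` output of the `.log` files in the SmtpReceive folder instead of `$sample`, then compare the First/Last times with the lockout events seen on the DC.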