HOW TO: Trace Account lockouts originating from an Active Roles host server (4336875)

Active Directory account lockouts which are originating from an Active Roles server could possibly be linked to hard-coded credentials which need to be updated.

Within an Active Roles configuration, there are only a limited number of places where a credential may be stored:

1. On a Managed Domain
2. On a Mail Configuration
3. Within a custom script module
4. On the Azure Configuration (in a Federated Tenant)
5. In Active Roles 7.4 and above, in the O365 script execution configuration Automation Workflow activity

WORKAROUND

If stopping Active Roles services stops the lockouts, it is related to a configuration within Active Roles. Otherwise, it may be a Windows Scheduled Task and/or an external script.

1. On a Managed Domain 

In the Active Roles Console, navigate to Configuration/Server Configuration/Managed Domains and check the General properties tab of each managed domain.

2. On a Mail Configuration

In the Active Roles Console, navigate to Configuration and click on the Server Configuration container, then open the Mail Configuration container. Check the Mail Setup tab on the properties of each mail configuration.

3. Within a custom script module

In the Active Roles Console, check on the Active Roles root and then select Diagnostics in the centre pane, then click on View or change diagnostic settings. On the Diagnostics tab, click the button to Export Active Roles system summary and save the .zip file to a known location. Inside the .zip file is an XML file. Search this XML for any references to the account of interest. If found, the reference will be within a script module with a DN reference to the target script. Find and edit the necessary script using the Active Roles Console.

4. On the Azure Configuration

In the Active Roles Web Interface, navigate to Directory Services | Azure | Azure Configuration | Azure Tenants and click on the name of the tenant to confirm the Azure Service Account in use. Check the box next to the Tenant and choose the option to Update Azure Admin Password.

5. In Active Roles 7.4 and above, in the O365 script execution configuration Automation Workflow activity

Manually check all Automation Workflows and all instances of the O365 script execution configuration Automation Workflow activity.