If a minimum password age is defined, users cannot repeatedly change their passwords to get around the Enforce password history policy setting and then use their original password. This policy setting works in combination with the Enforce password historypolicy setting. Define the Minimum password age policy setting so that passwords cannot be changed until they are more than a certain number of days old.With this policy setting, if an attacker cracks a password, the attacker only has access to the network until the password expires. Define the Maximum password age policy setting so that passwords expire as often as necessary for your environment, typically, every 30 to 90 days.With this policy setting, users cannot use the same password when their password expires. Define the Enforce password history policy setting so that several previous passwords are remembered.
When creating SQL user you can set CHECK_POLICY=on which will enforce the windows password policy on the account.
You can unlock the account with the following options (use another admin account or connect via Windows Authentication): ALTER LOGIN sa WITH PASSWORD='password' UNLOCK So there are chances that an ousider has tried to bruteforce your system. sa is default administartor login available with SQL server. If policy is enabled which locks down the account after X number of failed attempts then the account is automatically locked down.This error with 'sa' account is very common. Login Login failed for user 'sa' because the account is currently locked out. Or, if there is a very large output file, you can import the information into a SQL Server database and use queries to evaluate the information.įor more information about the EventCombMT utility, see the Help files that are included with the tool.To totally unlock this section you need to Log-in You can also import the files into Microsoft Excel. When the query completes, you can view the search results in the output directory that you specified in step 2. Click the server or servers that you want to search, and then click Search. For example, to add computers one at a time, click Add Single Server. To add computers to search, right-click the Select To Search/Right Click To Add box, and then click one of the options.
To search other computers (non-domain controllers) for account lockout events, right-click the Select To Search/Right Click To Add box, and then click Remove Selected Servers From List.
In the To box, choose your end date and time, and then click OK. In the From box, choose your start date and time. In the Options menu, select Set Date Range. In the Event IDs box, type a space, and then type 12294 after the last event number. Also, in the Event IDs box, you see that event IDs 529, 644, 675, 676, and 681 are added. On the Searches menu, point to Built In Searches, and then click Account Lockouts.Īll domain controllers for the domain appear in the Select To Search/Right Click To Add box. If you do not specify an output directory, the default location is C:\Temp. On the Options menu, click Set Output Directory, select an existing folder, or click New Folder to create a new folder to save the output to, and then click OK. To search the event logs for account lockouts, follow these steps:
The EventCombMT utility is included in the Account Lockout and Management Tools download (ALTools.exe). To download the EventCombMT utility, download Account Lockout and Management Tools. Additionally, you can add event ID 12294 to search for potential attacks against the Administrator account. The Account Lockouts search is preconfigured to include event IDs 529, 644, 675, 676, and 681. Some specific search categories are built-in, such as Account Lockouts.
This article describes how to use the EventCombMT utility (EventCombmt.exe) to search the event logs of multiple computers for account lockouts.Īpplies to: Windows Server 2012 R2 Original KB number: 824209 More informationĮventCombMT is a multithreaded tool that you can use to search the event logs of several different computers for specific events, all from one central location.