Troubleshoot account lockout problems with an Azure Active Directory Domain Services managed domain

To prevent repeated malicious sign-in attempts, an Azure Active Directory Domain Services (Azure AD DS) managed domain locks an account after a defined number of failed sign-in attempts. An account lockout can also happen by accident, with no sign-in attack involved. For example, if a user repeatedly enters the wrong password, or a service keeps trying an old password, the account gets locked out.

This troubleshooting article outlines why account lockouts happen, how you can configure the lockout behavior, and how to review security audits to troubleshoot lockout events.

What is an account lockout?

A user account in an Azure AD DS managed domain is locked out when a defined threshold for unsuccessful sign-in attempts has been met. This account lockout behavior is designed to protect you from repeated brute-force sign-in attempts that may indicate an automated attack.

By default, if there are 5 bad password attempts in 2 minutes, the account is locked out for 30 minutes.

The default account lockout thresholds are configured using fine-grained password policy. If you have a specific set of requirements, you can override these default account lockout thresholds. However, it's not recommended to relax the thresholds in an attempt to reduce the number of account lockouts. Troubleshoot the source of the account lockout behavior first.

Fine-grained password policy

Fine-grained password policies (FGPPs) let you apply specific restrictions for password and account lockout policies to different users in a domain. FGPP only affects users within a managed domain. Cloud users and domain users synchronized into the managed domain from Azure AD are only affected by the password policies within the managed domain. Their accounts in Azure AD or an on-premises directory aren't impacted.

Policies are distributed through group association in the managed domain, and any changes you make are applied at the next user sign-in. Changing the policy doesn't unlock a user account that's already locked out.

For more information on fine-grained password policies, and the differences between users created directly in Azure AD DS versus synchronized in from Azure AD, see Configure password and account lockout policies.

Common account lockout reasons

The most common reasons for an account to be locked out, without any malicious intent or factors, include the following scenarios:

  • The user locked themselves out.
    • After a recent password change, has the user continued to use a previous password? The default account lockout policy of five failed attempts in 2 minutes can be triggered by the user inadvertently retrying an old password.
  • There's an application or service that has an old password.
    • If an account is used by applications or services, those resources may repeatedly try to sign in using an old password. This behavior causes the account to be locked out.
    • Try to minimize use of the same account across multiple applications or services, and record where credentials are used. If an account password is changed, update the associated applications or services accordingly.
  • The password has been changed in a different environment and the new password hasn't synchronized yet.
    • If an account password is changed outside of the managed domain, such as in an on-premises AD DS environment, it can take a few minutes for the password change to synchronize through Azure AD and into the managed domain.
    • A user who tries to sign in to a resource in the managed domain before that password synchronization has completed can cause their account to be locked out.

Troubleshoot account lockouts with security audits

To troubleshoot when account lockout events occur and where they're coming from, enable security audits for Azure AD DS. Audit events are only captured from the time you enable the feature, so ideally you should enable security audits before there's an account lockout issue to troubleshoot. If a user account repeatedly has lockout issues, you can enable security audits so that the data is ready the next time the situation occurs.

Once you have enabled security audits, the following sample queries show you how to review Account Lockout Events, code 4740.

View all the account lockout events for the last seven days:

AADDomainServicesAccountManagement
| where TimeGenerated >= ago(7d)
| where OperationName has "4740"

View all the account lockout events for the last seven days for the account named driley:

// Event 4740 (account locked out) is an account-management audit, so it is
// queried from the same table as the other examples on this page.
AADDomainServicesAccountManagement
| where TimeGenerated >= ago(7d)
| where OperationName has "4740"
// Pull the account name out of the event text and compare case-insensitively
| where "driley" == tolower(extract("Logon Account:\t(.+[0-9A-Za-z])",1,tostring(ResultDescription)))

View all the account lockout events between June 26, 2020 at 9 a.m. and July 1, 2020 midnight, sorted ascending by the date and time:

AADDomainServicesAccountManagement
| where TimeGenerated >= datetime(2020-06-26 09:00) and TimeGenerated <= datetime(2020-07-01)
| where OperationName has "4740"
| sort by TimeGenerated asc
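The queries above list individual lockouts; to find which accounts keep getting locked out and from which computer (the stale-credential pattern described earlier), the following query is an added example, not one from the original article. It assumes ResultDescription carries the standard Windows 4740 event text with "Account That Was Locked Out" / "Account Name:" and "Caller Computer Name:" fields, which you should verify against one of your own events before relying on it.

```kql
// Added example: summarize 4740 lockouts per account and caller computer over 7 days.
// Assumption: ResultDescription contains the standard Windows 4740 text fields.
AADDomainServicesAccountManagement
| where TimeGenerated >= ago(7d)
| where OperationName has "4740"
| extend Description = tostring(ResultDescription)
// The locked-out account is the "Account Name:" that follows "Account That Was Locked Out:"
| extend LockedAccount = tolower(extract(@"Account That Was Locked Out:[\s\S]*?Account Name:\s*(\S+)", 1, Description))
// The caller computer is where the failing sign-in attempts originated
| extend CallerComputer = extract(@"Caller Computer Name:\s*(\S+)", 1, Description)
| summarize Lockouts = count(),
            FirstLockout = min(TimeGenerated),
            LastLockout = max(TimeGenerated)
    by LockedAccount, CallerComputer
// Repeat lockouts from the same computer usually point to a service or app with an old password
| where Lockouts > 1
| sort by Lockouts desc
```

An account that appears with one caller computer and many lockouts is the place to start checking for a scheduled task, service, or mapped drive still holding the previous password.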

Next steps

For more information on using fine-grained password policies to adjust account lockout thresholds, see Configure password and account lockout policies.

If you still have problems joining your VM to the managed domain, find help and open a support ticket for Azure Active Directory.