Hi, I am using Exchange 2003 on Windows 2003 server. One of my user AD account got locked out and IT guys checked on DC and told the source for this was OWA. This user is using three devices to access emails Laptop, IPhone and Tablet PC. Now they want me to find which device and IP did this. Is there any way to check all that information? I have checked the Security events but did not found any error. Also let me know if any debuggeing needs to be ON to check it in future and how to do it?

If it was OWA, check the IIS logs when the user was attempting to access the mailbox.

If it was OWA, check the IIS logs when the user was attempting to access the mailbox.

On Wed, 22 Aug 2012 18:46:14 +0000, 12341981 wrote: > > >Hi, I am using Exchange 2003 on Windows 2003 server. One of my user AD account got locked out and IT guys checked on DC and told the source for this was OWA. This user is using three devices to access emails Laptop, IPhone and Tablet PC. How'd they know it was OWA? Just because the machine has the OWA URL on it? What about ActiveSync? >Now they want me to find which device and IP did this. Is there any way to check all that information? I have checked the Security events but did not found any error. Also let me know if any debuggeing needs to be ON to check it in future and how to do it? Mobile devices. Geeze. Have you checked to see when the most recent sync was for each device? If one of them stopped syncing recently then it's probably the source of the problem (probably related to a recent password change). Using an "old" password won't casue a lockout unless the "old" password being used is the "Previous+2" password. Current password Previous password Previous+1 password Previous+2 password <== This is the problem This is usually found to be some old device that's still charged and trying to use ActiveSync but hasn't had its password changed in a while. The alternative is someone's trying to log in using a password that's not the "Current", "Previous", or "Previous+1" password. You should be able to find the failures in the IIS log files. I'd ask him to power off the mobile devices and see if the lockouts stop. iPhones and iPads are a PITA. They don't stop trying to login if they fail, they just keep banging away! --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

On Wed, 22 Aug 2012 18:46:14 +0000, 12341981 wrote: > > >Hi, I am using Exchange 2003 on Windows 2003 server. One of my user AD account got locked out and IT guys checked on DC and told the source for this was OWA. This user is using three devices to access emails Laptop, IPhone and Tablet PC. How'd they know it was OWA? Just because the machine has the OWA URL on it? What about ActiveSync? >Now they want me to find which device and IP did this. Is there any way to check all that information? I have checked the Security events but did not found any error. Also let me know if any debuggeing needs to be ON to check it in future and how to do it? Mobile devices. Geeze. Have you checked to see when the most recent sync was for each device? If one of them stopped syncing recently then it's probably the source of the problem (probably related to a recent password change). Using an "old" password won't casue a lockout unless the "old" password being used is the "Previous+2" password. Current password Previous password Previous+1 password Previous+2 password <== This is the problem This is usually found to be some old device that's still charged and trying to use ActiveSync but hasn't had its password changed in a while. The alternative is someone's trying to log in using a password that's not the "Current", "Previous", or "Previous+1" password. You should be able to find the failures in the IIS log files. I'd ask him to power off the mobile devices and see if the lockouts stop. iPhones and iPads are a PITA. They don't stop trying to login if they fail, they just keep banging away! --- Rich Matheisen MCSE+I, Exchange MVP --- Rich Matheisen MCSE+I, Exchange MVP

AD is right, let your admin check IIS log and the application event log to see what error is recorded. Besides, when you got locked out, is there any error message or symptom? thanks. Fiona Liao TechNet Community Support

AD is right, let your admin check IIS log and the application event log to see what error is recorded. Besides, when you got locked out, is there any error message or symptom? thanks. Fiona Liao TechNet Community Support