SharePoint (2003 thru Online): June 2017

Tuesday, June 20, 2017

Account lockout with Worker Processes (w3wp.exe)

Jun  01 10:50:00 TRDC1.OU.SP.COM/11.1.9.56/111.99.228.36 MSWinEventLog,4,Security,37482936,Fri Jun 01 10:50:20 2017,4740,Microsoft-Windows-Security-Auditing,SPDEVAPP1\SPFarm,N/A,Success Audit,TRDC1.OU.SP.COM,User Account Management,,A user account was locked out.    Subject:   Security ID:  S-1-5-18   Account Name:  TRDC1$   Account Domain:  NT   Logon ID:  0x9g8    Account That Was Locked Out:   Security ID:  S-1-5-21-787380144-786785121-371256054-14454   Account Name:  SPFarm    Additional Information:   Caller Computer Name: SPDEVAPP1,37363918

The log on the Domain Controller shows that the SPFarm account was locked out, but it gives no clue about what is causing it.

Install Process Monitor (a free Microsoft tool):
https://technet.microsoft.com/en-us/sysinternals/processmonitor.aspx

This tool lets you go through the Process Monitor log to get more details about the account lockout.

Once you identify the Process Monitor log entry related to the account lockout, open Windows Task Manager and add the PID (Process Identifier) column in the Processes tab.

C:\Windows\system32>tasklist /FI "PID eq 5580" /FI "USERNAME eq spfarm"

C:\Windows\system32>cd inetsrv


To pick the right w3wp.exe among multiple worker processes:

C:\Windows\System32\inetsrv>appcmd list wp
WP "6064" (applicationPool:e57375f456e1238c9bcf287fe1fd6234)
WP "5284" (applicationPool:SecurityTokenServiceApplicationPool)
WP "5136" (applicationPool:dab94fcb5f6e4bc4be4f9123426cf456)
WP "7684" (applicationPool:4543drad11234cf087f51c04f1671234)
WP "5580" (applicationPool:90123851e0a1470093450b2d67b2bc73)
WP "696" (applicationPool:9fb84a123c7c4123b70eadbsd2c7adfd)


Get the worker process (w3wp.exe) list: another method

To get the list of running worker processes, open IIS Manager (Run > Inetmgr), select the root level from the left site navigation tree, and select “Worker Processes” from the “Features View” panel.
Click “Worker Processes” to get details of all worker processes that are currently running.
The SPFarm account was getting locked out by the App Pool with PID 5580. We updated the App Pool with a different account and monitored for a couple of days. Everything is fine now.
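
The correlation done by hand above can be scripted. The following is an added example, not code from the original post: it parses the forwarded 4740 record and the `appcmd list wp` output shown on this page and joins them on the PID found in Process Monitor. The function names (parse_lockout, worker_pools, triage) are hypothetical, and the event text is abridged to the fields used.

```python
import re

# Inputs copied from the page; the event text is abridged to the fields used.
EVENT = ("MSWinEventLog,4,Security,37482936,Fri Jun 01 10:50:20 2017,4740,"
         "Microsoft-Windows-Security-Auditing,SPDEVAPP1\\SPFarm,N/A,Success Audit,"
         "TRDC1.OU.SP.COM,User Account Management,,A user account was locked out.    "
         "Subject:   Security ID:  S-1-5-18   Account Name:  TRDC1$    "
         "Account That Was Locked Out:   Security ID:  "
         "S-1-5-21-787380144-786785121-371256054-14454   Account Name:  SPFarm    "
         "Additional Information:   Caller Computer Name: SPDEVAPP1,37363918")
APPCMD = '''WP "6064" (applicationPool:e57375f456e1238c9bcf287fe1fd6234)
WP "5284" (applicationPool:SecurityTokenServiceApplicationPool)
WP "5136" (applicationPool:dab94fcb5f6e4bc4be4f9123426cf456)
WP "7684" (applicationPool:4543drad11234cf087f51c04f1671234)
WP "5580" (applicationPool:90123851e0a1470093450b2d67b2bc73)
WP "696" (applicationPool:9fb84a123c7c4123b70eadbsd2c7adfd)'''

WP_RE = re.compile(r'WP "(\d+)" \(applicationPool:([^)]+)\)')

def parse_lockout(line):
    """Return locked account and caller computer from a forwarded 4740 record."""
    fields = line.split(",")
    if len(fields) < 6 or fields[5] != "4740":
        return None  # not an account-lockout event
    acct = re.search(r"Account That Was Locked Out:.*?Account Name:\s+(\S+)", line)
    caller = re.search(r"Caller Computer Name:\s*([^\s,]+)", line)
    return {"account": acct.group(1) if acct else None,
            "caller": caller.group(1) if caller else None}  # caller may be blank

def worker_pools(appcmd_output):
    """Map each running w3wp.exe PID to its application pool name."""
    return {int(pid): pool for pid, pool in WP_RE.findall(appcmd_output)}

def triage(event_line, appcmd_output, suspect_pid):
    """Join the lockout event with the PID identified in Process Monitor."""
    lockout = parse_lockout(event_line)
    if lockout is None:
        raise ValueError("not a 4740 lockout event")
    # app_pool is None when the PID is no longer a worker process, e.g. the
    # pool recycled (new PID) since the capture; re-run `appcmd list wp` then.
    pool = worker_pools(appcmd_output).get(suspect_pid)
    return {**lockout, "pid": suspect_pid, "app_pool": pool}

if __name__ == "__main__":
    print(triage(EVENT, APPCMD, 5580))
```

A worker process gets a new PID when its pool recycles, so capture the `appcmd list wp` output while the process seen in Process Monitor is still running.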