Account Lockout

Troubleshooting Active Directory Account Lockout

When you have an Account Lockout Policy defined in the default domain policy for the Active Directory domain, you will come across situations where accounts are repetitively locked. This article is intended to simplify the troubleshooting process.

The Account Lockout Process

It is important to understand some of the key details in the authentication and lockout process to assist in troubleshooting the problem.

  • When an active directory account performs an authentication attempt, the credentials provided are verified and authenticated by an Active Directory domain controller in the same domain. The Domain Controller selection process uses DNS to find a domain controller in the same Active Directory site as the client. This process is dependent on the configuration in Active Directory Sites and Services.
  • If the authentication attempt fails due to invalid credentials, the authenticating Domain Controller forwards the authentication to the PDC emulator to verify the credentials against the most recent password, if this fails, the PDC responds to the DC with the authentication failure.
  • Note: Password changes in a domain are replicated preferentially to the PDC emulator, meaning the PDC emulator should always have the most recent password.

  • If the authentication attempt failures exceed the limit within the specified threshold configured in the Account Lockout Policy for the domain, the account is locked by the PDC emulator.
    All account lockouts are processed by the PDC emulator.

Locating the source of the Account Lockout

The first step in the troubleshooting process is identifying the source of the authentication failures that caused the Account Lockout. The are several ways that this can be achieved, and there are several tools designed to assist with this process.

1. Check the PDC Emulator

We know from the Account Lockout Process that the PDC emulator is responsible for processing the account lockout. It therefore makes logical sense that this should be the first DC that you check in the troubleshooting process.

If you are running Windows Server 2008 R2 or later, you should enable User Account Management auditing in the Advanced Audit Policy Configuration to enable audit events that assist with this process.

For more information about Advanced Audit Policy Configuration click here

The account lockout event is written to the windows security event log, you should filter for eventID 4740. Review the events to locate the affected account, the event details will contain the caller computer details where the account lockout occurred.

Windows Event 4740

An alternative and faster method to filtering the windows security event log is to use Windows PowerShell to search the event log. Open an elevated PowerShell console and enter the following code:

Get-EventLog -LogName Security | ?{$_.message -like "*locked*USERNAME*"} | fl -property *

Replace ‘USERNAME’ with the locked account name, use CTRL+C to stop the command once you receive the details you’re looking for.

The output will look similar to:
PowerShell Event 4740

2. Use Account Lockout Status tool

While the PDC emulator is the preferable Domain Controller to retrieve lockout information because it is responsible for processing lockouts, the PDC emulator role processes a lot of additional events for the entire domain, including authentication failures, password changes and account lockouts. Because of this, in large environments the windows security event log on the PDC emulator will grow rapidly and depending on the size limit of the event log you may find that the log only holds the last few hours of events.

The Account Lockout Status tool is a combination command-line and graphical tool that displays lockout information about a particular user account. It collects information from every contactable domain controller in the target user account’s domain.

You can download the Account Lockout Status tool here

  1. Run the msi installer to install the tool. Unfortunately it doesn’t register a start menu shortcut, so you’ll need to browse to the installation directory (C:\Program Files (x86)\Windows Resource Kits\Tools)
  2. Run LockoutStatus.exe to launch the tool
  3. Click File > Select Target… to find the details for the locked account
    LockoutStatus_Target
  4. Review the details, the domain controller with the highest bad password count is the most likely to have been the authenticating DC at the time of lockout.
    LockoutStatus_Details
  5. Connect to the domain controller and review the windows security event log, filter for event ID 4740 on Windows Server 2008 and above and event ID 644 for Windows Server 2000 and 2003. Alternatively you can use the Windows PowerShell command provided earlier in this article.
  6. The event details will contain the Caller Machine Name which is the originating client of the failed authentication attempt.

Identify the cause of the account lockout

Now that you’ve identified the source of the account lockout, you need to identify the cause. There are numerous possible causes of authentication failures where an accounts credentials will have been either cached or saved.

Common causes for Account Lockouts

  • Stale Sessions: a user may be logged on to more than one computer, those other logons may be using old credentials that are cached and being used by some applications.
  • Applications: numerous applications either cache the users credentials or have credentials explicitly defined in their configuration.
  • Windows Services: Windows services by default are configured to start using the local system account, however, windows services can be configured to use a specific account, typically referred to as service accounts.
  • Scheduled Tasks: the windows task scheduler requires credentials for any task that is configured to run whether or not a user is logged on to the computer, specific tasks may be configured to use domain credentials.
  • Persistent drive mapping: drive mappings can be configured to use alternate credentials to connect to a shared resource.
  • Stored usernames and passwords: windows can store username and passwords for remote resources, these credentials can be viewed in the credential manager control panel applet.
  • Mobile Devices: mobile devices can have stored credentials for accessing remote resources such as email.

For the majority of situations after identifying the source of the account lockout, identifying and resolving the actually cause is a simple process of elimination.

Useful tools

There are a number of tools that can be used to assist in troubleshooting account lockouts, especially in circumstances where the cause can’t easily be identified.

  • Account Lockout Status: The Account Lockout Status tool is a combination command-line and graphical tool that displays lockout information about a particular user account. It collects information from every contactable domain controller in the target user account’s domain.
  • Account Lockout and Management Tools: ALTools.exe contains tools that assist you in managing accounts and in troubleshooting account lockouts.
  • Process Monitor: Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
  • Microsoft Message Analyzer: Message Analyzer enables you to capture, display, and analyze protocol messaging traffic; and to trace and assess system events and other messages from Windows components.

9 comments

Leave a Reply

Your email address will not be published. Required fields are marked *