About Kriss

Experienced Solution Architect specialising in Microsoft Enterprise Systems, Amazon Web Services and Automation with more than 14 years experience in the Information Technology industry.

Advocate for Digital Transformation, Innovation and Automation; Transforming complex business problems into innovative digital solutions on modern cloud platforms using well architected frameworks and design patterns.

Recent tags

Active Directory

Troubleshooting Active Directory Account Lockout

14 January 2016 by 393 Views
Windows 7 stuck on “Checking For Updates”
01 October 2015
ConfigMgr Some Drivers Can Not be Imported
07 April 2016
Active Directory
Troubleshooting Active Directory Account Lockout
14 January 2016 by in Active Directory

When you have an Account Lockout Policy defined in the default domain policy for the Active Directory domain, you will come across situations where accounts are repetitively locked. This article is intended to simplify the troubleshooting process.

The Account Lockout Process

It is important to understand some of the key details in the authentication and lockout process to assist in troubleshooting the problem.

  • When an active directory account performs an authentication attempt, the credentials provided are verified and authenticated by an Active Directory domain controller in the same domain. The Domain Controller selection process uses DNS to find a domain controller in the same Active Directory site as the client. This process is dependent on the configuration in Active Directory Sites and Services.
  • When an active directory account performs an authentication attempt, the credentials provided are verified and authenticated by an Active Directory domain controller in the same domain. The Domain Controller selection process uses DNS to find a domain controller in the same Active Directory site as the client. This process is dependent on the configuration in Active Directory Sites and Services.
  • If the authentication attempt fails due to invalid credentials, the authenticating Domain Controller forwards the authentication to the PDC emulator to verify the credentials against the most recent password, if this fails, the PDC responds to the DC with the authentication failure.
    Note: Password changes in a domain are replicated preferentially to the PDC emulator, meaning the PDC emulator should always have the most recent password.
  • If the authentication attempt failures exceed the limit within the specified threshold configured in the Account Lockout Policy for the domain, the account is locked by the PDC emulator.
    All account lockouts are processed by the PDC emulator.

Locating the source of the Account Lockout

The first step in the troubleshooting process is identifying the source of the authentication failures that caused the Account Lockout. The are several ways that this can be achieved, and there are several tools designed to assist with this process.

1. Check the PDC Emulator

We know from the Account Lockout Process that the PDC emulator is responsible for processing the account lockout. It therefore makes logical sense that this should be the first DC that you check in the troubleshooting process.

Note
If you are running Windows Server 2008 R2 or later, you should enable User Account Management auditing in the Advanced Audit Policy Configuration to enable audit events that assist with this process.
For more information about Advanced Audit Policy Configuration click here

The account lockout event is written to the windows security event log, you should filter for eventID 4740. Review the events to locate the affected account, the event details will contain the caller computer details where the account lockout occurred.

Image module

An alternative and faster method to filtering the windows security event log is to use Windows PowerShell to search the event log. Open an elevated PowerShell console and enter the following code:

Get-EventLog -LogName Security | ?{$_.message -like "*locked*USERNAME*"} | fl -property *

Replace ‘USERNAME’ with the locked account name, use CTRL+C to stop the command once you receive the details you’re looking for. The output will look similar to:

Image module
2. Use Account Lockout Status tool

While the PDC emulator is the preferable Domain Controller to retrieve lockout information because it is responsible for processing lockouts, the PDC emulator role processes a lot of additional events for the entire domain, including authentication failures, password changes and account lockouts. Because of this, in large environments the windows security event log on the PDC emulator will grow rapidly and depending on the size limit of the event log you may find that the log only holds the last few hours of events.

The Account Lockout Status tool is a combination command-line and graphical tool that displays lockout information about a particular user account. It collects information from every contactable domain controller in the target user account’s domain.

You can download the Account Lockout Status tool here

  • Run the msi installer to install the tool. Unfortunately it doesn’t register a start menu shortcut, so you’ll need to browse to the installation directory (C:\Program Files (x86)\Windows Resource Kits\Tools)
  • Run LockoutStatus.exe to launch the tool
  • Click File > Select Target… to find the details for the locked account
  • Review the details, the domain controller with the highest bad password count is the most likely to have been the authenticating DC at the time of lockout
  • Connect to the domain controller and review the windows security event log, filter for event ID 4740 on Windows Server 2008 and above and event ID 644 for Windows Server 2000 and 2003. Alternatively you can use the Windows PowerShell command provided earlier in this article
  • The event details will contain the Caller Machine Name which is the originating client of the failed authentication attempt

Identify the cause of the account lockout

Now that you’ve identified the source of the account lockout, you need to identify the cause. There are numerous possible causes of authentication failures where an accounts credentials will have been either cached or saved.

Common causes for Account Lockouts
  • Stale Sessions: a user may be logged on to more than one computer, those other logons may be using old credentials that are cached and being used by some applications.
  • Applications: numerous applications either cache the users credentials or have credentials explicitly defined in their configuration.
  • Windows Services: Windows services by default are configured to start using the local system account, however, windows services can be configured to use a specific account, typically referred to as service accounts.
  • Scheduled Tasks: the windows task scheduler requires credentials for any task that is configured to run whether or not a user is logged on to the computer, specific tasks may be configured to use domain credentials.
  • Persistent drive mapping: drive mappings can be configured to use alternate credentials to connect to a shared resource.
  • Stored usernames and passwords: windows can store username and passwords for remote resources, these credentials can be viewed in the credential manager control panel applet.
  • Mobile Devices: mobile devices can have stored credentials for accessing remote resources such as email.

For the majority of situations after identifying the source of the account lockout, identifying and resolving the actually cause is a simple process of elimination.

Useful tools

There are a number of tools that can be used to assist in troubleshooting account lockouts, especially in circumstances where the cause can’t easily be identified.

  • Account Lockout Status: The Account Lockout Status tool is a combination command-line and graphical tool that displays lockout information about a particular user account. It collects information from every contactable domain controller in the target user account’s domain.
  • Account Lockout and Management Tools: ALTools.exe contains tools that assist you in managing accounts and in troubleshooting account lockouts.
  • Process Monitor: Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
  • Microsoft Message Analyzer: Message Analyzer enables you to capture, display, and analyze protocol messaging traffic; and to trace and assess system events and other messages from Windows components.
Comments
Share
Kriss Milne

Related posts
ConfigMgr Some Drivers Can Not be Imported
ConfigMgr Some Drivers Can Not be Imported
7 April 2016 by in ConfigMgr
Troubleshooting Active Directory Account Lockout
Troubleshooting Active Directory Account Lockout
14 January 2016 by in Active Directory
Windows 7 stuck on “Checking For Updates”
Windows 7 stuck on “Checking For Updates”
1 October 2015 by in Windows 7
Mounted folders disappear in shared folders
Mounted folders disappear in shared folders
29 September 2015 by in Server 2008
There are 6 comments on this post
  1. Billy
    May 24, 2018, 8:26 pm

    Account lockout tools does not work on Windows 10 (altools) 🙁

  2. Troubleshooting Active Directory Account Lockout | Yogesh
    May 14, 2018, 11:30 pm

    […] https://oldblog.krissmilne.tech/active-directory/troubleshooting-account-lockout […]

  3. Marc
    May 13, 2018, 11:00 am

    Thanks Kriss, between this article and the script to find lockout sources it has helped alot.

  4. AD Compte verouillé – Ressources informatiques
    December 15, 2017, 8:36 pm

    […] https://oldblog.krissmilne.tech/active-directory/troubleshooting-account-lockout […]

  5. Gagan Taneja
    July 05, 2017, 11:37 am

    Hi , My name is Gagan Taneja . I am not able to find source of locakout through lockoutstatus tool and tell me where I have to start netlogon audit . Last time I run it on impacted DC but nothing is coming .

    I can not install third party tool in my environment . Do I need to run on PDC ?

    or tell me other way for finding the source of lockout .

  6. Kevin
    October 05, 2016, 3:09 pm

    Thanks Kriss, this saved my bacon

logo