When you have an Account Lockout Policy defined in the Default Domain Policy for an Active Directory domain, you will come across situations where accounts are repeatedly locked out. This article is intended to simplify the troubleshooting process.
The Account Lockout Process
It is important to understand some of the key details in the authentication and lockout process to assist in troubleshooting the problem.
Locating the source of the Account Lockout
The first step in the troubleshooting process is identifying the source of the authentication failures that caused the account lockout. There are several ways this can be achieved, and several tools designed to assist with the process.
1. Check the PDC Emulator
We know from the Account Lockout Process that the PDC emulator is responsible for processing the account lockout. It therefore makes logical sense that this should be the first DC that you check in the troubleshooting process.
For more information about Advanced Audit Policy Configuration, click here.
Account lockouts are recorded in the Windows Security event log as Event ID 4740 (A user account was locked out), provided success auditing is enabled for the Audit User Account Management subcategory. Filter the log for Event ID 4740 and review the events to locate the affected account; the event's Caller Computer Name field identifies the computer from which the failed authentications originated.
An alternative and faster method than filtering the Security event log in Event Viewer is to search it with Windows PowerShell. Open an elevated PowerShell console on the PDC emulator and enter the following (this filters on Event ID 4740 directly instead of matching the whole message text, so it does not have to read every event in the log):
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } | Where-Object { $_.Properties[0].Value -eq 'USERNAME' } | Format-List -Property *
Replace 'USERNAME' with the locked account name (the first property of a 4740 event is the Target Account Name) and press Ctrl+C to stop the command once you have the details you are looking for. The output will look similar to:
2. Use the Account Lockout Status tool
While the PDC emulator is the preferred domain controller for retrieving lockout information, because it is responsible for processing lockouts, it also receives a large volume of additional events for the entire domain, including forwarded authentication failures, password changes and account lockouts. In large environments the Security event log on the PDC emulator therefore grows rapidly, and depending on the size limit of the log you may find that it only holds the last few hours of events.
The Account Lockout Status tool (LockoutStatus.exe) is a combined command-line and graphical tool that displays lockout information about a particular user account. It collects the information from every contactable domain controller in the target user account's domain, so you can see which DC recorded the bad password attempts even when the PDC emulator's log has already rolled over.
You can download the Account Lockout Status tool here
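The two steps above, scripted in PowerShell as an added example that is not part of the original article: the first function pulls 4740 events for one account from the PDC emulator and extracts the caller computer name; the second is a scripted stand-in for LockoutStatus.exe that reads the lockout-related attributes of the account from every domain controller. It assumes the RSAT ActiveDirectory module is installed, that you have rights to read the Security log on the PDC emulator and to query each DC, and that Audit User Account Management success auditing is enabled so that 4740 is written. The function names and the account name 'jsmith' are placeholders of my own.

```powershell
# Added example, not from the original article: find where a lockout is coming from
# without LockoutStatus.exe. Assumes the RSAT ActiveDirectory module, rights to read
# the Security log on the PDC emulator, and success auditing for
# "Audit User Account Management" so that event 4740 is written.
Import-Module ActiveDirectory

# Step 1: pull 4740 (A user account was locked out) events for one account from the
# PDC emulator. In 4740 the TargetDomainName field carries the caller computer name.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [int] $Hours = 24
    )
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Read the named EventData fields from the XML instead of relying on the
            # positional Properties[] order.
            $data = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
            if ($data['TargetUserName'] -eq $UserName) {
                [pscustomobject]@{
                    TimeCreated      = $evt.TimeCreated
                    Account          = $data['TargetUserName']
                    CallerComputer   = $data['TargetDomainName']
                    DomainController = $pdc
                }
            }
        }
}

# Step 2, a scripted stand-in for LockoutStatus.exe: read the lockout attributes of
# the account from every domain controller. badPwdCount and badPasswordTime are not
# replicated, so the DC with the highest count or the latest bad-password time is
# the one that received the failed authentications.
function Get-LockoutStatusFromAllDCs {
    param([Parameter(Mandatory)] [string] $UserName)
    Get-ADDomainController -Filter * | ForEach-Object {
        $dc = $_.HostName
        try {
            $u = Get-ADUser -Identity $UserName -Server $dc -Properties badPwdCount, badPasswordTime, lockoutTime
            $lockedAt  = if ($u.lockoutTime -gt 0)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
            $lastBadAt = if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            [pscustomobject]@{
                DomainController = $dc
                LockedOut        = ($u.lockoutTime -gt 0)
                LockoutTime      = $lockedAt
                BadPwdCount      = $u.badPwdCount
                LastBadPassword  = $lastBadAt
            }
        } catch {
            # A DC that cannot be contacted is still listed so the gap is visible.
            [pscustomobject]@{
                DomainController = $dc; LockedOut = $null; LockoutTime = $null
                BadPwdCount = $null; LastBadPassword = "unreachable: $($_.Exception.Message)"
            }
        }
    } | Sort-Object BadPwdCount -Descending
}

# Usage; 'jsmith' is a placeholder for the locked account.
Get-LockoutSource -UserName 'jsmith' | Format-Table -AutoSize
Get-LockoutStatusFromAllDCs -UserName 'jsmith' | Format-Table -AutoSize
```

Run it from a workstation with the RSAT tools rather than on the PDC itself if you can; the first function reads only 4740 events from the PDC, and the second touches each DC with a single LDAP query, so neither depends on the PDC's Security log still holding the authentication failures themselves.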
Identify the cause of the account lockout
Now that you have identified the source of the account lockout, you need to identify the cause. There are numerous possible causes of authentication failures, but in most of them the account's credentials have been cached or saved somewhere on the source computer and are now out of date.
Common causes for Account Lockouts
In the majority of situations, once the source of the account lockout has been identified, finding and resolving the actual cause is a simple process of elimination.
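As an added example that is not from the original article, the following PowerShell function automates the first round of that elimination on the caller computer identified in the previous section: it lists services and scheduled tasks configured to run as the locked account, and pulls the computer's own 4625 (logon failure) events for the account so that the logon type and process name reveal the mechanism behind the failures. It assumes WinRM/RPC access and local administrator rights on that computer, that Audit Logon failure auditing is enabled there, and the function name, 'WS-0042' and 'jsmith' are placeholders of my own.

```powershell
# Added example, not from the original article: once the caller computer is known,
# look on that machine for where the stale credential is stored. Assumes WinRM/RPC
# access and local administrator rights on the computer; $ComputerName and $UserName
# are the caller computer and locked account found in the previous step.
function Find-StaleCredentialUse {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $UserName,
        [int] $Hours = 24
    )

    # Services configured to run as the locked account (DOMAIN\user or user@domain).
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -like "*\$UserName" -or $_.StartName -like "$UserName@*" } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Detail = "RunAs $($_.StartName), state $($_.State)" }
        }

    # Scheduled tasks whose principal is the locked account.
    $cim = New-CimSession -ComputerName $ComputerName
    try {
        Get-ScheduledTask -CimSession $cim |
            Where-Object { $_.Principal.UserId -like "*$UserName*" } |
            ForEach-Object {
                [pscustomobject]@{ Source = 'ScheduledTask'; Name = $_.TaskName; Detail = "Path $($_.TaskPath), RunAs $($_.Principal.UserId)" }
            }
    } finally {
        Remove-CimSession $cim
    }

    # Local logon failures (4625) for the account. The logon type and process name
    # point at the mechanism: 5 = service, 4 = batch/scheduled task, 3 = network
    # (for example a mapped drive), 2/10 = interactive or RDP, 9 = RunAs /netonly.
    # SubStatus 0xC000006A is a bad password, 0xC0000234 means already locked out.
    $logonType = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'; '7' = 'Unlock'
                    '8' = 'NetworkCleartext'; '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $d = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d['TargetUserName'] -eq $UserName) {
                [pscustomobject]@{
                    Source = 'Event4625'
                    Name   = $evt.TimeCreated
                    Detail = "LogonType $($logonType[$d['LogonType']]) ($($d['LogonType'])), process $($d['ProcessName']), from $($d['IpAddress']), substatus $($d['SubStatus'])"
                }
            }
        }

    # Per-user stores (Credential Manager via 'cmdkey /list', mapped drives via
    # Get-SmbMapping) are only visible inside that user's own session, so check them
    # interactively as the user if nothing above explains the failures.
}

# Usage; 'WS-0042' and 'jsmith' are placeholders for the caller computer and account.
Find-StaleCredentialUse -ComputerName 'WS-0042' -UserName 'jsmith' | Format-Table -AutoSize
```

A service or task that still shows up here after a password change is the usual culprit; if the only hits are 4625 events with logon type 3 and a remote IpAddress, the saved credential lives on yet another machine and the IpAddress is where to look next.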
Useful tools
There are a number of tools that can be used to assist in troubleshooting account lockouts, especially in circumstances where the cause can’t easily be identified.
Account lockout tools do not work on Windows 10 (altools) 🙁
Thanks Kriss, between this article and the script to find lockout sources it has helped a lot.
Hi, my name is Gagan Taneja. I am not able to find the source of the lockout through the LockoutStatus tool; tell me where I have to start the Netlogon audit. Last time I ran it on the impacted DC but nothing came up.
I cannot install third-party tools in my environment. Do I need to run it on the PDC?
Or tell me another way of finding the source of the lockout.
Thanks Kriss, this saved my bacon