How to find what's locking out an Active Directory account

Active Directory (AD) users getting locked out of their accounts is a common issue that sysadmins have to resolve almost every day. A smart way to handle this issue is to identify the source of these lockouts and rectify the root cause. However, this is both exhausting and time-consuming when you have to deal with a large number of locked-out users and have to find the source of each lockout. Below, you'll learn how to find what's locking out an AD account.

Find what's locking out an AD account using native auditing

Steps to enable auditing using the GPMC

Perform the following actions on the domain controller (DC):

  1. Open the Start menu. Search for and open the Group Policy Management Console (GPMC). You can also run the command gpmc.msc.
  2. Right-click the domain or organizational unit (OU) where you want to audit account lockouts, and click Create a GPO in this domain, and Link it here.

Note: If you have already created a GPO, click Link an Existing GPO.

  3. Name the GPO.
  4. Right-click the GPO and choose Edit.
  5. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management.
  6. In the right pane, you will see the list of policies under Account Management. Double-click Audit User Account Management and check the boxes labeled Configure the following audit events, Success, and Failure.
  7. Click Apply and then OK.
  8. Go back to the Group Policy Management Console. In the left pane, right-click the domain or OU that the GPO was linked to and click Group Policy Update. This step makes sure the new Group Policy settings are applied instantly instead of waiting for the next scheduled refresh.

Steps to view the logged events in the Event Viewer

Once the above steps are complete, events will be logged in the event log. These can be viewed in the Event Viewer by following the steps below:

  1. Open the Start menu, search for Event Viewer, and click to open it.
  2. In the left pane of the Event Viewer window, navigate to Windows Logs > Security. Here, you will find a list of all the security events that are logged in the system.
  3. In the right pane under Security, click Filter Current Log.
  4. In the pop-up window, enter 4740 in the field labeled <All Event IDs>.
  5. Click OK. This will provide a list of occurrences of the Event ID you entered.
  6. Double-click the Event ID to view its properties (description).

In the event description, the Caller Computer Name is shown.

To perform a more detailed analysis of the cause of this lockout, carry out the following actions on the DC:

  1. In the Event Viewer, filter the current view to look for the Event ID 4625, which is logged when there is a failed logon.
  2. On the right pane of the Event Viewer window, click Find, enter the name of the user that was locked out, and click Find Next.
  3. Look for an event that was logged after the account lockout time and view its properties.
  4. Scroll down to Caller Process Name. This will show you the location of the process that possibly caused the lockout.

In the above case, the account lockout was called by the process java.exe.

This process requires a lot of effort even for just one end user. To perform this analysis on a large number of end users would be time-consuming, impractical, and ineffective.
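
The two Event Viewer lookups above can also be scripted. The PowerShell below is an added example, not code from the original page or from ManageEngine: it pairs each 4740 lockout with the 4625 failures for the same user inside a time window. The function names, the 30-minute window, and the sample events are assumptions constructed for illustration; in the event XML, Caller Computer Name is the 4740 `TargetDomainName` field and Caller Process Name is the 4625 `ProcessName` field.

```powershell
# Constructed sample events, trimmed to the fields used below; not real log data.
$sampleXml = @(
    '<Event><System><EventID>4740</EventID><TimeCreated SystemTime="2024-01-15T09:12:44Z"/></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">WKS-0142</Data></EventData></Event>'
    '<Event><System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-15T09:12:40Z"/></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="ProcessName">C:\Program Files\Java\bin\java.exe</Data><Data Name="IpAddress">10.0.0.42</Data></EventData></Event>'
    '<Event><System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-15T09:12:42Z"/></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="ProcessName">C:\Program Files\Java\bin\java.exe</Data><Data Name="IpAddress">10.0.0.42</Data></EventData></Event>'
    '<Event><System><EventID>4625</EventID><TimeCreated SystemTime="2024-01-15T09:10:00Z"/></System><EventData><Data Name="TargetUserName">asmith</Data><Data Name="ProcessName">-</Data><Data Name="IpAddress">10.0.0.77</Data></EventData></Event>'
)

function ConvertFrom-SecurityEventXml {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # flatten <Data Name="..."> pairs
    [pscustomobject]@{
        Id   = [int]$x.Event.System.EventID
        Time = [datetime]$x.Event.System.TimeCreated.SystemTime
        Data = $d
    }
}

function Get-LockoutSource {              # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$EventXml, [int]$WindowMinutes = 30)   # window size is an assumption
    $events   = @($EventXml | ForEach-Object { ConvertFrom-SecurityEventXml -Xml $_ })
    $failures = @($events | Where-Object Id -eq 4625)
    foreach ($lock in ($events | Where-Object Id -eq 4740)) {
        $user = $lock.Data['TargetUserName']
        $near = @($failures | Where-Object {
            $_.Data['TargetUserName'] -eq $user -and
            [math]::Abs(($_.Time - $lock.Time).TotalMinutes) -le $WindowMinutes })
        [pscustomobject]@{
            User           = $user
            LockedOutAt    = $lock.Time
            CallerComputer = $lock.Data['TargetDomainName']   # "Caller Computer Name" in Event Viewer
            FailedLogons   = $near.Count
            CallerProcess  = ($near | ForEach-Object { $_.Data['ProcessName'] } | Sort-Object -Unique) -join ', '
            SourceAddress  = ($near | ForEach-Object { $_.Data['IpAddress'] } | Sort-Object -Unique) -join ', '
        }
    }
}

# Live use from an elevated prompt on the DC, instead of the sample data:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4625 } | ForEach-Object { $_.ToXml() }
Get-LockoutSource -EventXml $sampleXml | Format-List
```

For network logons the 4625 `ProcessName` field is often `-`, in which case the source address is the more useful lead.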

With ADAudit Plus, you can perform a thorough analysis of all possible sources of the lockout in just a click using the built-in Account Lockout Analyzer.

Find what's locking out AD accounts using ManageEngine ADAudit Plus

Once the audit policies mentioned in the previous section are enabled, follow these steps:

  1. Download and install ADAudit Plus.
  2. Find the steps to configure auditing on your domain controller here.
  3. Open the console and navigate to Reports > Active Directory > User Management > Account Lockout Analyzer.

This will show you a detailed report of locked-out accounts sorted by time.

Click on Details under the Analyzer Details column to see the possible reasons behind each account lockout.

  1. Analyze various components that could be causing the lockout with the account lockout analyzer.
  2. Old cached credentials being used by Windows services, scheduled tasks, or other components might be causing these lockouts.

Advantages of ADAudit Plus over native auditing

  • View reports on all changes to AD objects, ensuring a foolproof audit trail.
  • Get instant alerts for unusual user activity and automate responses to these alerts with its built-in user behavior analytics engine.
  • Prove compliance with IT regulations like SOX, HIPAA, GLBA, PCI DSS, FISMA, and the GDPR using out-of-the-box compliance reports.
