How to find the source of an Active directory account lockout?
- Login to the domain controller with administrative privileges.
- Open the Group policy editor (Run → gpedit.msc) on a local computer (on which you want to track the lock source) and enable the following policies in Computer Configurations → Windows Settings → Security Settings → Local Policies → Audit Policy:
- Audit process tracking: Success / Failure
- Audit logon events: Success / Failure
- Open event viewer and search Security log for event ID 4625.
In this case, the source of the account lockout is a process mssdmn.exe (Sharepoint component).The user needs to update password on the Sharepoint web portal.