How to find the source of an Active directory account lockout?
- Login to the domain controller with administrative privileges.
- Open the Group policy editor (Run → gpedit.msc) on a local computer (on which you want to track the lock source) and enable the following policies in Computer Configurations → Windows Settings → Security Settings → Local Policies → Audit Policy:
- Audit process tracking: Success / Failure
- Audit logon events: Success / Failure
- Open event viewer and search Security log for event ID 4625.
In this case, the source of the account lockout is a process mssdmn.exe (Sharepoint component).The user needs to update password on the Sharepoint web portal.
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools