How to trace and diagnose account lockout in AD?

Get it Done with ADAudit Plus
With Native AD Auditing
With ADAudit Plus

Native auditing

In this section, you'll learn how you can find out the source of an account lockout using the Event Viewer. Before getting started, make sure that your audit policies are set to audit logon events. To do this:

  • Step 1: Go to the Group Policy management console →  Computer configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
  • Step 2: Enable Audit account logon events and Audit logon events. Turn on auditing for both successful and failed events.
  • Step 3: Now, go to the Event Viewer and search the logs for Event ID 4740.. The log details of the user account's lockout will show the caller computer name.
  • Step 4: Go to this caller computer, and search the logs for the source of this lockout. 
  • Step 5: Search the logs for the events that happened around the time when the user was locked out.
  • Step 6: Check the user's recent logon history, login attempts, services, and applications using the user account's credentials, scheduled tasks, mapped drives, etc.
  • Step 7: If any of the above are using a stale password, update the user's password, and force replication. 

How to find out what is locking out an Active Directory account with ADAudit Plus

Finding the source of an account lockout can be done with a single click using ADAudit Plus. The who, when, where, and why of every lockout instance is detailed. Instant alerts can be sent to an admin's email or phone when any privileged user gets locked out or if the volume of lockout is too high.

These reports provide the:

  • Name of the user that got locked out
  • Domain controller and caller computer the user got locked out from
  • Time of lockout
  • Previous login attempts of the user
  • Details of services, mapped drives, and applications using the user account's credentials

Get instant alerts when a privileged user is locked out, or if the volume of lockouts is too high. These alerts can also be sent straight to the admin's or technician's email or mobile device via SMS from ADAudit Plus. With this AD lockout tool, you can find and resolve account lockouts in less than a few minutes.

Native auditing becoming a little too much?

Simplify file server auditing and reporting with ADAudit Plus.

Download for Free