How to use account lockout status in Active Directory


Native auditing

Microsoft provides an AD account lockout tool, LockoutStatus.exe, to check the lockout status of an account. This tool can be downloaded here. After installing the tool, go to the folder where you extracted its files. LockoutStatus.exe will help you find the source of an account lockout and resolve it.

Before getting started, make sure that your audit policies are set to audit logon events. To do this:

  • Go to the Group Policy Management Console → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
  • Enable Audit account logon events and Audit logon events. Turn on auditing for both successful and failed events.

Using the account lockout and management tool:

  • Run the LockoutStatus.exe tool, and go to File → Select target.
  • Type the user's login name or sAMAccountName.
  • Enter the domain name.
  • Click OK to see the lockout status of the user you selected.

The following details will be displayed:

User State – Tells you if the account is locked.

Lockout Time – Time at which the account got locked out.

Orig Lock – Domain controller on which the lockout happened.

Finding the source of the lockout:

  • Go to the domain controller shown in the lockout status.
  • Open the Event Viewer, and search the logs for Event ID 4740.
  • The log details of the user account's lockout event will show the caller computer name.
  • Go to this caller computer, and search the logs for the source of this lockout. 
  • Search the logs for the events that happened around the time when the user was locked out.
  • Check the user's recent logon history and login attempts, as well as the services, applications, scheduled tasks, mapped drives, etc. that use the user account's credentials.
  • If any of the above are using a stale password, update the user's password, and force replication. 
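
The lookup in the steps above, as an added PowerShell example (not part of the original article, and not code from Microsoft or ADAudit Plus). It assumes remote Security log access to the domain controller and the caller computer; the parameter names, the search windows, and the choice of failed-logon Event ID 4625 on the caller computer are assumptions of this example.

```powershell
# Added example, not from the original article. Parameter names are hypothetical.
param(
    [Parameter(Mandatory)] [string] $UserName,          # sAMAccountName of the locked-out user
    [Parameter(Mandatory)] [string] $DomainController,  # DC reported by LockoutStatus.exe
    [int] $HoursBack = 24,       # assumed: how far back to search for 4740 events
    [int] $WindowMinutes = 10    # assumed: window around each lockout on the caller
)

# Turn an event record's named EventData fields into a hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# Step 1: lockout events (4740) for this user on the domain controller.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$HoursBack) }
$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            LockoutTime    = $_.TimeCreated
            User           = $f['TargetUserName']
            # In 4740 the caller computer name is stored in the TargetDomainName field.
            CallerComputer = "$($f['TargetDomainName'])".TrimStart('\')
        }
    } | Where-Object { $_.User -eq $UserName }
$lockouts | Format-Table -AutoSize

# Step 2: failed logons (4625, an assumption of this example) on each caller
# computer within the window around the lockout time.
foreach ($l in $lockouts) {
    if (-not $l.CallerComputer) { continue }   # the caller name can be empty
    $near = @{
        LogName   = 'Security'; Id = 4625
        StartTime = $l.LockoutTime.AddMinutes(-$WindowMinutes)
        EndTime   = $l.LockoutTime.AddMinutes($WindowMinutes)
    }
    Get-WinEvent -ComputerName $l.CallerComputer -FilterHashtable $near -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Get-EventFields $_
            [pscustomobject]@{
                Time = $_.TimeCreated; Computer = $l.CallerComputer; User = $f['TargetUserName']
                LogonType = $f['LogonType']; Process = $f['ProcessName']; SourceIp = $f['IpAddress']
            }
        } | Where-Object { $_.User -eq $UserName } | Format-Table -AutoSize
}
```

The logon type and process name in the second table point to what is presenting the credentials on the caller computer, which narrows the search through services, scheduled tasks, and mapped drives.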

ADAudit Plus: Account lockout tool

Unlike the LockoutStatus tool provided by Microsoft, where you need to jump between multiple systems and consoles to pinpoint the source of a lockout, ADAudit Plus allows you to analyze account lockouts in a single click. The who, when, where, and why of every account lockout are detailed in neat reports. These reports are collected in real time and can be exported to formats including CSV, PDF, XML, and HTML.

These reports provide the:

  • Name of the user that got locked out
  • Domain controller and caller computer the user got locked out from
  • Time of lockout
  • Previous login attempts of the user
  • Details of services, mapped drives, and applications using the user account's credentials

Get instant alerts when a privileged user is locked out or if the volume of lockouts is too high. These alerts can also be sent from ADAudit Plus straight to the admin's or technician's email, or to their mobile device via SMS. With this AD lockout tool, you can find and resolve account lockouts in less than a few minutes.
