AD account keeps getting locked out
The first step in finding out why an AD account keeps getting locked out is to find the domain controller that is doing the locking. There are a couple of simple ways to do this. One way to troubleshoot account lockouts is to use Microsoft’s Account Lockout Tools. You can download and install these tools at Microsoft’s website here. There are two main tools: LockoutStatus.exe and eventcombMT.exe. This blog post will be focused on the LockoutStatus tool.
Using LockoutStatus.exe tool
1. After you download the Lockout Tools and double-click ALTools.exe, it will extract the files to a location on your hard drive that you choose. These are stand-alone tools; nothing is actually installed on your computer.
2. Double-click LockoutStatus.exe. Select File, then type in the account in question and the domain. Press OK. You will receive a list of domain controllers and whether or not the account is locked out. The important columns are the Bad Pwd Count and the Orig Lock columns. If you see a Bad Pwd Count on a particular DC, then you have more or less identified the DC reporting the lockout. The same applies to the Orig Lock column, which states the actual name of the DC that locked out the account.
3. Now that you’ve identified the DC, you can connect to that DC, open Event Viewer and filter the Security Log for the following events. These are the event IDs that are logged when an account is locked out.
EventID 644 – Windows Server 2003
EventID 4740 – Windows Server 2008 R2
4. If you can’t download or install Microsoft’s lockout tools, you can ask the user whose account is getting locked out to do the following:
Open a command prompt.
Type the command echo %logonserver%: this will list the domain controller the user is logged on to. Please keep in mind that this is not necessarily the DC that is locking the account, but it is a good start.
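For admins who would rather not download ALTools, the same per-DC view that LockoutStatus.exe gives (Bad Pwd Count, lockout time, last bad password attempt) can be pulled with the ActiveDirectory PowerShell module. This is an added example, not part of the original post or of Microsoft’s tools; the account name is a placeholder, and it assumes RSAT is installed and that the DCs are reachable over LDAP.

```powershell
# Added example (not from the original post): ask every DC directly for the lockout
# attributes of one account. badPwdCount and lastBadPasswordAttempt are not replicated,
# so each DC holds its own values; the DC with the highest count is the one that saw
# the failures and is the best place to look for the 4740 event.
Import-Module ActiveDirectory

$SamAccountName = 'jdoe'   # placeholder: the account that keeps getting locked out

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, LockedOut, AccountLockoutTime, LastBadPasswordAttempt `
                -ErrorAction Stop
        [pscustomobject]@{
            DC                     = $dc.HostName
            BadPwdCount            = [int]$u.badPwdCount
            LockedOut              = $u.LockedOut
            AccountLockoutTime     = $u.AccountLockoutTime      # equivalent of the "Orig Lock" column
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        }
    } catch {
        # A DC that cannot be contacted still gets a row so the gap is visible
        [pscustomobject]@{
            DC = $dc.HostName; BadPwdCount = -1; LockedOut = $null
            AccountLockoutTime = $null; LastBadPasswordAttempt = "unreachable: $($_.Exception.Message)"
        }
    }
}

# DCs with bad password counts first; that is where the lockout was reported
$results | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

Run it from a domain-joined machine with an account that can read user attributes. The row with the non-zero BadPwdCount (or the populated AccountLockoutTime) is the DC to connect to in the next step.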
Searching the Event log using Event Viewer
Once you’ve used one of the two methods above to identify the DC reporting the lockout, all that is left to do is to use the Event Viewer snap-in to search for EventID 644 or 4740 and find out what machine is locking out the account in question.
You can select View, then filter on Event ID 644 or 4740. Open the properties of the event to view the detail. Look for the account in question and the Caller Computer Name. That machine is the one causing the lockouts.
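The same search can be scripted against the DC’s Security log, which is handy when the account has been locked many times and you want a count of callers rather than clicking through events one by one. This is an added example and not from the original post; it targets Event ID 4740 (Windows Server 2008 and later, since Get-WinEvent cannot read a 2003 DC remotely), the DC name and account are placeholders, and it assumes Audit Account Management is enabled so the events exist.

```powershell
# Added example (not from the original post): list every 4740 lockout event for one
# account on the DC that reported it and tally the Caller Computer Name values.
$DC             = 'DC01.corp.example'   # placeholder: the DC identified above
$SamAccountName = 'jdoe'                # placeholder: the locked-out account

$events = Get-WinEvent -ComputerName $DC `
            -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
            -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # The rendered message is locale dependent; the XML EventData fields are not
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -ne $SamAccountName) { continue }

    # In 4740 the "Caller Computer Name" shown in Event Viewer is carried in the
    # TargetDomainName field (an inherited quirk of this event's template).
    $caller = $data['TargetDomainName']
    if ([string]::IsNullOrWhiteSpace($caller)) { $caller = '(blank)' }   # see the Caller Computer Name Blank post

    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $caller
        ReportingDC    = $e.MachineName
    }
}

$lockouts | Sort-Object Time -Descending | Format-Table -AutoSize

# A quick tally: the machine at the top of this list is where to look for the stale credential
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Reading the Security log remotely needs membership in Event Log Readers (or an administrative account) on the DC; the script intentionally keeps the blank caller case visible as its own row so a run of blank callers stands out instead of being silently dropped.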
There may be times when the Caller Computer Name is blank or empty. See our post Account Lockout Caller Computer Name Blank. Happy hunting! I hope you found this helpful. If so, leave a comment. Thank you!
Thanks, your blog post saved us a lot of time!
Thank you for your comments Christoph. I’m glad it helped.
Hello, I’m not finding these event ID’s even though I show the account in question to be locked. Is there something I need to enable in order for this to work?
Dear Anonymous, yes you need to have the Account Management policy enabled. Make sure to edit or create a group policy on your domain controller and Enable:
Computer Configuration/Policies/Windows Settings/Security Settings/Local Policy/Audit Policy/Audit Account Management. If you set it to No Auditing, that will be enough to log the user lockout errors. Good luck!
Hi George, one of the users’ accounts keeps getting locked, and I checked in the event log, but still I cannot find the computer name in the log. Any other workaround to fix this issue? Thanks for your help in advance.
Anonymous, I’m not clear whether you do not see any Event lockout errors or whether the computer name is BLANK. If you are not receiving any event logs, you need to make sure you have the Audit Account Management policy enabled. You can set this policy in the following location. Computer Configuration/Policies/Windows Settings/Security Settings/Local Policy/Audit Policy/Audit Account Management. If you set it to No Auditing, that will be enough to log the user lockout errors. Here is a link to a great FREE utility that may also help you http://www.netwrix.com/account_lockout_examiner.html. If the computer name is blank, it can be many…
Good Day.
Thank you for the post.
My problem is that the username is a Domain Admin account and I have more than one computer that the account is locked out of.
How do I know what to search for on the workstation?
Rudi, the lockouts can be caused by several things. Please check for cached credentials in Control Panel, Users. Also check any mapped drives with the Domain Admin credentials. Also, one thing that I’ve seen happen is that you log on to a computer and it remembers the last account that logged in. Then when the user goes to log into the computer, he or she doesn’t notice that the user account name is NOT their own and attempts to enter their own password with the domain admin account in the user field. This would lock out the domain admin…