Why is my account locked out frequently???
Active Directory user account lockouts happen from time to time for various reasons, but the underlying cause is always the same: multiple unsuccessful logon attempts against the user account. Users usually don’t know what is causing their accounts to be locked out. The source should be tracked down properly, as repeated lockouts can indicate credential theft. So what is going on?
Today’s journey focuses on this problem and the fix. I have seen a lot of blogs and software that analyze the user's machine and try to find the cause. This includes searching for stored passwords, mapped drives, etc.
But what if none of that helps? What should you do?
Finding Active Directory Account Lock Source
There are multiple tools (some free, others paid) that can tell you which computer or device caused an account to get locked.
As a starting point, the simplest way, and it’s free, is to search the Security event log on the domain controller for the following.
Event ID: 4740
Event source: Microsoft Windows security auditing
In this security log, what you will see is this
Or you can use this quick PowerShell script.
# Run on a domain controller: list account lockout events (ID 4740) from the Security log
Get-WinEvent -FilterHashtable @{Logname="Security";id=4740}
Notice that the Caller Computer Name is the computer or device that caused the account to be locked. In this case, it’s MyPC1.
Possible Stored Password Locations That Cause Active Directory User Lockouts
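The following is an added example, not part of the original post, that pulls the locked account and the Caller Computer Name out of each 4740 event and counts lockouts per source. It assumes the standard 4740 event XML, where the Caller Computer Name is stored in the TargetDomainName data field; the helper name ConvertFrom-LockoutEventXml and the sample events are constructed for illustration.

```powershell
# Added example: summarize lockout events (ID 4740) by account and source computer.
function ConvertFrom-LockoutEventXml {   # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 4740 stores the "Caller Computer Name" in the TargetDomainName field.
        $caller = $data['TargetDomainName']
        # The field can be empty; keep such events visible instead of dropping them.
        if ([string]::IsNullOrWhiteSpace($caller)) { $caller = '(blank)' }
        [pscustomobject]@{
            TimeCreated    = [datetime]$evt.System.TimeCreated.SystemTime
            LockedAccount  = $data['TargetUserName']
            CallerComputer = $caller
            ReportedBy     = $data['SubjectUserName']   # account that logged the lockout
        }
    }
}

# Constructed sample events (not real log data), shaped like EventRecord.ToXml() output.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID><TimeCreated SystemTime="{0}" /></System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="TargetDomainName">{2}</Data>
    <Data Name="SubjectUserName">DC01$</Data>
  </EventData>
</Event>
'@
$sample = @(
    ($template -f '2024-01-15T08:30:12Z', 'jdoe',   'MYPC1'),
    ($template -f '2024-01-15T09:02:47Z', 'jdoe',   'MYPC1'),
    ($template -f '2024-01-15T09:40:05Z', 'asmith', '')
)

# On a domain controller, replace $sample with live events:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} | ForEach-Object { $_.ToXml() }
$lockouts = $sample | ConvertFrom-LockoutEventXml

# Repeated lockouts from one source suggest a stale stored credential on that machine.
$lockouts | Group-Object LockedAccount, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```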
- Map Drive
- Scheduled Task
- Windows Service
- Saved credential in user Credential Manager in Control panel
- Password for Mail account that is stored on user Mobile device
- and several other locations.
Using Some Software
To save some time, there are good tools (Free Trial):
Account Lockout Examiner, or ManageEngine AuditPlus, for querying the computer name causing the account lock and performing some basic checks on the target machine to analyze what may cause the lockout “Scheduled Task, Mapped Drive, Windows Services…”.
Advanced Way To Find Users Active Directory Account Lock
Sometimes the cause is something else. It’s not a Windows Service, a Scheduled Task, or any of the usual suspects listed above. So what should you do?
In this case, on the user’s machine that causes the lock, you need to monitor Failure audits for:
- Audit process tracking (not required, but it will give you more information)
- Audit logon events
On the remote machine (the user’s machine), run Gpedit.msc and navigate to:
Windows Settings \ Security Settings \ Local Policies \ Audit Policy
Double-click Audit logon events and select Success and Failure. Then run gpupdate /force.
Sit back, relax, and wait for the next lockout. Once it happens, review the audit log on the client machine and check the failed logon entries. You will see something like this
As shown in the picture above, the process using the old password is the SharePoint Search component (mssdmn.exe). So simply update the password to the new password from the SharePoint site.
This is the best way to put your finger on what causes a user’s Active Directory account lockout issue. I hope you like this