none
Account lockout Issue

    Question

  • Hi,

    I have recently found one issue where the user account is getting locked and in the event ID 4740 the caller computer name field is empty. I have seen many articles over internet however all of them points to some other threads or ipad or cisco.

    Do you know any concrete way to find out how exactly we can trace this from where the user's account is getting locked.

    I would like some way to live monitor this.


    Regards Puneet Pandey MCITP

    Friday, March 10, 2017 8:16 PM

All replies

  • Hi

     You can configure advanced audit policy to find the source;

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    https://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx

    Also these are possibilies about lockout issue,
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -Active sync devices (cell phone,etc..)  

    and you can check the source with Account Lock tool (for server 2003); https://www.microsoft.com/en-us/download/details.aspx?id=15201
     New tools to troubleshoot this in Windows Server 2008 R2,called dsac.exe which is the "Active Directory Administration Centre"..check the article for; https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    also you can check with these 3rd paty tools; lepide,netwrix....


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Todd Heron Saturday, March 11, 2017 2:22 AM
    Friday, March 10, 2017 9:24 PM
  • Hi Puneet,
    Alternatively, you could use script to track the account lockouts referring to the following blog:
    Tracing the Source of Account Lockouts
    https://blogs.technet.microsoft.com/poshchap/2014/05/16/tracing-the-source-of-account-lockouts/
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 13, 2017 8:53 AM
    Moderator
  • I have tried everything.

    I have 4740 which doesn't tell the caller computer name

    I have netlogon debug enabled which doesn't show the computer from where it is getting locked.

    If anyone have faced the similar issue, please let me know


    Regards Puneet Pandey MCITP

    Thursday, May 4, 2017 7:59 PM