Account locked (4740) with no preceding invalid attempts (4625) for one specific user

    Question

  • For our domain controllers (4 x 2008 R2), we have an account lockout policy:

    - Duration: 30 min
    - Threshold: 20 attempts
    - Reset: after 30 min

    We have two views in the event viewer:

    - One for Event ID 4625 (invalid attempts)
    - One for Event ID 4740 (locked)

    For one specific user, we occasionally (once every few months) see a lockout (4740) but no preceding invalid login attempts (4625) on any domain controller. For other users this is not the case: we see invalid login attempts prior to the lockout event.

    Our audit policy should be sufficient:

    Logon/Logoff
      Logon                                   Failure
      Logoff                                  No Auditing
      Account Lockout                         Success and Failure
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           Success and Failure
      Other Logon/Logoff Events               Success and Failure
      Network Policy Server                   Success and Failure

    Regards,

    Ruben

    Thursday, November 24, 2016 8:30 AM

All replies

  • Please have a look at the links below; they might help you resolve this issue:

    Trace the source of a bad password and account lockout in AD

    Identify the source of Account Lockouts in Active Directory

    Reason for event 4740 (user account was locked out)

    Account Lockout and Management Tool

    Troubleshooting Account Lockouts the PSS way

    4740 - for locked out.

    You can try to use the Account Lockout Tools along with some AD auditing. Be aware that there can be a multitude of causes for account lockouts. The most common ones are:

    - Wrong password input from user
    - User changes password, and has some cached credentials with the old password (check credentials in Control Panel and Internet Explorer)
    - Scheduled tasks and services running with an old password
    - Malware
    - Active Directory replication
    - Disconnected Terminal Server sessions
    - Service accounts
    - user's account tied to persistent mapped drive
    - user's account used as an IIS application pool identity
    - A smartphone; to go into detail, here is an article on what the common root causes of account lockouts are and how to resolve them.

    Thanks,

    Thursday, November 24, 2016 9:22 AM
  • Hi
      These are the possibilities for a lockout issue:
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -Active sync devices (cell phone,etc..)  

    and you can check the source with the Account Lock tool (for Server 2003): https://www.microsoft.com/en-us/download/details.aspx?id=15201
    There is a new tool to troubleshoot this in Windows Server 2008 R2, called dsac.exe, which is the "Active Directory Administration Centre"; check the article at https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    You can also check with these 3rd-party tools: Lepide, Netwrix, ...

    And you can configure advanced security auditing to find the source:

    https://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Thursday, November 24, 2016 10:34 AM
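    The audit policy quoted in the question covers only the Logon/Logoff category. On a domain controller, a bad domain password submitted over Kerberos or NTLM is recorded under the Account Logon category (4771 "Kerberos pre-authentication failed" and 4776 "credential validation"), not as a 4625, which is written on the machine where the logon itself was attempted. The following is an added example, not part of the original thread, showing how to inspect and enable those subcategories with auditpol on a DC; the subcategory names are auditpol's own, and the commands assume an elevated prompt on each DC (or the equivalent settings in the Default Domain Controllers Policy GPO, since a GPO-applied advanced audit policy overwrites local auditpol changes at the next refresh).

```powershell
# Added example, not code from the original thread.
# Shows the Account Logon failure auditing a DC needs in order to record bad
# domain passwords, then enables it. Run elevated on each DC, or set the same
# subcategories in the Default Domain Controllers Policy GPO so they persist.

# Current state of the category the quoted policy does not list
auditpol /get /category:"Account Logon"

# Failure auditing for the two subcategories that record bad passwords on a DC:
#   Credential Validation           -> 4776 (NTLM, Status 0xC000006A = bad password)
#   Kerberos Authentication Service -> 4771 (Kerberos pre-auth failed, Status 0x18 = bad password)
auditpol /set /subcategory:"Credential Validation" /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable

# Keep the lockout event itself (4740), as in the quoted policy
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

# Verify the three subcategories after the change
auditpol /get /subcategory:"Credential Validation","Kerberos Authentication Service","Account Lockout"
```

    Once these are enabled, a bad password for a domain account shows up on the DC that validated it even when no 4625 is written there, which is the usual reason a 4740 appears "without" preceding failures in a view filtered on 4625 alone.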
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 28, 2016 3:36 PM
    Moderator
  • Hi,

    I'm aware of the possible reasons an account could get locked, and of the tools available to troubleshoot the problems behind it.

    However, the question here is that I'm looking for the invalid password attempts leading to the lockout.

    Using some of the tools mentioned, I can clearly trace the lockout event, but not the actual invalid password attempt events. Without these events, I cannot diagnose the cause.

    This specific user has been locked out once every few months, and each time, there are no invalid password events.

    We also use ADFS (internal and WAP), but both would log invalid attempts to the Security log, unless I'm missing something?

    Regards,

    Ruben

    Monday, November 28, 2016 3:46 PM
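    The first reply lists the tools for finding the lockout source, and the follow-up above asks for the actual failed-password events that led to a given 4740. The script below is an added example, not code from the original thread or from any of the linked tools. It walks every DC, finds the 4740 events for one account, reads the "Caller Computer Name" from each (the TargetDomainName field of 4740), and then pulls every 4771, 4776 and 4625 for that account from every DC in the window before the lockout. The account name `jdoe`, DC discovery through Get-ADDomainController, and the 30-minute lookback (chosen to match the reset window in the question) are assumptions. It needs the ActiveDirectory module and remote event-log access to each DC.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the original thread. Correlates 4740 lockouts for one
# account with the failed-authentication events recorded on every DC in the preceding
# window. Account name, DC discovery and the lookback window are assumptions.
param(
    [string]$SamAccountName = 'jdoe',   # hypothetical account
    [int]$LookbackMinutes   = 30        # matches the 30-minute reset window in the question
)

$dcs = (Get-ADDomainController -Filter *).HostName

# Read a named <Data> field from the event XML instead of relying on property order.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Lockout events (4740). TargetUserName is the locked account; TargetDomainName
#    carries the "Caller Computer Name", the host that submitted the bad credentials.
#    That host's own Security log is where a 4625 for the attempt would be written.
$lockouts = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventDataField $_ 'TargetUserName') -eq $SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                DC     = $dc
                Caller = Get-EventDataField $_ 'TargetDomainName'
            }
        }
}

if (-not $lockouts) { "No 4740 for $SamAccountName on any DC."; return }

# 2. For each lockout, gather the failures on every DC in the preceding window.
#    4771 = Kerberos pre-auth failed (Status 0x18 = bad password)
#    4776 = NTLM credential validation (Status 0xC000006A = bad password)
#    4625 = logon failure on the machine where the logon was attempted (here: the DC itself)
$failureIds = 4771, 4776, 4625
foreach ($lock in $lockouts) {
    $window = @{
        LogName   = 'Security'
        Id        = $failureIds
        StartTime = $lock.Time.AddMinutes(-$LookbackMinutes)
        EndTime   = $lock.Time
    }
    $attempts = foreach ($dc in $dcs) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $window -ErrorAction SilentlyContinue |
            Where-Object { (Get-EventDataField $_ 'TargetUserName') -eq $SamAccountName } |
            ForEach-Object {
                # 4771 and 4625 carry a client address; 4776 carries a workstation name.
                if ($_.Id -eq 4776) { $source = Get-EventDataField $_ 'Workstation' }
                else                { $source = Get-EventDataField $_ 'IpAddress' }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    DC     = $dc
                    Id     = $_.Id
                    Source = $source
                    Status = Get-EventDataField $_ 'Status'
                }
            }
    }

    "`nLockout of $SamAccountName at $($lock.Time) on $($lock.DC); caller computer: $($lock.Caller)"
    if ($attempts) {
        $attempts | Sort-Object Time | Format-Table Time, DC, Id, Source, Status -AutoSize
    } else {
        "No 4771/4776/4625 for this account on any DC in the $LookbackMinutes min before the lockout."
        "Check the Security log on $($lock.Caller) itself, and confirm that Account Logon auditing"
        "(Credential Validation, Kerberos Authentication Service) records failures on the DCs."
    }
}
```

    The usual outcome for the case in the question is that the DC view filtered on 4625 is empty while 4771 or 4776 entries exist for the same minutes, or that the caller computer named in the 4740 is a web or mail front end (ADFS, WAP, an Exchange server serving ActiveSync) that performed the credential check itself; in that case the 4625 lives on that host's Security log, not on the DC.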
  • Hi
      These are the possibilities for a lockout issue:
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -Active sync devices (cell phone,etc..)  

    You should investigate these reasons first of all.

    Then configure advanced security auditing: https://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Monday, November 28, 2016 6:01 PM