none
Locked AD Account RRS feed

  • Question

  • I have recently serie of lockouts from 1 user.

    Lockouts happen 2-3 times a day, source is always 1 user workstation. User is already sensitive to enter password without mistakes. Account lockout sometime with user sitting by computer so it is not case of funny jokes from her roommates.

    I checked credentials manager - it is empty, no mapped drives with creds , no sheduled tasks, there aren't any services running whith her account connected.

    Finally i find strange event on her computer SecurityLog stating that her credentials were read from credentials manager  few seconds before event 4740 on domain controller.

    Any clues where can I look farther to explain that lockouts?

    PS. OS was recently upgraded to Windows 10 1909  but problem was present in 1903 version as well



    • Edited by Piosk Tuesday, December 3, 2019 2:33 PM
    Tuesday, December 3, 2019 2:31 PM

All replies

  • I shall suggest you to try Account Lockout Status (LockoutStatus.exe)

    Account Lockout Status (LockoutStatus.exe) is a combination command-line and graphical tool that displays lockout information about a particular user account.

    Also go through the following link:

    https://theitbros.com/ad-account-keeps-locking-out/


    S.Sengupta,Microsoft MVP Windows and Devices for IT, Windows Insider MVP

    Wednesday, December 4, 2019 12:57 AM
  • Hi,

    Was your problem resolved?

    Just for your reference , we can use the event log for troubleshooting:

    First of all,look for event 4740 on the domain controller is , and the computer source can be found through this event (each domain controller needs to confirm whether there is this event ); if not,  need to enable the account management audit policy for the domain controller. , In [Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Audit Policy \ Audit account management]

     

    Then, find the 4625 event on the client computer source and check the process of the locked account. If there is no 4625 event on the computer source, you need to enable the following audit events:

    Best Regards,

    Fan


    Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, December 30, 2019 4:52 AM
  • Hi,

    Was your issue resolved?

    Welcome to share your current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Fan


    Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, January 1, 2020 2:06 AM
  • Hi,

    Welcome to share here if you have any updates !

    Please let us know if you would like further assistance.

     

    Best Regards,

    Fan


    Please remember to mark the replies as an answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, January 3, 2020 3:29 AM