account lockout

  • Question

  • Hi all,

    Some of my service accounts, like backup, printer, etc., are automatically getting locked out, with the following event ID.

    Please help.

    An account failed to log on.

    Subject:
        Security ID:        SYSTEM
        Account Name:       ADCSRV$
        Account Domain:     DOM
        Logon ID:           0x3e7

    Logon Type:             3

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:       backup
        Account Domain:     DOM

    Failure Information:
        Failure Reason:     Account locked out.
        Status:             0xc0000234
        Sub Status:         0x0

    Process Information:
        Caller Process ID:      0x39c
        Caller Process Name:    C:\Windows\System32\lsass.exe

    Network Information:
        Workstation Name:           ADCSRV
        Source Network Address:     172.16.10.100
        Source Port:                45442

    Detailed Authentication Information:
        Logon Process:              Advapi
        Authentication Package:     MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
        Transited Services:         -
        Package Name (NTLM only):   -
        Key Length:                 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    Tuesday, April 29, 2014 6:34 AM

All replies

  • Hi,

    The free tools from Microsoft - Account Lockout and Management Tools - help you in troubleshooting locked-out accounts.
    The LOCKOUTSTATUS.EXE utility in this package helps you find the DC (Domain Controller) name where that account is locked out.
    The EVENTCOMBMT.EXE utility is a built-in search for searching for ACCOUNT LOCKED OUT events.

    Check out the link below for account lockout troubleshooting using native tools (Account Lockout and Management Tools, PowerShell, and Repadmin):
    http://social.technet.microsoft.com/wiki/contents/articles/4585.account-locked-out-troubleshooting-eventcombmt.aspx

    Also, the JiJi Account Lockout tool from JiJi Technologies has some nice features for analyzing account lockout events.

    Regards,
    Gopi
    JiJi Technologies

    Tuesday, April 29, 2014 9:37 AM
  • Hello,

    You need to check the computer that holds the 172.16.10.100 IP address for suspicious criteria. Account lockout problems arise for many reasons, but mainly from a wrong password. Please check the steps below in order to find what is behind the problem:

    • Are there mapped drives with a wrong password on the PC?
    • Are there any services in services.msc which start with the account?
    • Are there old passwords stored in the Credential Manager of Windows?
    • Is there a Conficker worm in your environment?

    The notes mentioned above are the most important ones which you should check. In order to find more information about lockout problems and why they happen, refer to the link below:

    Regards.


    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

    • Proposed as answer by bshwjt Tuesday, April 29, 2014 10:42 AM
    Tuesday, April 29, 2014 10:39 AM
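
    The checklist in the reply above can be run as one pass on the machine named in the event's Network Information. This is an added example, not part of the original post; the function name Find-AccountUsage is hypothetical, 'backup' is the account from the question, and the Credential Manager step assumes English cmdkey output.

```powershell
function Find-AccountUsage {
    param([Parameter(Mandatory)][string]$Account)

    # Matches 'backup', 'DOM\backup', '.\backup' and 'backup@domain'
    $pattern = '(^|\\){0}(@|$)' -f [regex]::Escape($Account)

    # Services configured to log on with the account (the services.msc check)
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'Service'; Item = $_.Name; Identity = $_.StartName }
        }

    # Scheduled tasks that run as the account
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'ScheduledTask'; Item = $_.TaskPath + $_.TaskName
                               Identity = $_.Principal.UserId }
        }

    # Mapped drives / network connections (current logon session only)
    Get-CimInstance Win32_NetworkConnection |
        Where-Object { $_.UserName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Source = 'MappedDrive'; Item = "$($_.LocalName) $($_.RemoteName)"
                               Identity = $_.UserName }
        }

    # Credential Manager entries (current user only): pair each User line with its Target
    $target = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            $target = $Matches[1].Trim()
        }
        elseif ($line -match '^\s*User:\s*(.+)$') {
            $user = $Matches[1].Trim()
            if ($user -match $pattern) {
                [pscustomobject]@{ Source = 'CredentialManager'; Item = $target; Identity = $user }
            }
        }
    }
}

Find-AccountUsage -Account 'backup' | Format-Table -AutoSize
```

    Mapped drives and Credential Manager entries are per user, so repeat the run in the session of each user who logs on to that machine.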
  • Also, you can use the PowerShell script.

    Import-Module ActiveDirectory
    # Query every domain controller for lockout events (ID 4740) for user
    # 'afuller' logged in the last 2 hours (7200000 ms)
    Invoke-Command -ComputerName (
        Get-ADDomainController -Filter * |
        Select-Object -ExpandProperty Name
    ) {
        # The XPath filter must be one string without the printed line-wrap marks
        Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='afuller']]" |
        Select-Object TimeCreated,
            @{Label='User Name';Expression={$_.Properties[0].Value}},
            @{Label='Client Name';Expression={$_.Properties[1].Value}}
    }

    Auditing Active Directory user-account lockouts via the PDC emulator:

    Import-Module ActiveDirectory
    # Same query, sent only to the PDC emulator
    Invoke-Command -ComputerName (
        Get-ADDomain |
        Select-Object -ExpandProperty PDCEmulator
    ) {
        Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='afuller']]" |
        Select-Object TimeCreated,
            @{Label='User Name';Expression={$_.Properties[0].Value}},
            @{Label='Client Name';Expression={$_.Properties[1].Value}}
    }

    Script taken from PowerShell Deep Dives (Jeffery Hicks, Richard Siddaway, Oisín Grehan, Aleksandar Nikolić).


    Regards~Biswajit

    Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.

    MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin

    • Proposed as answer by Mahdi Tehrani Wednesday, April 30, 2014 2:38 AM
    Tuesday, April 29, 2014 10:47 AM
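
    A complement to the 4740 queries above, added here and not taken from the post or the book: it reads failed-logon events of the kind shown in the question (assumed to be Security event ID 4625) by field name and groups them by where they came from, so the machine and logon process behind the lockout stand out. The function name Get-FailedLogonSource and its parameters are hypothetical.

```powershell
function Get-FailedLogonSource {
    param(
        [Parameter(Mandatory)][string]$Account,          # e.g. 'backup'
        [string]$ComputerName = $env:COMPUTERNAME,       # machine whose Security log is read
        [int]$Hours = 2
    )

    # Same filter style as the 4740 query: event ID, time window, target account
    $ms = $Hours * 3600000
    $xpath = "*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= $ms]] " +
             "and EventData[Data[@Name='TargetUserName']='$Account']]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData by field name rather than by position
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            [pscustomobject]@{
                TimeCreated  = $_.TimeCreated
                Status       = $data['Status']        # 0xc0000234 = account locked out
                SubStatus    = $data['SubStatus']
                Workstation  = $data['WorkstationName']
                IpAddress    = $data['IpAddress']
                LogonProcess = $data['LogonProcessName']
            }
        } |
        Group-Object Status, SubStatus, Workstation, IpAddress, LogonProcess |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{Label='Status, SubStatus, Workstation, IP, LogonProcess';Expression={$_.Name}},
            @{Label='Last Seen';Expression={
                $_.Group.TimeCreated | Sort-Object | Select-Object -Last 1 }}
}

# Constructed usage: the account from the question, last 24 hours, local Security log
Get-FailedLogonSource -Account 'backup' -Hours 24 | Format-Table -AutoSize
```

    Run it against the computer that logged the failure (ADCSRV in the question); the rows with the highest count point at the source to inspect first.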
  • Yes, this account is using the CA backup service account. Not only this account, the printer service account is also locking.
    Tuesday, April 29, 2014 3:14 PM
  • Hi,

    As others mentioned, I think you could try to troubleshoot the account lockout and find the reason:

    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

    Regards.


    Vivian Wang

    Wednesday, April 30, 2014 2:52 AM
  • Hi,

    Any update about the issue?

    Regards.


    Vivian Wang

    Tuesday, May 6, 2014 7:17 AM