AD account is locked.

  • Question

  • Hello, 

    We have a user whose AD account keeps being locked. I checked the security log on all domain controllers and also checked reports from a 3rd-party AD management tool to identify the source. I have shut down all his computers and his phone, but his account is still being locked 3 mins after the unlock.

    Please advise if you know what else I could try. 

    Many thanks.  
    Wednesday, December 12, 2018 9:21 PM

All replies

  • This reference may help:

    https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773155(v=ws.10)

    Edit: Assuming your domain is at DFL Windows Server 2003 or above, and the password history setting is at least 3, then authentications with the two previous passwords should not result in account lockout. Either some app or process is using an even older password, or the account is being attacked.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Wednesday, December 12, 2018 9:55 PM
  • Hi,

    To add to Richard's answer: if the client is trying to access a resource using an unsupported authentication protocol, the user account will be locked.

    Try enabling auditing on the domain controller to know which computer locks the user account.


    Please don't forget to mark the correct answer, to help others who have the same issue. Thameur BOURBITA MCSE | MCSA My Blog : http://bourbitathameur.blogspot.fr/

    Wednesday, December 12, 2018 10:35 PM
    • Proposed as answer by ITPro-Tips Tuesday, December 18, 2018 12:37 AM
    Wednesday, December 12, 2018 11:13 PM
  • Hi,
    First we should confirm how many user accounts have been locked, and which user accounts they are.
    If only one account is locked, and it is locked only occasionally, it may be caused by the user accidentally entering the wrong password more times than the threshold value we defined.

    If it is often locked, we can configure the audit policy on the domain controller (PDC) to confirm which client or server (resource computer) locks the account.

    1. Apply the audit policy to the PDC under this location:
    Default Domain Policy: Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration -> Audit Policies
    Account Management -> Configure all items as Success and Failure
    Account Logon -> Configure all items as Failure

    2. On the DC, run the command "auditpol /get /category:* >C:\path\filename.txt" to make sure the audit policies have been applied.
    3. On the client, type a wrong password 3 times so that the user account is locked. Then go to the domain controller (PDC) and check in the Security Log whether we received the following event (PDC -> Event Viewer -> Windows Logs -> Security Log):
    4740      A user account was locked out.

    4. Within this event, we can see the resource computer (the caller computer name is the resource computer).
    5. On the resource computer, apply the following audit policies (local group policy editor):
    Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration -> Audit Policies
    Logon/Logoff -> Configure all items as Failure.
    Detailed Tracking -> Configure all items as Success and Failure.

    6. Reproduce the issue on the client (or, once the account is locked on the client again, unlock the account manually and log on to the computer again). By combining the time stamp of Event 4740 with the client's Security Log, we can see in detail which process was launched on the client while Event 4740 was reported.

    Reference:
    4740(S): A user account was locked out.
    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4740

    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Thursday, December 13, 2018 2:21 AM
    Moderator
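The procedure above (steps 1 to 6) can be scripted so the lockout source is read straight from the PDC emulator's Security log instead of by hand. The following PowerShell is an added example written for this thread, not code from any of the posters or from Microsoft. It assumes the RSAT ActiveDirectory module, permission to read the Security log on the PDC emulator and on the caller computer remotely (WinRM for the auditpol check), and that the audit policy from step 1 is already in place. The account name is a placeholder; the `-FollowUp` switch and all variable names are this example's own.

```powershell
<#
  Added example (not from the thread): locate the computer that is
  triggering Event 4740 lockouts for one account, then optionally pull
  the matching 4625 (logon failure) / 4688 (process creation) events from
  that computer, which is what steps 5 and 6 correlate by time stamp.
  Assumes RSAT ActiveDirectory, remote Security-log read rights and WinRM.
#>
param(
    [Parameter(Mandatory)] [string]$SamAccountName,   # placeholder, e.g. 'jdoe'
    [int]$Hours = 24,
    [switch]$FollowUp
)

Import-Module ActiveDirectory

# Lockouts are always recorded on the PDC emulator, so query that DC only.
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator: $pdc"

# Step 2 check, narrowed to the subcategory that produces 4740.
Invoke-Command -ComputerName $pdc -ScriptBlock {
    auditpol /get /subcategory:"User Account Management"
} | Where-Object { $_ -match 'User Account Management' } | ForEach-Object { Write-Host $_ }

# Step 3: collect 4740 events for the last $Hours hours.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

# Step 4: parse the event XML. In 4740 the 'Caller Computer Name' shown in
# Event Viewer is carried in the EventData element named TargetDomainName.
$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $SamAccountName) { continue }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
        ReportingDC    = $data['SubjectUserName']
    }
}

if (-not $lockouts) {
    Write-Host "No 4740 events for $SamAccountName in the last $Hours hours on $pdc."
    return
}

$lockouts | Sort-Object Time | Format-Table -AutoSize

# Which caller computers lock the account, and how often. A blank caller or
# the DC's own name usually means the bad password arrived through another
# service (VPN, RADIUS, a web front end) rather than an interactive logon.
$lockouts | Group-Object CallerComputer |
    Select-Object @{n = 'CallerComputer'; e = { $_.Name }}, Count |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Steps 5/6: on each caller computer, show failed logons (4625) and process
# creations (4688) in the two minutes before each lockout. These events only
# exist if the Logon/Logoff and Detailed Tracking audit policies were applied.
if ($FollowUp) {
    foreach ($l in $lockouts | Where-Object { $_.CallerComputer }) {
        $win = @{
            LogName   = 'Security'
            Id        = 4625, 4688
            StartTime = $l.Time.AddMinutes(-2)
            EndTime   = $l.Time.AddSeconds(30)
        }
        Write-Host "`n== $($l.CallerComputer) around $($l.Time) =="
        Get-WinEvent -ComputerName $l.CallerComputer -FilterHashtable $win -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id,
                @{n = 'Detail'; e = { ($_.Message -split "`n")[0].Trim() }} |
            Format-Table -AutoSize
    }
}
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName jdoe -Hours 6 -FollowUp` from a workstation with RSAT. The first table answers step 4 (which computer is the caller); the per-computer tables for the `-FollowUp` pass are the step 6 correlation, where a 4688 entry a few seconds before the lockout normally names the process (scheduled task, service, mapped drive, cached credential in a browser or phone client) that is still presenting the old password.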
  • Hi,
    Is there any update on this question? Also, is there any other assistance we could provide?
    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, December 17, 2018 1:20 AM
    Moderator
  • Hi,
    Greetings!
     
    Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.
     
    Again thanks for your time and have a nice day!

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, December 18, 2018 11:34 PM
    Moderator