
How to Check Account Lockout Source


An account lockout policy locks a user account after a set number of failed password attempts. Account lockout keeps the account secure by preventing anyone from guessing the user name and password, and it compensates for weak password policies.

The domain controller tracks the user's failed logon attempts and, if the threshold is exceeded, disables the account for a configured period to avoid any potential risk.

Account lockouts are a common problem experienced by Active Directory users. When an account is locked out, the user cannot make any login attempts until the lockout period ends.

What Happens During a Lockout?

When an incorrect password is entered for an account, the Domain Controller that handled the authentication forwards the request to the DC holding the "PDC Emulator" role. Because the PDC Emulator always has the most recent password for the account, it re-checks the provided password against its own database.

If the password is still incorrect, the PDC Emulator increments the account's badPwdCount attribute and a failed login is recorded in the Security event log. If badPwdCount exceeds the Account Lockout Threshold, the DC locks the account, records Event ID 4740 (more on that later), and informs the other Domain Controllers that the account is locked.

There are two ways to unlock the account. One is to wait for the account lockout duration: if it is configured as 30 minutes, the account unlocks automatically after 30 minutes. The second is to unlock the user account manually.

Now you have an idea of what an account lockout is and how the account can be unlocked.

How can an administrator check whether a domain account is locked out? It can be checked by opening the ADUC console; an account lockout message also appears when the user tries to log in to a system or application.

In the screenshot above, you can see the aarti.kumari account is locked out and she cannot authenticate against Active Directory until the account is unlocked. Before unlocking the account, we have to find the lockout source for Aarti's account. There are two options to check the account lockout source: one is the Account Lockout tool, and the second is the metadata log of the locked account. Today we will show the account lockout source using the Account Lockout tool.

The Account Lockout tool is a freeware tool from Microsoft, and you can download it from the Microsoft website.

Open the Account Lockout tool.

Go to File and click the Target option.

Enter the locked user's details and the domain name. WindowsTechno is the target domain for the aarti.kumari account. Click OK.

The Account Lockout tool now shows the user state, last bad password, lockout time and Orig Lock. Many engineers assume the Orig Lock DC is the source of the lockout, but it is not. Orig Lock is the domain controller on which the account lockout event was triggered, not the source of the lockout.

Log in to the domain controller shown there (DC08) and open Event Viewer.

Click on the Security log.

Filter the current log for Event ID 4740, the event ID for an account lockout.

Once you filter on Event ID 4740, it shows the lockout source as in the screenshot below.

Now you can see that the account lockout source for the aarti.kumari account is the host machine shown in the event. Remove the old stored password from that system to avoid further lockouts.
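As an added example, not part of the original post, the same triage done in PowerShell: it reproduces the per-DC view the Account Lockout tool (LockoutStatus.exe) shows, as explained in the lockout section above, then reads Event ID 4740 from the PDC Emulator and extracts the Caller Computer Name, which is the lockout source. It assumes the RSAT ActiveDirectory module and rights to read the DCs' Security logs; the account name is the post's sample account.

```powershell
# Added example (not from the original post): the per-DC lockout view the
# Account Lockout tool shows, plus the 4740 events on the PDC Emulator whose
# Caller Computer Name field is the real lockout source.
# Assumes RSAT's ActiveDirectory module and rights to read the DCs' Security
# logs; 'aarti.kumari' is the sample account from the post.
param(
    [string]$SamAccountName = 'aarti.kumari',
    [int]$Hours = 24
)
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC Emulator: $pdc"

# Step 1: badPwdCount, lockoutTime and lastBadPasswordAttempt are not
# replicated, so every DC must be asked directly (what LockoutStatus.exe does).
$attrs = 'badPwdCount', 'lockoutTime', 'lastBadPasswordAttempt', 'LockedOut'
$perDc = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties $attrs -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc
            BadPwdCount     = $u.badPwdCount
            LockedOut       = $u.LockedOut
            LockoutTime     = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) }
            LastBadPassword = $u.lastBadPasswordAttempt
        }
    } catch { Write-Warning "Could not query ${dc}: $_" }
}
$perDc | Format-Table -AutoSize

# Step 2: 4740 on the PDC Emulator (or on the Orig Lock DC the tool reports).
# The Caller Computer Name is carried in the TargetDomainName data field.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $user = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        if ($user -eq $SamAccountName) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Account       = $user
                LockoutSource = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
                RecordedOnDC  = $_.MachineName
            }
        }
    } | Format-Table -AutoSize
```

Run it on a domain-joined admin workstation; the LockoutSource column is the machine to check for the stale stored credential.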

So this is how we can find the account lockout source. Many companies use Change Auditor or other tools to track AD changes and lockout issues.

So, that’s all in this blog. I will meet you soon with some other stuff. Have a nice day !!!



Vipan Kumar

He is an Active Directory Engineer who has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on these subjects, feel free to contact us at admin@windowstechno.com. Please subscribe to our Facebook page and website for the latest articles. https://www.facebook.com/windowstechno
