An account security policy in most businesses requires mandatory Active Directory user account lockout if the password has been entered incorrectly n times. Usually an account is locked for several minutes (5-30), when a user can’t log in the system. In some time defined by the security policies, the account is unlocked automatically.
Active Directory Account Lockout Policies
The account lockout policy is usually set in the Default Domain Policy for the whole domain. The necessary policies can be found in Computer Configuration -> Windows Settings -> Security Settings -> Account Policy -> Account Lockout Policy. These are the following policies:
- Account lockout threshold is the number of attempts to enter the correct password till the account is locked out
- Account lockout duration is the period of time during which the account is locked out (when this period is over, account lockout will be removed automatically)
- Reset account lockout counter after is the time to reset the counter of the failed login attempts
A temporary account lockout allows to reduce the risk of guessing passwords (by brute force) of AD user accounts.
The situations when a user forgets his/her password and causes the account lockout occur quite often. But in some cases the account lockout happens on no obvious reason. Then the user swears that he/she has not made any mistakes while entering the password, but his/her account has become locked somehow. The administrator can unlock the account manually by the user request, but in some time it happens again and again.
In this article we’ll demonstrate how to find which computer and program caused the Active Directory account lockout.
How to Find a Computer from Which an Account Was Locked Out
First of all, an administrator has to find out from which computer / server occur failed password attempts and goes further account lockout. The event of the domain account lockout can be found in the Security log on a domain controller. Filter the event with the ID 4740 in the security log.
So, we have found an event that indicates that some account (the account name is specified in the string Account Name) is locked (A user account was locked out). Name of the computer from which a lockout has been carried out is shown in the field Caller Computer Name. In this case the computer name is TS01.
How to Find Out a Program That Causes the Account Lockout
So, we have found from which computer / device the account was locked out. Now it would be great to know what program or process are the source of the lockout.
Often users complain of their account lockout after the planned change of their domain account password. This prompts that the older/incorrect password is saved in some program, script or service which regularly tries to authorize in the domain using the previous password. Let’s consider the most relevant cases when a user could have saved his/her older/incorrect password:
- Mapping a network drive via net use (Map Drive)
- In the tasks of Windows Task Scheduler
- In Windows services run from the domain account
- Data saved in the Credential Manager in the Control Panel
- Mobile devices (e. g., those used to access the corporate mail service)
To perform a detailed lockout audit on a selected machine, a number of local Windows audit policies should be enabled. To do it, open a group policy editor gpedit.msc on a local computer, on which a lockout source should be detected, and enable the following policies in Compute Configurations -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:
- Audit process tracking: Success , Failure
- Audit logon events: Success , Failure
Wait till an account is locked out again and find the events with the Event ID 4625 in the Security log. In our sample, this event looks like this:
As you can see from the description, the source of the account lockout is mssdmn.exe (a process which is a component of Sharepoint). Now you only have to inform the user that he/she has to update his/her password on the Sharepoint web portal.
After the analysis is over and the reason is detected and eliminated, don’t forget to disable the activated group audit policies.