Posted on June 25, 2014 · Posted in Active Directory

Troubleshooting: Identify Source of Active Directory Account Lockouts

An account security policy in most businesses requires mandatory Active Directory user account lockout if the password has been entered incorrectly n times. Usually an account is locked for several minutes (5-30), when a user can’t log in the system. In some time defined by the security policies, the account is unlocked automatically.

Active Directory Account Lockout Policies

The account lockout policy is usually set in the Default Domain Policy for the whole domain. The necessary policies can be found in Computer Configuration -> Windows Settings -> Security Settings -> Account Policy -> Account Lockout Policy. These are the following policies:

  • Account lockout threshold is the number of attempts to enter the correct password till the account is locked out
  • Account lockout duration is the period of time during which the account is locked out (when this period is over, account lockout will be removed automatically)
  • Reset account lockout counter after is the time to reset the counter of the failed login attempts

Active Directory Account Lockout Policies

Tip. You can unlock the account manually without waiting till it is unlocked automatically using the ADUC console in the Account tab of the User Account Properties menu by checking the Unlock account. This account is currently locked out on this Active Directory Domain Controller box.

A temporary account lockout allows to reduce the risk of guessing passwords (by brute force) of AD user accounts.

The situations when a user forgets his/her password and causes the account lockout occur quite often. But in some cases the account lockout happens on no obvious reason. Then the user swears that he/she has not made any mistakes while entering the password, but his/her account has become locked somehow. The administrator can unlock the account manually by the user request, but in some time it happens again and again.

In this article we’ll demonstrate how to find which computer and program caused the Active Directory account lockout.

How to Find a Computer from Which an Account Was Locked Out

First of all, an administrator has to find out from which computer / server occur failed password attempts and goes further account lockout. The event of the domain account lockout can be found in the Security log on a domain controller. Filter the event with the ID 4740 in the security log. Active Directory Account Domain Controller Lockout Event ID 4740

So, we have found an event that indicates that some account (the account name is specified in the string Account Name) is locked (A user account was locked out). Name of the computer from which a lockout has been carried out is shown in the field Caller Computer Name. In this case the computer name is TS01.

Note. If there are several domain controllers, the lockout event has to be searched in the logs for each of them. Also you can subscribe to the events on other DCs. This task becomes easier with Microsoft Account Lockout and Management Tools (you can download it here). With this tool, you can specify several domain controllers at once to monitor the event logs looking for the number of failures to enter the correct password by a certain user. Microsoft Account Lockout and Management Tools

How to Find Out a Program That Causes the Account Lockout

So, we have found from which computer / device the account was locked out. Now it would be great to know what program or process are the source of the lockout.

Often users complain of their account lockout after the planned change of their domain account password. This prompts that the older/incorrect password is saved in some program, script or service which regularly tries to authorize in the domain using the previous password. Let’s consider the most relevant cases when a user could have saved his/her older/incorrect password:

  • Mapping a network drive via net use (Map Drive)
  • In the tasks of Windows Task Scheduler
  • In Windows services run from the domain account
  • Data saved in the Credential Manager in the Control Panel
  • Browsers
  • Mobile devices (e. g., those used to access the corporate mail service)

Tip. There are a number of third-party tools (mostly commercial) that allow an administrator to scan a remote machine and detect the source of the account lockout. We note Account Lockout Examiner by Netwrix as quite a popular solution.

To perform a detailed lockout audit on a selected machine, a number of local Windows audit policies should be enabled. To do it, open a group policy editor gpedit.msc on a local computer, on which a lockout source should be detected, and enable the following policies in Compute Configurations -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:

  • Audit process tracking: Success , Failure
  • Audit logon events: Success , Failure

Account lockout audit policies

Wait till an account is locked out again and find the events with the Event ID 4625 in the Security log. In our sample, this event looks like this:

account lock Event ID 4625

As you can see from the description, the source of the account lockout is mssdmn.exe (a process which is a component of Sharepoint). Now you only have to inform the user that he/she has to update his/her password on the Sharepoint web portal.

After the analysis is over and the reason is detected and eliminated, don’t forget to disable the activated group audit policies.

Related Articles