To effectively troubleshoot an Active Directory (AD) account lockout, you must isolate the source device generating the bad password attempts and then remediate the stale credentials cached on that machine.
The step-by-step process below outlines how to find the root cause and prevent the lockout from recurring.

1. Enable Auditing (Prerequisite)
If you are not already logging bad passwords, you cannot trace the source.
Open the Group Policy Management Console (GPMC) via gpmc.msc. Edit your Domain Controllers GPO. Navigate to Advanced Audit Policy Configuration → Audit Policies → Account Management.
Enable Success and Failure auditing for Audit User Account Management.

2. Identify the Source Device
The Primary Domain Controller (PDC) Emulator handles all domain account lockouts. Log directly into the PDC Emulator to view the authoritative log. Open Event Viewer (eventvwr.msc) and go to Windows Logs → Security. Filter the log for Event ID 4740 (Account Lockout).
Open the event and check the Caller Computer Name field. This is the machine causing the lockouts.

3. Trace the Caller Process
If the source machine is a shared server (like a Terminal Server or RADIUS server), you need to find the specific app or process firing the bad passwords.
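Steps 2 and 3 above can be scripted rather than clicked through in Event Viewer. The following PowerShell is an added example, not part of the original guide: it locates the PDC Emulator, pulls the last day of Event ID 4740 records, tabulates which caller computer is locking which account, and then, for the noisiest caller, lists the failed logons (4625) on that host, which carry the Caller Process Name when the attempt originated locally. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Security log on the PDC and on the caller machine; the `$lookback` window is an assumption you can adjust.

```powershell
# Added example (not from the original guide). Assumes RSAT ActiveDirectory
# module and rights to read remote Security logs; $lookback is an assumption.
Import-Module ActiveDirectory

$lookback = (Get-Date).AddDays(-1)

# The PDC Emulator holds the authoritative lockout record for the domain.
$pdc = (Get-ADDomain).PDCEmulator

$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction Stop -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $lookback
    } | ForEach-Object {
        # Read the EventData fields by name from the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            # In 4740 the XML field TargetDomainName is what Event Viewer
            # renders as "Caller Computer Name".
            CallerComputer = $data['TargetDomainName']
        }
    }

if (-not $lockouts) { Write-Host "No 4740 events on $pdc since $lookback"; return }

# Group by account + caller so a single noisy host stands out immediately.
$summary = $lockouts | Group-Object Account, CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';        e = { $_.Group[0].Account } },
        @{ n = 'CallerComputer'; e = { $_.Group[0].CallerComputer } }
$summary | Format-Table -AutoSize

# Step 3: on the top caller, failed logons (4625) for that account include the
# Caller Process Name when the bad password was submitted by a local process.
$top = $summary | Select-Object -First 1
Get-WinEvent -ComputerName $top.CallerComputer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $lookback
    } | Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($top.Account))\b" } |
    ForEach-Object {
        $proc = if ($_.Message -match 'Caller Process Name:\s+(\S+)') { $Matches[1] } else { '-' }
        [pscustomobject]@{ Time = $_.TimeCreated; Host = $top.CallerComputer; Process = $proc }
    } | Format-Table -AutoSize
```

If the process column shows "-" for every row, the bad password arrived over the network (for example from a RADIUS or terminal-server session), and you need to look at that service's own logs or the logon type in the 4625 message to narrow it further.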