Bobcares

How to find the Source of Account Lockouts in Active Directory domain

by | Jan 22, 2021

It takes just 5 steps to find the source of account lockouts in an Active Directory domain.

Today, in this article let’s go through those steps to find the source of Account Lockouts.

Here at Bobcares, we have seen several such Windows-related queries as part of our Server Management Services for web hosts and online service providers.

 

Why account lockouts occur in Active Directory

Active Directory auditing is the process of collecting data about AD objects, then analyzing and reporting on that data to determine the overall health of the directory. This process is very important as it ensures the security of the IT environment.

However, one of the most common issues Active Directory auditors face is finding the source of account lockouts.

If a user gets locked out for any reason, the resulting password modifications may cause downtime. Also, getting the AD account re-enabled can often be a time-consuming process.

Generally, the account gets locked out due to repeatedly entering bad passwords.

 

How to Identify the source of Account Lockouts in Active Directory

Now let’s take a look at how our Support Engineers identify locked out accounts and find the source of Active Directory account lockouts.

1. Searching for the DC (Domain Controller) having the PDC Emulator Role

Generally, the DC (Domain Controller) with the PDC emulator role captures every account lockout event as Event ID 4740.

We run the below cmdlet to find the domain controller that holds the PDC emulator role.

(Get-ADDomain).PDCEmulator

2. Looking for the Event ID 4740

Next, we open the event log viewer of the DC. Then we go to the security logs and search for Event ID 4740.


3. Applying Appropriate Filters in Place

In order to generate a more customized report, we can apply suitable filters. For instance, we can search for a lockout that occurred in the last hour or last 12 hours and find the recent lockout source of a particular user.

4. Finding out the Locked Out Account Event

Now we shall click on the Find button in the Actions pane. Then we enter the user whose account is locked out.

5. Open the Event Report to see the Source of the Locked Out account

Finally, we can find the name of the user account in the ‘Account Name’ section. We can also find the lockout location in the ‘Caller Computer Name’ field.
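The five steps above can also be run as a single PowerShell query. This is an added example, not Bobcares' own script: the function name Get-LockoutSource and the sample account jdoe are hypothetical, and it assumes the ActiveDirectory module plus rights to read the Security log on the PDC emulator.

```powershell
#Requires -Modules ActiveDirectory
# Added example: Get-LockoutSource is a hypothetical helper name.
function Get-LockoutSource {
    [CmdletBinding()]
    param(
        # sAMAccountName to look for; omit to list every lockout in the window
        [string]$UserName,
        # How far back to search (step 3: for instance the last 1 or 12 hours)
        [int]$Hours = 12
    )

    # Step 1: the DC holding the PDC emulator role records the lockout events
    $pdc = (Get-ADDomain).PDCEmulator

    # Steps 2-3: Security log, Event ID 4740, limited to the time window
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    try {
        $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events found" is a normal result; access or RPC errors are re-thrown
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    foreach ($evt in $events) {
        # Read the EventData fields by name rather than by position
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # Step 4: keep only the account of interest
        if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }

        # Step 5: in event 4740 the XML field TargetDomainName holds "Caller Computer Name"
        [pscustomobject]@{
            TimeCreated        = $evt.TimeCreated
            AccountName        = $data['TargetUserName']
            CallerComputerName = $data['TargetDomainName']
            DomainController   = $pdc
        }
    }
}

# Usage: lockouts for one (constructed) account in the last hour
Get-LockoutSource -UserName 'jdoe' -Hours 1 | Format-Table -AutoSize
```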


Conclusion

Today, we saw how our Support Engineers find the source of Account Lockouts in the Active Directory domain.
