It would just take 5 steps to find the source of Account Lockouts in the Active Directory domain.
Today, in this article let’s go through those steps to find the source of Account Lockouts.
Here at Bobcares, we have seen several such Windows-related queries as part of our Server Management Services for web hosts and online service providers.
Why account lockouts in the Active directory
Active Directory auditing is a process where it collects the data about the AD objects and analyzes and reports on that data, in order to determine the overall health of the directory. This process is very important as it ensures the security of the IT environment.
However, one of the most common issue Active Directory auditors face is finding the source of account lockouts.
In case, if any user gets locked out due to any reason then the password modifications, may result in downtime. Also, it can often be a time-consuming process to get the AD account re-enabled.
Generally, the account gets locked out due to repeatedly entering bad passwords.
How to Identify the source of Account Lockouts in Active Directory
Now let’s take a look at how our Support Engineers identify locked out accounts and find the source of Active Directory account lockouts.
1. Searching for the DC (Domain Controller) having the PDC Emulator Role
Generally, the DC (Domain Controller) with the PDC emulator role will capture every account lockout event with an event ID 4740.
We run the below cmdlet to search the domain controller having the role of a PDC emulator.
2. Looking for the Event ID 4740
Next, we open the event log viewer of the DC. Then we go to the security logs and search for Event ID 4740.
3. Applying Appropriate Filters in Place
In order to generate a more customized report, we can apply suitable filters. For instance, we can search for a lockout that occurred in the last hour or last 12 hours and find the recent lockout source of a particular user.
4. Finding out the Locked Out Account Event
Now we shall click on the Find button in the Actions pane. Then we enter the user whose account is locked out.
5. Open the Event Report to see the Source of the Locked Out account
Finally, now we can find the name of the user account in the “Account Name” section. Also, we can find the lockout location as well in the ‘Caller Computer Name’ field.
[Need any further assistance with Windows queries? – We are here to help you]
Today, we saw how our Support Engineers find the source of Account Lockouts in the Active Directory domain.