Sources of Account Lockouts

Oct 8, 2019 | Security

One frustrating aspect of managing a domain is when accounts seem to lock out within minutes. 

Password policies that require users to change passwords frequently, as part of good security practice, can cause lockouts when users forget where their accounts are in use. The same can happen when a service is configured to run under an account whose password changes frequently. What can you do to make handling this process more reasonable?

The first step is to make sure auditing is enabled on your domain controllers. 

In the Group Policy Management Console, select the Default Domain Controllers Policy and expand Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.

Enable "Audit account logon events" and "Audit logon events", each for both Success and Failure.

This won’t prevent account lockouts from happening, but will make research and recovery much easier. 

How do I find where the account is being locked? 

There are numerous ways of finding where the account is being locked: 

  • Manual (search security log on PDC Emulator and all Global Catalog servers) 
  • Third Party tools 
  • Microsoft’s Lockout Status tool

Microsoft’s Lockout Status tool is a free download that scans all domain controllers, not just the Primary Domain Controller (PDC) emulator.

It enumerates the status of the user you enter, which shows which domain controller logged the bad password. You then need to open the event log on each domain controller that shows a locked event and search the Security log for event ID 4740. That event gives you the source machine that sent the bad password.
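
One way to run the manual search described above from PowerShell, as an added example that is not part of the original post: it queries the Security log of every domain controller for event ID 4740 and lists the source machine for one user. It assumes the ActiveDirectory (RSAT) module is installed and that your account can read the Security log remotely; the parameter names and the 24-hour default window are illustrative.

```powershell
# Added example: find the source machine for lockouts of one user (event ID 4740).
# Assumes the ActiveDirectory module and remote read access to each DC's Security log.
param(
    [Parameter(Mandatory)] [string] $UserName,   # sAMAccountName of the locked account
    [int] $HoursBack = 24                        # illustrative search window
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$HoursBack)
$dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $since
        } -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when no events match or the DC cannot be reached
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }

    foreach ($e in $events) {
        # Read the event's named data fields instead of relying on their position
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }

        if ($data['TargetUserName'] -ne $UserName) { continue }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $dc
            LockedAccount    = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" is stored in TargetDomainName
            CallerComputer   = $data['TargetDomainName']
        }
    }
}

$results | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The CallerComputer column is the source machine to investigate next.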

Tip – Watch for lockouts coming from a mobile device. Most lockouts after a password change are from a mobile device that has e-mail configured on it. You should see the name of the device in the log, but it could also just come from the Exchange server.

Account lockouts can be a troublesome problem for system admins, but knowing where to look can help narrow it down and get users fully functional again in the least amount of time. 
