We help IT Professionals succeed at work.

Active Directory - Account keeps getting locked.

MilesLogan used Ask the Experts™
Hello .. need some help if you guys can ..

Anyone have a script or tool to find out what resource is locking a domain user account ?

User changed their password , but the old password was hard coded to run scripts or services on some servers. How would you find
out what is locking the account ?
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Dav GrayIT Manager

Have you got a group policy for password control?
Generally if this is set up in say 3 attempts, the user account becomes locked.

It may be one of your scripts has tried the old password to invoke the above policy (if enabled)
Dale HarrisProfessional Services Engineer

You can run a query on your security logs on AD to show you what computer is trying to use it.  This would most likely give you a very good hint if it was a server holding a single role.

You could do something simple in powershell to get some raw data parsed out easily:

$Logs = get-eventlog "Security" | ?{$_.[column you choose].contains("Administrator")}

Something like that.  I'm not able to get into my domain controller because I'm not at work, but you can work with the code a little bit to create something for your own environment pretty easily.  Remember to run this on your domain controller.


Dale Harris
Top Expert 2013

Take a look at this blog from about account lockouts, goes over some good Microsoft tools


sometimes the network trace will the most helpful piece to figure out where the lockout is coming from.  Is this a normal user or could this account be used on a service somewhere?


Try Account Lockout and Management Tool.

Microsoft provides a free set of tools called Account Lockout and Management Tools which you can download as the self-extracting file ALTools.exe from the Microsoft Download Center.

More info about AL tool:

Sandesh DubeyTechnical Lead
Top Expert 2011

If the multiple user ids are getting locked in AD this could be the sympton of Win32/Conficker worm
On th DC check the security log event id 644 will occur if the account is getting locked.Open the event and check the caller Machine.If you check the multiple 644 logs you will find the same caller machine.If this is the case unplug the caller machine from the network and do windows patching on the PC and update the virus defination and do full scan.There could be multiple PC in the environment which may be affected by Conficker virus.

If it is spread on multiple PC create a GPO.Refer below MS link symptoms of Conficker virus is given and also how to deploy the policy to block the same.

Also make suer that all the PC as well are server are patched and latest verus defination is present all PC.

Note:If the event id 644 has not occured then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occuring.This scenario is for only Conficker Virus as I have faced the same issue in my network.

There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed

For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

You can also install Account Lockout and Management Tool:http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465


Hi Dale

I like this option since I dont have to install any additional software , but I cant get it to work .. can you check it on your DC if you are able to ?

$Logs = get-eventlog "Security" | ?{$_.[column you choose].contains("Administrator")}

[column you choose] what do I enter here ?
("Administrator") I enter the account ID that I want to check here ?
Professional Services Engineer
"User" is the column we are looking for:

$Logs = get-eventlog "Security" | ?{$_.user.tostring().contains("Administrator")}

Try that and see if that works.  I'll get you a working script later today.  You must use whatever account in the "quotes" that you're trying to look for.  I'm assuming the name of the account in administrator, but obviously that could change.

Dale Harris
Dale HarrisProfessional Services Engineer


Try this blog to get you going.  I'm not sure exactly how far you want to take this, so this will definitely help you out.  It's the Microsoft Scripting Guy and he's a wealth of information.


Excerpt from website:

get-eventlog System | where-object {$_.EventID -eq "6005"}

This is pretty much the same way I'm telling you to do it.  They expand my ? with "where-object".  Also they are filtering by EventID which you can do as well.  That just refers to the actual property value.

One of the ways you can get all the types of properties/methods for the event log try this:

$Log = get-eventlog Security
$Log | gm

Then look under properties and you'll be able to see the different ways you can ask for information.


Dale Harris


Thank you !