
AD Account - Repeatedly Locked Out

I have a specific user's AD account which is continuously getting locked out approx. 15-20 times a day.

Is there any way I can audit which station or IP address the account is getting locked out from?

Thanks in advance for any help or suggestions.

1 Solution
Sekar Chinnakannu, Staff Engineer, Commented:
Search for Event ID 4740; it helps you find where the account got locked. Filter for it on your domain controller. From there you can see the account name and the server name where it gets locked.
Hi, this article goes through what you need to know pretty well :).


Gaurav Singh, Solution Architect, Commented:

A malicious user may be attempting to log on to the machine by "brute forcing" the password.

The SAM event indicates that enough attempts were made on the administrator account to cross the Account lockout threshold. As the administrator cannot be locked out, this event is logged instead. If a machine is infected by a virus, it can no longer be trusted. Microsoft suggests reinstalling the system.

For more information about troubleshooting account lockout issues, you can use Account Lockout and Management Tools to help rule out the root cause of this issue.

Use Account Lockout and Management Tools; the link is already provided by systechadmin.

Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0

Event ID 12294 — Account Lockout

Abhijit Waikar.
I bet the user involved has a smartphone or some kind of mobile device using AD credentials for connecting (like Exchange). If it fails to connect 3 times (depending on your GPOs), it locks his account.

Have a look at all his stuff that uses his user account automatically, especially his mobile (90% of the time guilty).
Hi, go through the below link and download the EventCombMT tool.


Then go to Searches -> Built In Searches -> Account Lockouts.

Then add the user ID which is frequently getting locked out in the text .. then search.

You will get the details of which systems get the lockout.

There may be a virus on the one system which is locking out the account.

Sandeshdubey, Senior Server Engineer, Commented:
Here are two toolsets that can help:


Take a look at this blog from about account lockouts, goes over some good Microsoft tools


Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from. Is this a normal user or could this account be used on a service somewhere?
Suncore, Author, Commented:
Daetl, thank you. The user changed their password but had not updated the Exchange settings on their iPhone, which was locking out the account just as you suggested.

Thank you all for your help.
You're welcome. This kind of issue has been more and more frequent these last years with smartphones invading the market.