<div>
Search for Event ID 4740 and it helps you where the account got locked.Filter it in your domain controller. from there you can see the account name and server name where it get locked.
</div>


<div>
Hi, this article goes through what you need to know pretty well :).<br />
<br />
<a href="http://www.windowsecurity.com/articles/windows-active-directory-auditing.html" rel="ugc">http://www.windowsecurity.com/articles/windows-active-directory-auditing.html</a><br />
<br />
Cheers<br />
Reuben
</div>


<div>
Use lockut tool. Refer &nbsp;<a href="http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465" rel="ugc">http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465</a>
</div>


<div>
A malicious user may be attempting to logon to the machine by &quot;brute forcr&quot;ing the password.<br />
<br />
The SAM event indicates that the enough attempts were made on the administrator account to cross the Account lockout threshold. As the administrator cannot be locked out, this event is logged instead. A machine is infected by virus it could not be trusted no longer. Microsoft suggests reinstalling the system.<br />
<br />
For more information about troubleshooting account lockout issue, you can use Account Lockout and management Tools to help rule out the root cause of this issue.<br />
<br />
USe Account Lockout and Management Tools link is already provided by systechadmin<br />
<br />
Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0<br />
<a href="http://support.microsoft.com/default.aspx?scid=kb;EN-US;315585" rel="ugc">http://support.microsoft.com/default.aspx?scid=kb;EN-US;315585</a>&nbsp;<br />
<br />
Event ID 12294 — Account Lockout<br />
<a href="http://technet.microsoft.com/en-us/library/cc733228(WS.10).aspx" rel="ugc">http://technet.microsoft.com/en-us/library/cc733228(WS.10).aspx</a><br />
<br />
Regards,<br />
Abhijit Waikar.
</div>


<div>
Hi go through the below link and download the EventCombMT tool<br />
<br />
<a href="http://support.microsoft.com/kb/824209" rel="ugc">http://support.microsoft.com/kb/824209</a>&nbsp;<br />
<br />
<br />
then go to Serches-----&gt; Built in searches ---&gt; Account lockouts<br />
<br />
then add the user id which is going frequently lock out in the text .. &nbsp;then search.<br />
<br />
you will get the details which systems get the lockout.<br />
<br />
their may be virus on the one system which is locout the account.<br />
<br />
<br />

</div>


<div>
Here are two toolsets that can help<br />
<br />
<a href="http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465" rel="ugc">http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465</a><br />
and<br />
<a href="http://www.netwrix.com/account_lockout_examiner.html" rel="ugc">http://www.netwrix.com/account_lockout_examiner.html</a>&nbsp;<br />
<br />
Take a look at this blog from about account lockouts, goes over some good Microsoft tools<br />
<br />
<a href="http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx" rel="ugc">http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx</a><br />
<br />
sometimes the network trace will the most helpful piece to figure out where the lockout is coming from. Is this a normal user or could this account be used on a service somewhere?
</div>


<div>
Daetl thank you, the user changed their password but had not updated the exchange settings on their iPhone, which was locking out the account just as you suggested.<br />
<br />
Thank you all for your help.
</div>


<div>
You're welcome, this kind of issue has been more and more frequent those last years with smartphones invading the market.
</div>


<div>
<div class="content wysiwyg-content">
I have a specific users AD account which is continuously getting locked out approx. 15-20 times a day.<br />
<br />
Is there any way I can audit from which station or IP address the account is getting locked out from?<br />
<br />
Thanks in advance for any help or suggestions.<br />
<br />
:)
</div>
</div>


I have a specific users AD account which is continuously getting locked out approx. 15-20 times a day.

Is there any way I can audit from which station or IP address the account is getting locked out from?

Thanks in advance for any help or suggestions.

:)

AD Account - Repeatedly Locked Out

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Digital forensics encompasses the recovery and investigation of material found in digital devices, often in relation to computer crime. Digital forensics investigations have a variety of applications. The most common is to support or refute a hypothesis before criminal or civil (as part of the electronic discovery process) courts. The technical aspect of an investigation is divided into several sub-branches, relating to the type of digital devices involved; computer forensics, network forensics, forensic data analysis and mobile device forensics. The typical forensic process encompasses the seizure, forensic imaging (acquisition) and analysis of digital media and the production of a report into collected evidence.

Digital Forensics

Security is the protection of information systems from theft or damage to the hardware, the software, and the information on them, as well as from disruption or misdirection of the services they provide. The main goal of security is protecting assets, and an asset is anything of value and worthy of protection.  Information Security is a discipline of protecting information assets from threats through safeguards to achieve the objectives of confidentiality, integrity, and availability or CIA for short. On the other hand, disclosure, alteration, and disruption (DAD) compromise the security objectives.