AD Account - Repeatedly Locked Out

Posted on 2011-10-05
Last Modified: 2012-05-12
I have a specific user's AD account which is continuously getting locked out approx. 15-20 times a day.

Is there any way I can audit which station or IP address the account is getting locked out from?

Thanks in advance for any help or suggestions.

Question by:Suncore
    LVL 24

    Expert Comment

    by:Sekar Chinnakannu
    Search for Event ID 4740; it helps you find where the account got locked. Filter for it on your domain controller. From there you can see the account name and the server name where it gets locked.
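
Added example, not part of the original thread or any poster's own code: one way to run the Event ID 4740 search described above from PowerShell and list which computer each lockout came from. The script's parameter names are hypothetical, and it assumes it is run on (or pointed at) a domain controller with rights to read the Security log.

```powershell
# Added example: list lockout events (Event ID 4740) for one account
# and show which computer each lockout was reported from.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # account that keeps locking out
    [string] $DomainController = $env:COMPUTERNAME,     # assumption: run on a DC
    [int]    $Days = 2                                  # how far back to search
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}

# SilentlyContinue: Get-WinEvent raises an error when nothing matches.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter `
                       -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Read EventData by field name instead of by position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }

    if ($data['TargetUserName'] -ne $SamAccountName) { continue }

    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        Account        = $data['TargetUserName']
        # In event 4740 the caller computer name is held in TargetDomainName.
        CallerComputer = $data['TargetDomainName']
        LoggedOn       = $e.MachineName
    }
}

if (-not $lockouts) {
    Write-Warning "No 4740 events for '$SamAccountName' in the last $Days day(s) on $DomainController."
    return
}

# Timeline first, then a count per source so the repeat offender stands out.
$lockouts | Sort-Object TimeCreated | Format-Table -AutoSize
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Event 4740 is only written when auditing of user account management is enabled on the domain controllers. When the failed logons come from a mobile device, the caller computer shown can be the server the device talks to (an Exchange server, for example) rather than the device itself.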
    LVL 6

    Expert Comment

    Hi, this article goes through what you need to know pretty well :).

    LVL 17

    Expert Comment

    by:Gaurav Singh
    LVL 10

    Expert Comment

    A malicious user may be attempting to log on to the machine by "brute forcing" the password.

    The SAM event indicates that enough attempts were made on the administrator account to cross the Account lockout threshold. As the administrator cannot be locked out, this event is logged instead. A machine infected by a virus can no longer be trusted. Microsoft suggests reinstalling the system.

    For more information about troubleshooting account lockout issues, you can use the Account Lockout and Management Tools to help rule out the root cause of this issue.

    Use the Account Lockout and Management Tools; the link is already provided by systechadmin.

    Troubleshooting account lockout problems in Windows Server 2003, in Windows 2000, and in Windows NT 4.0;EN-US;315585

    Event ID 12294 — Account Lockout

    Abhijit Waikar.
    LVL 4

    Accepted Solution

    I bet the user involved has a smartphone or some kind of mobile device using AD credentials for connecting (like Exchange). If it fails to connect 3 times (depending on your GPOs), it locks his account.

    Have a look at all his stuff that uses his user account automatically, especially his mobile (90% of the time guilty).
    LVL 2

    Expert Comment

    Hi, go through the link below and download the EventCombMT tool.

    Then go to Searches -> Built In Searches -> Account Lockouts.

    Then add the user ID which is frequently getting locked out in the text box, then search.

    You will get the details of which systems cause the lockout.

    There may be a virus on the one system which is locking out the account.

    LVL 24

    Expert Comment

    Here are two toolsets that can help

    Take a look at this blog from about account lockouts, goes over some good Microsoft tools

    Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from. Is this a normal user or could this account be used on a service somewhere?
    LVL 2

    Author Closing Comment

    Daetl thank you, the user changed their password but had not updated the exchange settings on their iPhone, which was locking out the account just as you suggested.

    Thank you all for your help.
    LVL 4

    Expert Comment

    You're welcome. This kind of issue has been more and more frequent these last years with smartphones invading the market.
