
Trace the source of AD user account lockout

CRIIT asked
Hi Experts,

I encountered dozens of users' accounts that were locked after they changed their passwords according to our domain account policy. I found the reason is that users changed their password on their current desktop or laptop only. They have not changed their password on the devices related to their account, such as a smart phone (using webmail), an instrument machine (which is logged in with the user account), or network drives (which are mapped with the user account).
Are there any tools or scripts I can use to easily trace the source machine and session that causes the user's account to be locked?
I use a Windows Server 2003 AD environment.
Thanks in advance.

Similar to eventcomb, there is also the "account lockout status tool" which can be helpful if you have a lot of domain controllers.  It tries to guess the domain controller that first triggered the lockout, which can narrow down your search a bit.  There's still legwork to be done in many cases after you find the DC to focus on, which might even take you back to eventcomb.
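As an added example (not code from the thread or from the tools named above), the following PowerShell script does the legwork the answer describes: it starts with the PDC emulator, because every DC forwards bad-password counts and lockouts there, then reads each DC's Security log for lockout events and pulls out the calling machine name. Event ID 644 is the lockout event on Windows Server 2003 and 4740 on Windows Server 2008 and later, and the two wordings ("Caller Machine Name" vs "Caller Computer Name") are both handled. It assumes PowerShell 2.0 or later, an account that can read the Security log remotely on each DC, and `jdoe` is a placeholder account name.

```powershell
# Added example: trace which machine triggered an AD account lockout.
# Assumes PowerShell 2.0+ and rights to read each DC's Security log.
param(
    [string]$User  = "jdoe",   # placeholder sAMAccountName to trace
    [int]   $Hours = 24        # how far back to search
)

$since  = (Get-Date).AddHours(-$Hours)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$pdc    = $domain.PdcRoleOwner.Name

# PDC emulator first: lockouts are always forwarded to it, so it is the best single log to read.
$dcs = @($pdc) + @($domain.DomainControllers |
    ForEach-Object { $_.Name } |
    Where-Object { $_ -ne $pdc })

foreach ($dc in $dcs) {
    try {
        # 644 = Server 2003 "User Account Locked Out"; 4740 = Server 2008+ "A user account was locked out"
        $events = Get-EventLog -LogName Security -ComputerName $dc `
                               -InstanceId 644, 4740 -After $since `
                               -Message "*$User*" -ErrorAction Stop
    } catch {
        Write-Warning "Could not read Security log on ${dc}: $_"
        continue
    }

    foreach ($e in $events) {
        # 2003 wording: "Caller Machine Name:"; 2008+ wording: "Caller Computer Name:"
        $caller = '(not found)'
        if ($e.Message -match 'Caller (Machine|Computer) Name:\s*(\S+)') {
            $caller = $Matches[2]
        }
        New-Object PSObject -Property @{
            DomainController = $dc
            Time             = $e.TimeGenerated
            EventID          = $e.EventID
            LockedAccount    = $User
            CallerMachine    = $caller
        }
    }
}
```

The `CallerMachine` column is the host that sent the bad credentials; from there you would look at that machine for the stale saved password, mapped drive, scheduled task or mobile device session the question describes. On a quiet domain the PDC emulator alone usually gives the answer; the loop over the other DCs covers the case where the originating DC logged more detail than the forwarded record.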

Typically, being locked out after changing the password is caused by saved or cached passwords on the client machine.


Another cause is the user changes the password while logged on elsewhere...

You can create a domain policy to prevent users from saving AD passwords within "MANAGED PASSWORDS" for terminal services and domain logons. This will help prevent users from being locked out. Also, when users change passwords (especially complex passwords) they often forget the new ones. Even I am guilty (like many admins I hope) of forgetting my complex passwords, often.
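To check the state this answer recommends, here is an added PowerShell example (not from the thread). The Group Policy setting "Network access: Do not allow storage of passwords and credentials for network authentication" writes `DisableDomainCreds = 1` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`; the script reports whether that value is in force on the machine it runs on and, using the built-in `cmdkey` tool (present on Windows XP SP2 / Server 2003 and later), lists the targets currently held in the user's Stored User Names and Passwords so stale entries can be removed after a password change. It assumes it is run in the affected user's session on the client machine.

```powershell
# Added example: audit whether domain credentials may be stored locally, and list what is stored.
# The policy "Network access: Do not allow storage of passwords and credentials for network
# authentication" sets DisableDomainCreds = 1 under HKLM\SYSTEM\CurrentControlSet\Control\Lsa.

function Get-StoredCredentialPolicy {
    $lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $value = 0
    # The value is absent when the policy has never been applied; treat absent as "storage allowed".
    if ($lsa.PSObject.Properties['DisableDomainCreds']) {
        $value = [int]$lsa.DisableDomainCreds
    }
    New-Object PSObject -Property @{
        Computer        = $env:COMPUTERNAME
        StorageDisabled = ($value -eq 1)
    }
}

# cmdkey /list prints one "Target: ..." line per saved entry for the current user.
# Run this in the session of the user whose account keeps locking out.
function Get-StoredCredentialTargets {
    cmdkey /list |
        Where-Object { $_ -match '^\s*Target:' } |
        ForEach-Object { ($_ -split ':\s*', 2)[1] }
}

Get-StoredCredentialPolicy
Get-StoredCredentialTargets
```

If `StorageDisabled` is `$false` and the target list shows an entry for a server or share, that saved password is a likely source of the repeated bad logons after a password change; `cmdkey /delete:<target>` removes an individual entry once the user has updated it.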