
Why are accounts frequently locked out? - Event ID 4740

We have frequent account lockouts that seem to be originating at users' workstations:

A user account was locked out.

Subject: Security ID: S-1-5-18

Account Name: DomainController$

Account Domain: NT_DOMAIN

Logon ID: 0x3e7

Account That Was Locked Out: Security ID: S-1-5-21-2030126595-979527223-1756834886-1337

Account Name: JohnS

Additional Information: Caller Computer Name: JohnS-PC

It affects only certain workstations on the domain, and we cannot pinpoint what is actually causing this behavior. We started noticing it last week, on the day we added a new routable UPN suffix to all domain users. We have no idea if this is the cause or just a coincidence - we've seen this happening before, but it was usually caused by phones or persistent network connections. Any ideas how to track down the problem?

Mohammed Khawaja, Manager - Infrastructure: Information Technology

Commented:
Are you sure it is not due to a mapped drive or something similar? Try this tool from SourceForge:
http://sourceforge.net/projects/adlockouts/

Author

Commented:
100% sure it is not a mapped drive or existing network connection. In a couple of cases we cleaned the stored credentials on the affected workstation and it fixed the problems. We have also noticed lots of Kerberos pre-authentication failed errors (event 5771) and account was logged off (event 4634). We enabled "Do not require Kerberos pre-authentication" on 2 accounts and it fixed the problem - not a single lockout.

Mohammed Khawaja, Manager - Infrastructure: Information Technology

Commented:
Stored credentials always become an issue after password changes, as do ActiveSync devices, which will require passwords to be changed.

Author

Commented:
100% right, but in this case we've cleared all stored credentials, and ActiveSync is not an issue in this case (we do not host our Exchange and are just preparing to implement federation).
Commented:
Long story short - we've found it was Outlook locking the accounts (we added the UPN suffix to prepare to implement AD federation service).
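
As an added example (not part of the thread and not from any tool mentioned in it): a parser for exported 4740 message text in the layout quoted in the question, which tallies lockouts per locked-out account and caller computer so the workstations generating them stand out. The function names and the sample events are constructed for illustration; only JohnS, JohnS-PC and the first SID come from the question.

```python
import re
from collections import Counter

EVENT_START = "A user account was locked out."
# The message has two "Account Name" fields: the Subject (the DC's machine
# account) and the locked-out user. Only the one after this header matters.
LOCKED = re.compile(r"Account That Was Locked Out:.*?Account Name:[ \t]*(\S+)", re.S)
CALLER = re.compile(r"Caller Computer Name:[ \t]*(\S*)")

# Constructed sample built from the layout in the question.
TEMPLATE = """A user account was locked out.
Subject: Security ID: S-1-5-18
Account Name: DomainController$
Account Domain: NT_DOMAIN
Logon ID: 0x3e7
Account That Was Locked Out: Security ID: {sid}
Account Name: {account}
Additional Information: Caller Computer Name: {caller}
"""
SAMPLE = "".join(
    TEMPLATE.format(sid=sid, account=account, caller=caller)
    for sid, account, caller in [
        ("S-1-5-21-2030126595-979527223-1756834886-1337", "JohnS", "JohnS-PC"),
        ("S-1-5-21-2030126595-979527223-1756834886-1337", "johns", "JOHNS-PC"),
        ("S-1-5-21-0-0-0-1001", "MaryK", ""),  # made-up user, blank caller
    ]
)

def parse_lockouts(text):
    """Yield (locked_account, caller_computer) for each 4740 message in text."""
    for chunk in text.split(EVENT_START)[1:]:
        locked = LOCKED.search(chunk)
        if not locked:
            continue  # truncated export: skip rather than guess
        caller = CALLER.search(chunk)
        # A blank caller name is reported as "(blank)" instead of being dropped.
        host = caller.group(1).upper() if caller and caller.group(1) else "(blank)"
        # AD account and computer names are case-insensitive, so normalise.
        yield locked.group(1).lower(), host

def lockout_sources(text):
    """Count lockouts per (account, caller computer) pair."""
    return Counter(parse_lockouts(text))

if __name__ == "__main__":
    for (account, host), count in lockout_sources(SAMPLE).most_common():
        print(f"{count:3d}  {account:<12} from {host}")
```
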