Why did Active Directory account get disabled?

Hello,

A high-profile user was unable to access network resources this morning.  Sounds like he was already logged on to the network for some time.  But he stopped being able to access network resources.  At this point he rebooted his PC.   After reboot, attempts to logon returned the following message:

The referenced account is currently locked out and may not be logged on to

Issue was quickly addressed by re-enabling this account.  However this is not a user who is likely to mistype his credentials multiple times.  I'm concerned about a potential attempt to login with his account.  Where can I check in Event Viewer or other tool to gather any information that may be of help to gather some detail?

Thanks in advance.

Regards,
Real-Time
realtimerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

AnthonyHamonCommented:
If you do not have any Active Directory auditing software then check the Security logs [in Event Viewer] on all of your domain controllers, filtering for logon failures.  If, however, your auditing policy is set not to record logon failures you will have nothing to go on.
0
Senior IT System EngineerIT ProfessionalCommented:
Hi realtimer,

You can cehck for the Security event ID 4740 in the domain controllers and also the reason of the failure codes as per my attached .PDF file.

I was into this problem before and it turns out to be the old iPhone or the iTunes software still using the old password.
quickref.pdf
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
LearnctxEngineerCommented:
There are a bunch of error codes to look for.

4625: Failed logon.
4740: Lockout event.
4768 (audit failure): Kerberos TGT failure.
4769 (audit failure): Kerberos service ticket failure.
4771: Kerberos Pre-authentication failure.
4776 (audit failure): NTLM failed logon.

Common causes for this can be anything from:

* Old logon sessions.
* Cached credentials (Outlook, Lync).
* Applications which store credentials, developer tools are notorious for this.
* Mobile devices like phones, tablets, etc.
0
realtimerAuthor Commented:
Hello,

I've gone through some of these steps and am still working on trying to isolate the source of the problem.

In the interim, what can I do to ensure that this one account does not get disabled regardless of the number of failed login attempts?

Thank you.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.