Why did Active Directory account get disabled?

Posted on 2016-09-06
Medium Priority
Last Modified: 2016-10-25

A high-profile user was unable to access network resources this morning.  Sounds like he was already logged on to the network for some time.  But he stopped being able to access network resources.  At this point he rebooted his PC.   After reboot, attempts to logon returned the following message:

The referenced account is currently locked out and may not be logged on to

Issue was quickly addressed by re-enabling this account.  However this is not a user who is likely to mistype his credentials multiple times.  I'm concerned about a potential attempt to login with his account.  Where can I check in Event Viewer or other tool to gather any information that may be of help to gather some detail?

Thanks in advance.

Question by:realtimer

Assisted Solution

AnthonyHamon earned 664 total points
ID: 41787013
If you do not have any Active Directory auditing software then check the Security logs [in Event Viewer] on all of your domain controllers, filtering for logon failures.  If, however, your auditing policy is set not to record logon failures you will have nothing to go on.

Accepted Solution

Senior IT System Engineer earned 672 total points
ID: 41787073
Hi realtimer,

You can cehck for the Security event ID 4740 in the domain controllers and also the reason of the failure codes as per my attached .PDF file.

I was into this problem before and it turns out to be the old iPhone or the iTunes software still using the old password.
LVL 19

Assisted Solution

Learnctx earned 664 total points
ID: 41787532
There are a bunch of error codes to look for.

4625: Failed logon.
4740: Lockout event.
4768 (audit failure): Kerberos TGT failure.
4769 (audit failure): Kerberos service ticket failure.
4771: Kerberos Pre-authentication failure.
4776 (audit failure): NTLM failed logon.

Common causes for this can be anything from:

* Old logon sessions.
* Cached credentials (Outlook, Lync).
* Applications which store credentials, developer tools are notorious for this.
* Mobile devices like phones, tablets, etc.

Author Comment

ID: 41804993

I've gone through some of these steps and am still working on trying to isolate the source of the problem.

In the interim, what can I do to ensure that this one account does not get disabled regardless of the number of failed login attempts?

Thank you.

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In this article, we will discuss how you can secure Active Directory using free tools, and how you can choose a safe and secure Active Directory security auditing tool.
One thing I've always found frustrating is no matter how many times one asks the end users to not save things on their local machines, they do it anyway.  Forget that we don't back up the desktops - only the servers.  Well, let's sneak their data on…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

624 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question