How to determine exactly what is locking out an Administrators account.

When accessing our servers it states "my" account is locked out.  I ran Netwrix Account lockout examiner and it shows me locked out.    How do I find out exactly "why" or "what" is locking me out?

I have other accounts I can log on as to run the tests
J.R. SitmanIT DirectorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mal OsborneAlpha GeekCommented:
Troll through the security event logs on your DCs, and you will see the story.  Event 4740 will be when the lockout happenens, and will contain some more information.

This can be caused by:
1. A machine left with a user logged on after a password change.
2. Hackers attacking a external port.  FTP servers, RDP servers, and SMTP servers are common ones; hackers try to attack by using "Administrator" as a username, and various common passwords. RDP is really back for this in my experience.
3. An actual heap of attempts to incorectly type in a password.
J.R. SitmanIT DirectorAuthor Commented:
There are no 4740 events.   There are also no repeated attempts to log in as Administrator.  As of this post, my account is not locked.

So I have no idea what caused it.
Peter HutchisonSenior Network Systems SpecialistCommented:
Other causes of lockouts:
1. Check Services.msc of any servers and check if any service is using Administrator as a Logon account.
2. Check Task Scheduler of any servers, and check if any tasks are running under the Administrator user.

Ideally you should create application specific accounts to run services or tasks.
Challenges in Government Cyber Security

Has cyber security been a challenge in your government organization? Are you looking to improve your government's network security? Learn more about how to improve your government organization's security by viewing our on-demand webinar!

Naveen SharmaCommented:
Check this blog which explains possible reasons of lockouts

You can also try Microsoft's  LockoutStatus.exe tool or LepideAuditor to investigate the reason of lockouts. Here is how LepideAuditor troubleshoots account lockouts.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
J.R. SitmanIT DirectorAuthor Commented:
@ Peter Hutchison, I will go through the services and task scheduler today.  I just wanted to say creating accounts for applications is an excellent idea.
J.R. SitmanIT DirectorAuthor Commented:
Thanks.  I will go through these.
Naveen SharmaCommented:
Here is an another article to troubleshoot Account Lockout in Active Directory:

Get help from this article to detect source of Account Lockouts in Active Directory:
J.R. SitmanIT DirectorAuthor Commented:
I used Microsoft Account Lockout.  My account is being locked from MSTSC.  It started at 11:03 pm Wednesday and the last one was Thursday 6:25 am.  
It also happened to the Administrator account and my assistant.

It is currently unlocked, but will most likely lock again.  

I checked and do not see any of these accounts logged in remotely.  

We have two Citrix servers, but they reboot every night so that would disconnect anyone.  

Where would I look for an MSTSC computer inside the domain?
J.R. SitmanIT DirectorAuthor Commented:
Here is the exact message

4740,AUDIT SUCCESS,Microsoft-Windows-Security-Auditing,Thu Apr 19 10:58:06 2018,No User,A user account was locked out.    Subject:   Security ID:  S-1-5-18   Account Name:  SPCALA292$   Account Domain:  LASPCA   Logon ID:  0x3e7    Account That Was Locked Out:   Security ID:  S-1-5-21-2125141960-1604992391-1749447093-2367   Account Name:  jsitman    Additional Information:   Caller Computer Name: MSTSC
Naveen SharmaCommented:
Did you enable auditing?

You can audit logins, for detailed description refer to this article:

Do you have any mobile devices that are connecting to your network using your network credentials?

Viruses can also do this from your own computer.

Check any services that you may have set up under your login that may contain a password.  

This could be on ANY workstation or server that you have used. This article will explain Common Causes for Account Lockouts – Resolution and Troubleshooting Steps

Troubleshooting account lockout the PSS way:

How to Trace the Source of a Bad Password and Account Lockout in AD:

For further, you can also enable more advanced auditing, by enabling "Network Security: Restrict NTLM: Audit Incoming NTLM Traffic"  -  Enable Auditing for all accounts & enabling "Network Security: Restrict NTLM: Audit Incoming NTLM in this domain."   - Enable all for DC in the problematic user's site etc.
J.R. SitmanIT DirectorAuthor Commented:
Even though it looked like an internal problem it was coming from the outside trying to access my account.  The Microsoft tool was helpful.

Thanks to all.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.