Account Lockout Troubleshooting Quick Reference Guide


Troubleshooting Persistent AD User Account Lockouts

Microsoft Active Directory is a core component of your infrastructure, controlling everything from security settings to Group Policy to user authentication. Each user’s Active Directory account controls their access to network drives and other resources, as well as their Windows settings and computer configurations.

To thwart attacks, most organizations set up an account lockout policy for user accounts: As soon as the bad password count for a particular user is exceeded, their Active Directory account gets locked. If your audit policy is enabled, you can find these events in the security log by searching for event ID 4740.

The security event log contains the following information:

  • Subject — Security ID, Account Name, Account Domain and Logon ID of the account that performed the lockout operation
  • Account that Was Locked Out — Security ID and account name of the locked-out account
  • Additional Information — Caller Computer Name, which is the name of the system from which the failed logon attempts were generated
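The following PowerShell snippet is an added example, not part of the original guide, showing how to pull the three pieces of information listed above out of event 4740. It queries the PDC emulator, because every lockout is processed there and so logged there, and reads the fields from the event XML rather than by positional index. It assumes the RSAT ActiveDirectory module is installed and that the caller has remote read access to the Security log on the PDC emulator; the 24-hour window is an arbitrary choice.

```powershell
# Added example (not from the original guide): collect recent 4740 lockout events
# from the PDC emulator and extract Subject, locked-out account and Caller Computer Name.
# Assumes: RSAT ActiveDirectory module; remote Security-log read rights on the PDC emulator.
Import-Module ActiveDirectory

# Lockouts are always processed by the PDC emulator, so its Security log is authoritative.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-24)   # look-back window, adjust as needed
}

Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read EventData by field name; the positional order is easy to get wrong.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated        = $_.TimeCreated
            # "Account That Was Locked Out" section of the event
            LockedAccount      = $data['TargetUserName']
            LockedAccountSid   = $data['TargetSid']
            # In event 4740 the Caller Computer Name is carried in the TargetDomainName field.
            CallerComputerName = $data['TargetDomainName']
            # "Subject" section: the account that performed the lockout (normally the DC itself)
            SubjectAccount     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            SubjectLogonId     = $data['SubjectLogonId']
        }
    } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Grouping the output by LockedAccount and CallerComputerName quickly shows whether one workstation keeps generating the failed attempts, which is usually the first clue in a persistent lockout investigation.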

To enable an account lockout policy, you need to change the default GPO settings.

To restore an employee’s access to the resources they need after their user account was locked, an AD administrator has to unlock it, either with the Active Directory Users and Computers console on a domain controller (DC), with a PowerShell script, or with dedicated account lockout and management tools for incident recovery.
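As an added example that is not part of the original guide, the script below shows the PowerShell route: list the accounts that are currently locked out, check the bad-password counters for one user on every DC (these counters are not replicated, so the DC with the highest count is the one receiving the failed attempts), and then unlock the account. It assumes the RSAT ActiveDirectory module and an account with rights to unlock users; `jsmith` is a placeholder sAMAccountName.

```powershell
# Added example (not from the original guide): find locked-out users, locate the DC that
# is seeing the bad password attempts, and unlock one account.
# Assumes: RSAT ActiveDirectory module; rights to unlock user accounts. 'jsmith' is a placeholder.
Import-Module ActiveDirectory

$pdc  = (Get-ADDomain).PDCEmulator
$user = 'jsmith'   # placeholder sAMAccountName

# 1. Enumerate every currently locked-out user account, queried against the PDC emulator
#    so the result is authoritative rather than one DC's possibly stale view.
Search-ADAccount -LockedOut -UsersOnly -Server $pdc |
    Select-Object Name, SamAccountName, LockedOut, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize

# 2. badPwdCount and LastBadPasswordAttempt are per-DC (non-replicated) attributes.
#    Querying each DC shows which one is receiving the failed logons.
Get-ADDomainController -Filter * | ForEach-Object {
    $dc = $_.HostName
    try {
        $u = Get-ADUser -Identity $user -Server $dc `
             -Properties badPwdCount, LastBadPasswordAttempt, LockedOut -ErrorAction Stop
        [pscustomobject]@{
            DC                     = $dc
            BadPwdCount            = $u.badPwdCount
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
            LockedOut              = $u.LockedOut
        }
    } catch {
        # DC unreachable or query failed; record it so the gap is visible.
        [pscustomobject]@{ DC = $dc; BadPwdCount = $null; LastBadPasswordAttempt = $null; LockedOut = $null }
    }
} | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize

# 3. Unlock the account once the source of the failed attempts has been dealt with.
Unlock-ADAccount -Identity $user -Server $pdc -Confirm:$false

# 4. Verify the lock actually cleared on the PDC emulator.
(Get-ADUser -Identity $user -Server $pdc -Properties LockedOut).LockedOut   # expect False
```

Unlocking before the source is fixed only buys a few minutes; step 2 is what points you at the DC, and from there at the workstation or service, that keeps sending the wrong credentials.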

Sometimes an AD account keeps locking out after each unlock. In this case, there is usually a bigger problem than a user trying to log in with the wrong password, such as:

  • Misconfiguration of applications or services on workstations
  • Server setup issues
  • Malicious actions by either external or internal parties, such as a dictionary attack

Persistent account lockout incidents require prompt investigation. Often, you have to track down the IP address or device name of the source of the lockout. Some common issues can be resolved by checking Credential Manager, unlocking the account via PowerShell or simply updating your PDC emulator.

This guide describes helpful tools for finding a locked account, determining the reason behind the lockout, and unlocking the account. It also lists the most common root causes of account lockouts and how to check each of them.