Microsoft Active Directory is a core component of your infrastructure, controlling everything from security settings to Group Policy to user authentication. Each user’s Active Directory account controls their access to network drives and other resources, as well as their Windows settings and computer configurations.
To thwart attacks, most organizations set up an account lockout policy for user accounts: as soon as the bad password count for a particular user exceeds the threshold, their Active Directory account gets locked. If your audit policy is enabled, you can find these events in the security log by searching for event ID 4740.
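A way to pull those 4740 events out of the security log and see which account was locked and which computer the lockout came from, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory RSAT module is installed and that the caller has rights to read the Security log on the domain controller; the function name and parameters are my own.

```powershell
# Added example (not from the original article): collect 4740 lockout events
# from the PDC emulator and summarize them per locked account and caller computer.
# Assumes the ActiveDirectory module (RSAT) and read access to the DC Security log.
Import-Module ActiveDirectory

function Get-LockoutEvents {
    param(
        [int]$MaxEvents = 100,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # Every lockout is recorded on the PDC emulator, so it is the one DC worth querying
    $pdc = (Get-ADDomain).PDCEmulator

    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = $Since
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the EventData fields by name instead of relying on their position
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time             = $e.TimeCreated
            LockedAccount    = $data['TargetUserName']
            # In event 4740 the TargetDomainName field carries the "Caller Computer Name"
            CallerComputer   = $data['TargetDomainName']
            DomainController = $pdc
        }
    }
}

# Usage: lockouts from the last 24 hours, grouped by the computer that caused them,
# so a single misbehaving workstation or service host stands out immediately
Get-LockoutEvents -Since (Get-Date).AddHours(-24) |
    Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Name, Count
```

Grouping by caller computer is usually the fastest way to tell a user mistyping a password (one source, a handful of events) from a stale credential on a server or scheduled task (one source, repeated lockouts right after every unlock).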
The security event log contains the following information:
To enable an account lockout policy, you need to change the default GPO settings.
To restore an employee’s access to the resources they need after their user account has been locked, an AD administrator has to unlock it, either with Active Directory Users and Computers on a domain controller (DC), with a PowerShell script, or with account lockout and management tools built for incident recovery.
Sometimes an AD account keeps locking out after each unlock. In this case, there is usually a bigger problem than a user trying to log in with the wrong password, such as:
Persistent account lockout incidents require prompt investigation. Often, you have to track down the IP address or device name of the source of the lockout. Some common issues can be resolved by checking Credential Manager, unlocking the account via PowerShell, or simply updating your PDC emulator.
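The investigation and unlock steps above, as an added PowerShell example that is not part of the original article: it lists currently locked accounts, shows the lockout policy the DC is enforcing, asks every domain controller how many bad passwords it has seen for the account (badPwdCount is not replicated, so the DC with the freshest count points toward the site the failed attempts are reaching), and then unlocks the account. It assumes the ActiveDirectory RSAT module and account-operator rights; the function names are my own.

```powershell
# Added example (not from the original article): triage and unlock a repeatedly
# locked account. Assumes the ActiveDirectory module (RSAT) and rights to unlock users.
Import-Module ActiveDirectory

# Which accounts are locked right now, and since when
function Get-LockedOutAccounts {
    Search-ADAccount -LockedOut -UsersOnly |
        Get-ADUser -Properties AccountLockoutTime, LastLogonDate |
        Select-Object SamAccountName, AccountLockoutTime, LastLogonDate
}

# The thresholds the default domain policy (set via GPO) is actually enforcing
function Get-LockoutPolicySummary {
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
}

# badPwdCount and the last bad-password time are per-DC values and never replicate,
# so querying each DC shows which one is receiving the failed attempts
function Get-BadPasswordSources {
    param([Parameter(Mandatory)][string]$SamAccountName)

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties badPwdCount, LastBadPasswordAttempt
        [pscustomobject]@{
            DomainController       = $dc.HostName
            Site                   = $dc.Site
            BadPwdCount            = $u.badPwdCount
            LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        }
    }
}

# Unlock the account and confirm the LockedOut flag has cleared
function Unlock-LockedAccount {
    param([Parameter(Mandatory)][string]$SamAccountName)

    Unlock-ADAccount -Identity $SamAccountName -Confirm:$false
    $after = Get-ADUser -Identity $SamAccountName -Properties LockedOut
    [pscustomobject]@{
        SamAccountName = $after.SamAccountName
        StillLockedOut = $after.LockedOut   # $false once the unlock has taken effect
    }
}

# Usage with a placeholder account name; substitute the account from the 4740 event
Get-LockoutPolicySummary
Get-LockedOutAccounts
Get-BadPasswordSources -SamAccountName 'jdoe' | Sort-Object LastBadPasswordAttempt -Descending
Unlock-LockedAccount  -SamAccountName 'jdoe'
```

If the account locks again within the observation window after the unlock, the per-DC bad-password view together with the caller computer name from event 4740 narrows the search to one host, which is where cached credentials (Credential Manager, mapped drives, services, scheduled tasks) should be checked.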
This guide describes helpful tools for finding a locked account, determining the reason behind the lockout, and unlocking the account. It also lists the most common root causes of account lockouts and how to check each of them.