How to Find Account Lockout Source


Native Auditing
Steps
  1. Open the PowerShell ISE → Run the following script, entering the name of the locked-out user:

Import-Module ActiveDirectory
$UserName = Read-Host "Please enter username"
#Get the PDC emulator, which records every account lockout in the domain
$PDC = (Get-ADDomainController -Filter * | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})
#Get user info (needed for the SID comparison below)
$UserInfo = Get-ADUser -Identity $UserName
#Search the PDC emulator for lockout events with ID 4740, newest first
$LockedOutEvents = Get-WinEvent -ComputerName $PDC.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
#Keep only the events whose TargetSid (Properties[2]) is this user's SID
Foreach($Event in $LockedOutEvents)
{
    If("$($Event.Properties[2].Value)" -eq $UserInfo.SID.Value)
    {
        $Event | Select-Object -Property @(
            @{Label = 'User'; Expression = {$_.Properties[0].Value}}
            @{Label = 'DomainController'; Expression = {$_.MachineName}}
            @{Label = 'EventId'; Expression = {$_.Id}}
            @{Label = 'LockoutTimeStamp'; Expression = {$_.TimeCreated}}
            #First line of the message text only
            @{Label = 'Message'; Expression = {$_.Message -split "`r" | Select-Object -First 1}}
            #Caller Computer Name: the machine the failed logons came from
            @{Label = 'LockoutSource'; Expression = {$_.Properties[1].Value}}
        )
    }
}

  2. Review the results to find the source of the lockout.
[Screenshot: PowerShell account lockout sources report]

Netwrix Auditor for Active Directory
Steps
  1. Run Netwrix Auditor → Navigate to "Search" → Specify the following criteria:
    • Filter – "What"
      Operator – "Contains"
      Value – "<account username>"
    • Filter – "Details"
      Operator – "Contains"
      Value – "Locked out"
  2. Click "Search" and review the results.
[Screenshot: Netwrix Auditor Interactive Search report showing account lockout sources]

Track Down an Account Lockout Source and the Reason behind It with PowerShell or Netwrix Auditor

Locking out an account after several failed authentication attempts is a common policy in a Microsoft Windows environment. Lockouts happen for a variety of reasons: a user enters the wrong password, a service keeps using expired cached credentials, Active Directory replication errors, incorrect shared drive mappings, disconnected terminal sessions on a Windows server, a mobile device accessing Exchange Server, and more.

Before you unlock the account, you need to find out why the lockout happened, so you can mitigate security risks and possibly prevent the same issue from recurring. PowerShell is a good tool for determining both the source of a lockout and the reason behind it: the script provided above searches for lockouts of a single user account by examining all events with ID 4740 in the Security log of the PDC emulator. The output contains the details needed for further investigation: the computer from which the lockout originated and the time when it happened.
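The following function is an added example and is not the script from this page or Netwrix's code. It generalizes the approach above in two ways: it restricts the query to a time window (so a busy Security log is not read in full) and, with the -AllDomainControllers switch, queries every domain controller rather than only the PDC emulator, which is useful when the PDC emulator's log has already rolled over. The function name, the parameter names and the account name 'jdoe' are assumptions made for this example.

```powershell
# Added example (not the page's script): find 4740 lockout events for one account.
# Assumes the ActiveDirectory module and rights to read the Security log on each DC.
function Get-AccountLockoutEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,  # account to investigate
        [int]$Hours = 24,                                # how far back to look
        [switch]$AllDomainControllers                    # query every DC, not just the PDC emulator
    )

    Import-Module ActiveDirectory -ErrorAction Stop
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop

    if ($AllDomainControllers) {
        $targets = (Get-ADDomainController -Filter *).HostName
    } else {
        # The PDC emulator normally receives a copy of every lockout in the domain
        $targets = (Get-ADDomainController -Filter * |
            Where-Object { $_.OperationMasterRoles -contains 'PDCEmulator' }).HostName
    }

    # Narrow the log read on the DC side instead of filtering everything client-side
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    foreach ($dc in $targets) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent throws rather than returning nothing when no event matches
            if ($_.Exception.Message -match 'No events were found') { continue }
            Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
            continue
        }

        foreach ($e in $events) {
            # Event 4740 EventData order: [0] TargetUserName, [1] TargetDomainName
            # (the "Caller Computer Name"), [2] TargetSid
            if ("$($e.Properties[2].Value)" -ne $user.SID.Value) { continue }

            [pscustomobject]@{
                User             = $e.Properties[0].Value
                LockoutSource    = $e.Properties[1].Value   # machine the failed logons came from
                DomainController = $e.MachineName
                LockoutTime      = $e.TimeCreated
                RecordId         = $e.RecordId
            }
        }
    }
}

# Usage ('jdoe' is a placeholder account name): newest lockouts first, across all DCs
Get-AccountLockoutEvent -SamAccountName 'jdoe' -Hours 48 -AllDomainControllers |
    Sort-Object LockoutTime -Descending |
    Format-Table User, LockoutSource, DomainController, LockoutTime -AutoSize
```

The LockoutSource column is the Caller Computer Name recorded in the 4740 event; it is the machine whose failed logon attempts triggered the lockout, and therefore the place to continue the investigation. Comparing the event's TargetSid to the user's SID, rather than matching on the user name, avoids false matches when one account name is a prefix of another.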

If you don’t want to bother with PowerShell, Netwrix Auditor provides two convenient ways to find account lockout sources. You can easily investigate a particular incident in detail using an interactive search, as illustrated above, or review all account lockouts for all users on all domain controllers in your environment in a single predefined report.