Windows domain account getting locked out - Can't find the real source

dimago 41 Reputation points
2021-03-08T17:38:20.693+00:00

I have a big problem that I need some help, please.

I have a Windows domain with AD, and it has 10 DCs in different networks. I have one specific user who, after he changed his password (password expiration due date), is getting locked out.

Looking at the logs I found 2 machines where he was "disconnected" in RDP, and I logged him out from there. The logs explicitly stated the machine name, so it was easy; let's call the domain controller for that region DC4. I just logged him out, and there were no more logs about those 2 machines.

But he is still getting locked out on DC5, and the logs show just the computer name of the domain controller, and of course he is not logged in there.

We have many integrations with other applications, using the LDAP protocol to authenticate users, etc. We basically use AD users/groups for everything.

I tried using Wireshark to see some logs but wasn't lucky; maybe I just used a bad filter, but for some integrations I have LDAPS...

We reverted his password back to the one before all of this started and he is fine, of course, but we need to figure this out.

So, is there another way to check the real source of the account lockout? In the Windows logs I was looking for event IDs 4740 and 4771. For DC4 there is only the 4740, which just names DC4 itself. I asked him to check for any script or something he has using his account, but he said he doesn't remember anything.

Any recommendation you guys have? I've tried different tools, like Account Lockout Status.

A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: DC4$
Account Domain: DOMAIN
Logon ID: 0x3E7
Account That Was Locked Out:
Security ID: DOMAIN\user_here
Account Name: user_here
Additional Information:
Caller Computer Name: DC4

Thank you!


Accepted answer
  1. Fan Fan 15,291 Reputation points Microsoft Vendor
    2021-03-09T01:34:31.597+00:00

    Hi,
    Since the event log showed that DC4 is the source DC, I would suggest you enable the following audit policy to get more details:
    [screenshot: 75556-392.jpg]
    Then, find the 4625 event on the source client computer and check the process of the locked account.
    Also, would you please share what IP address is displayed in the event 4771:
    [screenshot: 75578-391.jpg]

    Best Regards,


1 additional answer

  1. dimago 41 Reputation points
    2021-03-09T02:08:47.92+00:00

    Hi FanFan,

    I appreciate your help here and you saved my life with that 4625 event ID! So, let me explain.

    I'm getting 4740 and 4771 (which I was using to troubleshoot), but for this specific user I didn't see any 4771 anymore after I found 2 other boxes locking him out and logged him off. So no more 4771, but he was still getting locked out and only showing 4740 (the log I shared above).

    So, with your post and help I ended up finding the real source with event ID 4625 (I've taken note already to use this together with the other 2 event IDs hahaha), and that's what I found:


    An account failed to log on.
    Subject:
    Security ID: SYSTEM
    Account Name: DC4$
    Account Domain: DOMAIN
    Logon ID: 0x3E7
    Logon Type: 3
    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: user_here
    Account Domain: DOMAIN
    Failure Information:
    Failure Reason: Unknown user name or bad password.
    Status: 0xC000006D
    Sub Status: 0xC000006A
    Process Information:
    Caller Process ID: 0x2f0
    Caller Process Name: C:\Windows\System32\lsass.exe
    Network Information:
    Workstation Name: DC4
    Source Network Address: IP-Source-Locking
    Source Port: 36430
    Detailed Authentication Information:
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0


    So we finally found the root-cause server and were able to take action.

    Thank you so much!
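The procedure from the accepted answer (4740 on the DC, then 4625 on that DC for the source address and process) and the 4625 fields shown in the reply above, automated as an added PowerShell example that is not code from the thread. It assumes $User is the locked-out account's sAMAccountName, a 24-hour default window, and that failure auditing for the Logon subcategory is enabled on the DCs.

```powershell
# Added example: correlate 4740 lockouts with the 4625 failed logons behind them.
# Assumptions (not from the thread): $User and $Hours are placeholders; failure auditing
# for the "Logon" subcategory is enabled on the DCs
# (auditpol /set /subcategory:"Logon" /failure:enable), otherwise no 4625 is written.
param(
    [Parameter(Mandatory)][string]$User,
    [int]$Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)

# Step 1: every lockout (4740) is recorded on the PDC emulator. Its "Caller Computer Name"
# is only the DC that saw the bad password, which is why the question's 4740 names DC4.
$pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} | Where-Object { $_.Properties[0].Value -eq $User }   # TargetUserName

foreach ($lock in $lockouts) {
    $sourceDc = $lock.Properties[1].Value   # TargetDomainName = Caller Computer Name
    [pscustomobject]@{ Time = $lock.TimeCreated; Event = 4740; SourceDC = $sourceDc }

    # Step 2: on that DC, read the failed logons (4625) for the same account. Sub Status
    # 0xC000006A means wrong password; Source Network Address and Caller Process Name
    # point at the real origin (a service, script or stale credential on some host).
    Get-WinEvent -ComputerName $sourceDc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } | Where-Object { $_.Properties[5].Value -eq $User } | ForEach-Object {
        $p = $_.Properties   # EventData fields of 4625, in schema order
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Event       = 4625
            LogonType   = $p[10].Value
            SubStatus   = '0x{0:X8}' -f [int64]($p[9].Value)
            Workstation = $p[13].Value
            Process     = $p[18].Value   # Caller Process Name
            SourceIP    = $p[19].Value   # Source Network Address
            SourcePort  = $p[20].Value
        }
    }
}
```

A Source Network Address that resolves to an application server with an LDAP integration, as in this thread, is the host to check for the stored old password.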