Account Lockout Due to failed attempts

create share 666 Reputation points
2020-08-03T12:37:19.957+00:00

Hi,

My Domain Account was suddenly locked out. How can I find out from which pc someone tried to log in to my account before it got locked out?

Thanks.

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,671 questions
0 comments No comments
{count} votes

Accepted answer
  1. Fan Fan 15,351 Reputation points Microsoft Vendor
    2020-08-04T00:01:32.903+00:00

    Hi,
    Welcome to post on the Q&A platform.
    Usually, for troubleshooting account lockout issue, we should follow the general troubleshooting steps below. For your reference :
    1. Enable audit policies for each DC then gather audit event from PDC. Check the vent 4740.
    To configure the audit policy under
    [Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management] 
    2. According to the audit events on PDC determine which clients or DCs sent the failed authentication request. If the failed authentication request was sent by a DC, then we should gather the audit event on the DC. So we can find out which clients sent the BAD password.
    3.  After we get the workstations IP, then we need enable Audit Logon Events – Failure and Audit Process Tracking for this client, then analyze the event log to find out which process or apps send the BAD password.
    15345-8041.jpg
    Note: we need increase security log size before we enable audit. It will overwrite previous log when the security log size is so small.

    Account lockout troubleshot link:https://social.technet.microsoft.com/wiki/contents/articles/23497.active-directory-troubleshooting-frequent-account-lockout.aspx
    Fan

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.