How to find authentication failures leading to account lockout Win2019

Paul H 1 Reputation point
2023-02-24T14:49:00.5633333+00:00

Windows Server 2019, single domain
We have a user that mysteriously locks out several times a day. I can watch the account status with the LockOutStatus tool from the ALTools provided by Microsoft; however, I cannot find the source of the authentication failures. When I look in the logs for event 4625, there are 10 events there for a different user, never more than those 10 events. This is across two domain controllers, even when the LockOut tool shows failed login attempts for the problem user.

There are sites that suggest turning on failure auditing in the GPO for the domain controllers; however, the GPO is set to "Success,Failure", so technically speaking what we need there is enabled.

What else can I try to find out where these failures are originating from? I am about to download a trial version of ADAudit Plus to see if that tool can help find the problem.


1 answer

  1. Thameur-BOURBITA 32,501 Reputation points
    2023-02-26T22:00:37.61+00:00

    Hi @Paul H

    You have to enable auditing on all your domain controllers to be able to identify the source of the lockout from the Event Viewer on the PDC and the DC where the user is locked. This is the only method to identify the source of the account lockout.

    Other third-party tools (like Change Auditor) are based on events generated on the domain controllers after enabling the logon audit.

    Please don't forget to mark helpful answer as accepted

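As an added example (not part of the original thread), one way to read the domain controller events the answer refers to is to query the Security log on the PDC emulator and on every DC from PowerShell. It assumes the ActiveDirectory module and remote event log access; the event IDs 4740 (account locked out), 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation) do not appear in the thread, and `jdoe` is a placeholder account name.

```powershell
#Requires -Modules ActiveDirectory
# Added example: $User and $Hours are illustrative placeholders, not values from the thread.
param(
    [string]$User  = 'jdoe',   # placeholder sAMAccountName of the account that locks out
    [int]   $Hours = 24        # how far back to search
)

$since = (Get-Date).AddHours(-$Hours)

# Turn an event record's <EventData> into a name -> value hashtable.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# 1) Lockout events (4740) on the PDC emulator.
#    In 4740 the TargetDomainName field carries the caller computer name.
#    Note: SilentlyContinue hides "no events found" but also hides connection errors.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.TargetUserName -eq $User) {
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $pdc; Id = 4740
                               Source = $f.TargetDomainName; Status = 'locked out' }
        }
    }

# 2) Failed authentications on every DC: 4771 (Kerberos) and 4776 (NTLM).
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since } |
        ForEach-Object {
            $f = Get-EventFields $_
            # 4776 is also logged for successful validations (Status 0x0); skip those.
            if ($f.TargetUserName -eq $User -and $f.Status -ne '0x0') {
                # 4771 records the client IpAddress; 4776 records the Workstation name.
                $src = if ($_.Id -eq 4771) { $f.IpAddress } else { $f.Workstation }
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; Id = $_.Id
                                   Source = $src; Status = $f.Status }
            }
        }
}
```

Event 4625 is written on the machine where the logon was attempted, so a domain controller often has few of them; the 4771 and 4776 records on the DCs are where the failing client address or workstation name usually shows up.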