Security Log not showing every event log

Question

My organization has a Windows server 2012r2. Last few days we have observed that some accounts are getting locked for unknown due reasons. After 5 minutes it's unlocked again according to domain policy. My concern is as follows:

1. When I look into Event Log/Windows log/Security and look for Event ID-4740. It's generating a 3/4 event log where my locked user count is above 10. I have looked at the Advance audit policy parameter. but did not find any relevant policy settings for it.
2. Every time I refresh the security log it shows a number of counts that increase/decrease in real-time. Besides in every refresh also event id 4740 also goes disappear. Is it happing due to any policy? is this behavior known to anyone? your expertise and opinion really needed. Thank you!

Answer 1

Hello there,

We can run the LockoutStatus.exe on domain controller to identify and investigate the account lockout issue

The common causes for account lockouts are:

Programs with cached credentials or active threads that retain old credentials

Service accounts passwords cached by the service control manager

User is logged in on multiple computers or disconnected remote terminal server sessions

Scheduled tasks

Active Directory delayed replication

The below thread discusses the same issue and you can try out some troubleshooting steps from this and see if that helps you to sort the Issue.

https://social.technet.microsoft.com/Forums/en-US/6c45363d-fbdf-49c2-a29a-9f1b7263aaab/question-domain-account-is-getting-locked-and-source-unknown?forum=winservergen

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer--