Account lock out in Exchange server 2016 DAG environment with AD

azhar Nasim 0 Reputation points
2023-03-20T04:50:04.07+00:00

Tracing account lockouts in Event Viewer shows that the source IP is the Exchange server or a domain controller. Tracking was done by event 4740. Accounts are continuously being locked out. How can we troubleshoot this further? I used the Microsoft Account Lockout tool, but it has very limited information about the source IP.


2 answers

  1. SUNOJ KUMAR YELURU 14,216 Reputation points MVP
    2023-03-20T09:44:49.2566667+00:00

    Hello @azhar Nasim

    Thank you for using Q & A forum.

    This event ID will contain the source computer of the lockout.

    Refer to the solution already provided at the link below.

    Using PowerShell to Find the Source of Account Lockouts

    1. Open the Group Policy Management console. This can be from the domain controller or any computer that has the RSAT tools installed.
    2. Modify the Default Domain Controllers Policy

    If this answers your query, do click Accept Answer and Up-Vote for the same. And, if you have any further query do let us know.


  2. Limitless Technology 44,331 Reputation points
    2023-03-20T14:17:33.6233333+00:00

    Hello there,

    I'd recommend going into your IIS logs and finding the timestamp of that event to locate the IP address. Check to make sure POP3/IMAP hasn't been enabled in Exchange, for an old phone or such.

    A lot of the lockouts will be cached credentials in Windows in Credential Manager. You can try to remove the local Windows credentials and see if the problem persists.

    Copy the below line

    rundll32.exe keymgr.dll,KRShowKeyMgr

    Windows Key+R > CTRL+V to paste the above-copied line and Enter

    Here you can delete the stored passwords

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer–

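The IIS-log check suggested in the second answer, as an added example that is not part of the original thread: it parses W3C-format IIS log lines and lists the client IPs and user agents behind 401 responses for the locked-out account in the minutes before the 4740 event. The account name, addresses, timestamps and log lines are constructed, and matching the account in `cs-username` or in a `User=` query-string parameter is an assumption of this example.

```powershell
# Added example. Constructed sample data: account, lockout time and log lines are made up.
$account    = 'jdoe'                              # hypothetical locked-out account
$lockoutUtc = [datetime]'2023-03-20 04:41:30'     # event 4740 time, already converted to UTC
$window     = [timespan]::FromMinutes(5)          # how far back to look (assumption)

$iisLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus
2023-03-20 04:38:02 10.0.0.10 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=jdoe&DeviceType=Phone 443 - 192.0.2.77 Constructed-Phone/1.0 401 1
2023-03-20 04:39:40 10.0.0.10 POST /EWS/Exchange.asmx - 443 CONTOSO\jdoe 192.0.2.77 Constructed-Phone/1.0 401 1
2023-03-20 04:40:05 10.0.0.10 GET /owa/ - 443 CONTOSO\asmith 192.0.2.15 Mozilla/5.0 200 0
2023-03-20 03:10:00 10.0.0.10 POST /EWS/Exchange.asmx - 443 CONTOSO\jdoe 192.0.2.90 Constructed-Client/2.0 401 1
'@ -split "`r?`n"

function Get-IisAuthFailure {
    param([string[]]$Lines, [string]$Account, [datetime]$LockoutUtc, [timespan]$Window)
    $fields  = @()
    $inQuery = 'User=' + [regex]::Escape($Account) + '(&|$)'
    foreach ($line in $Lines) {
        # The #Fields directive names the columns; the set can differ per server.
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*').Trim() -split '\s+'; continue }
        if ($line -like '#*' -or -not $line.Trim()) { continue }
        $values = $line.Trim() -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }      # skip truncated or mismatched lines
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        $when = [datetime]::ParseExact("$($row['date']) $($row['time'])", 'yyyy-MM-dd HH:mm:ss',
                                       [cultureinfo]::InvariantCulture)
        # Account may appear as DOMAIN\user in cs-username or as User=<name> in the query string.
        $isUser = (($row['cs-username'] -split '\\')[-1] -eq $Account) -or ($row['cs-uri-query'] -match $inQuery)
        if ($row['sc-status'] -eq '401' -and $isUser -and
            $when -ge ($LockoutUtc - $Window) -and $when -le $LockoutUtc) {
            [pscustomobject]@{ TimeUtc = $when; ClientIp = $row['c-ip']
                               UserAgent = $row['cs(User-Agent)']; Uri = $row['cs-uri-stem'] }
        }
    }
}

# Summarise which client address and user agent produced the failed logons.
$hits = @(Get-IisAuthFailure -Lines $iisLog -Account $account -LockoutUtc $lockoutUtc -Window $window)
$hits | Group-Object ClientIp, UserAgent | Sort-Object Count -Descending | Select-Object Count, Name
```

Against a real server, pass the function the lines of the IIS log for the lockout day and the 4740 event's `TimeCreated` converted with `ToUniversalTime()`, since IIS logs in UTC by default. If Exchange sits behind a load balancer or reverse proxy, `c-ip` will be that device's address rather than the client's.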
