How can I find the source of a repeated Active Directory locked-out user?

Dennis Topo Jr 0 Reputation points

Hello all...I'm writing to see if someone can shed some light on a tricky account locked user issue I'm having.

The user in question's AD account will get locked out randomly and repeatedly throughout the day. Her phone credentials are fine - no services etc running on her workstation. 

I've enabled logging using this article as a guide

What is strange is that with all the locked-out events for this user (4740) found on the PDC, there is not a single 4625 (failed logon) event for her user (on the DCs). How then would the account become locked, unless I have not enabled logging as I should? I've checked for failed logons on our DCs and her workstation.

There was a single failed logon event found in the security log of her workstation - that's it - compared to the many account lockouts throughout the day. Wouldn't all the failed logon attempts be recorded on the DCs? I don't know what I'm missing. The lockout events (4740) do not show the "CallerComputer" name - that is blank.

I'm quite perplexed! Any help is appreciated!

Thanks ...Dennis

FYI - DCs are 2016 server, the main workstation in question is Win 11, and we use AD\NPS to auth our on-prem wireless devices as well as for Single Sign-On with ADFS and Secure LDAP.


2 answers

  1. Ivica Milanovic 1 Reputation point

    Have you tried a tool like this one:

    Account Lockout and Management Tools


  2. Thameur-BOURBITA 16,586 Reputation points

    Hi @Dennis Topo Jr

    An event should be generated on the domain controller where the user tries to log on with a bad password.

    For your information, the user account can also be locked if he tries using an unsupported authentication protocol.

    Please don't forget to mark the helpful answer as accepted.
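
The following PowerShell is an added example, not code from any poster in this thread. It pulls the lockout (4740) and failed-logon (4625) events discussed above from every DC for one account, and also checks 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation), which the thread does not mention but which DCs record, when the corresponding audit subcategories are enabled, for credentials they validate on behalf of another machine. The account name `jdoe`, the 24-hour window and the use of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: collect lockout-related Security events for one account from every DC.
# Assumptions: RSAT ActiveDirectory module is installed, the caller may read the
# DCs' Security logs, and 'jdoe' is a placeholder sAMAccountName.
Import-Module ActiveDirectory

$User  = 'jdoe'                      # placeholder account name
$Since = (Get-Date).AddHours(-24)    # look-back window

# 4740 = account locked out, 4625 = failed logon,
# 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation
$Ids = 4740, 4625, 4771, 4776

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $Ids; StartTime = $Since
        }
    } catch {
        # Also reached when a DC simply has no matching events in the window
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Flatten <EventData> into a name/value table
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Prefix match so both 'jdoe' and 'jdoe@domain' forms are kept
        if ($d['TargetUserName'] -notlike "$User*") { continue }

        # 4776 is logged for successes too; keep failures only
        if ($e.Id -eq 4776 -and $d['Status'] -eq '0x0') { continue }

        [pscustomobject]@{
            Time   = $e.TimeCreated
            DC     = $dc.HostName
            Id     = $e.Id
            # The field naming the source differs per event type
            Source = switch ($e.Id) {
                4740 { $d['TargetDomainName'] }   # displayed as "Caller Computer Name"
                4625 { "$($d['WorkstationName']) $($d['IpAddress'])" }
                4771 { $d['IpAddress'] }
                4776 { $d['Workstation'] }
            }
            Status = $d['Status']
        }
    }
}
$results | Sort-Object Time | Format-Table -AutoSize
```

Sorting by time places each 4740 next to the failures that preceded it, so the DC and source address or workstation that drove the lockout can be read off directly even when the 4740 itself has a blank caller computer name.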