Hello all...I'm writing to see if someone can shed some light on a tricky account locked user issue I'm having.
The user in question's AD account will get locked out randomly and repeatedly throughout the day. Her phone credentials are fine - no services etc running on her workstation.
I've enabled logging using this article as a guide:
https://4sysops.com/archives/find-the-source-of-account-lockouts-in-ad/
What is strange is that with all the locked out events for this user (4740) found on the PDC - there is not a single 4625 (failed logon) event for her user (on the DCs). How then would the account become locked - unless I have not enabled logging as I should? I've checked for failed logons on our DCs and her workstation.
There was a single failed logon event found in the security log of her workstation - that's it - compared to the many account lockouts throughout the day. Wouldn't all the failed logon attempts be recorded on the DCs? I don't know what I'm missing. The lockout events (4740) do not show the "CallerComputer" name - that is blank.
I'm quite perplexed! Any help is appreciated!
Thanks ...Dennis
FYI - DCs are 2016 server - main workstation in question is Win 11... and we use AD\NPS to auth our on-prem wireless devices as well as for single sign-on with ADFS and Secure LDAP.
Have you tried a tool like this one:
Account Lockout and Management Tools
https://www.microsoft.com/en-us/download/details.aspx?id=18465
Hi @Dennis Topo Jr
An event should be generated on the domain controller where the user tries to log on with a bad password.
For your information, the user account can also be locked if he tries using an unsupported authentication protocol.
Please don't forget to mark the helpful answer as accepted.
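
The check discussed in this thread, as an added example that is not part of any poster's reply or of the linked tools: a PowerShell script that collects lockout (4740) and failed-authentication events for one account from every domain controller and shows which field names the source. It goes beyond the event IDs named in the thread by also reading 4771 and 4776, where a DC records Kerberos pre-authentication and NTLM validation failures; the account name `jdoe`, the 24-hour window and the presence of the ActiveDirectory module are assumptions.

```powershell
# Added example. Assumptions: the RSAT ActiveDirectory module is installed, the
# caller can read the Security log on every DC, and 'jdoe' is a placeholder.
Import-Module ActiveDirectory

$User  = 'jdoe'                       # hypothetical sAMAccountName
$Since = (Get-Date).AddHours(-24)
# 4740 lockout, 4771 Kerberos pre-auth failure, 4776 NTLM validation, 4625 failed logon
$Ids   = 4740, 4771, 4776, 4625

function Get-EventField {
    # Return one named <Data> value from a record's EventData, or $null if absent/empty.
    param($Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = $Ids; StartTime = $Since }
    } catch {
        # Also raised when no event on this DC matches the filter.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # 4771 stores the account in TargetName; the other three use TargetUserName.
        $nameField = if ($e.Id -eq 4771) { 'TargetName' } else { 'TargetUserName' }
        $account   = Get-EventField $e $nameField
        if (($account -split '@')[0] -ne $User) { continue }   # 4776 may log user@domain
        # The field that identifies the source differs per event ID.
        $source = switch ($e.Id) {
            4740 { Get-EventField $e 'TargetDomainName' }   # displayed as "Caller Computer Name"
            4771 { Get-EventField $e 'IpAddress' }
            4776 { Get-EventField $e 'Workstation' }
            4625 { '{0} / {1}' -f (Get-EventField $e 'WorkstationName'), (Get-EventField $e 'IpAddress') }
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated; DC = $dc.HostName; Id = $e.Id
            Account = $account;       Source = $source
            Status  = Get-EventField $e 'Status'   # failure code; empty for 4740
        }
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize
```

Events 4771 and 4776 are only written when failure auditing is enabled for the "Audit Kerberos Authentication Service" and "Audit Credential Validation" subcategories on the DCs. A 4625 is logged on the machine where the logon was attempted, which for network authentications is usually the member server (for example the NPS or ADFS host) rather than the DC.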