It's easy to find the source computer of an account lockout, but finding the application is tricky and time-consuming. Please follow the guide which helps me,
How can I find the source of a repeated Active Directory locked-out user?
Hello all...I'm writing to see if someone can shed some light on a tricky account locked user issue I'm having.
The user in question's AD account will get locked out randomly and repeatedly throughout the day. Her phone credentials are fine - no services etc running on her workstation.
I've enabled logging using this article as a guide
https://4sysops.com/archives/find-the-source-of-account-lockouts-in-ad/
What is strange is with all the locked out events for this user (4740) found on the PDC - there is not a single 4625 (failed logon) event for her user (on the DCs). How then would the account become locked - unless I have not enabled logging as I should. I've checked for failed logons on our DCs and her workstation.
There was a single failed logon event found on the security log of her workstation - that's it - compared to the many account lockouts throughout the day. Wouldn't all the failed logon attempts be recorded on the DCs? I don't know what I'm missing. The lockout events (4740) do not show the "CallerComputer" name - that is blank.
I'm quite perplexed - ! Any help is appreciated !
Thanks ...Dennis
FYI - DCs are 2016 server - main workstation in question is Win 11... and we use AD\NPS to auth our on-prem wireless devices as well as for Single Sign on with ADFS and Secure LDAP.
-
Ivica Milanovic 1 Reputation point
2023-05-20T20:34:11.68+00:00
Have you tried a tool like this one:
Account Lockout and Management Tools
https://www.microsoft.com/en-us/download/details.aspx?id=18465
-
Thameur-BOURBITA 32,496 Reputation points
2023-05-20T22:21:28.97+00:00
Hi @Dennis Topo Jr
An event should be generated on the domain controller where the user tries to log on with a bad password.
For your information, the user account can also be locked if he tries using an unsupported authentication protocol.
Please don't forget to mark the helpful answer as accepted
-
Richard Millin 1 Reputation point
2023-12-07T14:22:22.14+00:00
I have persistent account lockout problems in my domain. The Account Lockout Tool is showing one of the DCs as being the DC the lockout occurred on, however, no 4740 events are being generated for this particular user.
I'm looking at enabling account lockout auditing via GPO to see if this can generate any deeper insight - https://4sysops.com/archives/find-the-source-of-account-lockouts-in-ad/
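The correlation this thread is attempting, as an added example that is not part of any post above: it lines up each 4740 lockout with the failure events that preceded it on any DC, reading 4625 as well as 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation), which domain controllers log for bad passwords when the matching audit subcategories are enabled. The sample events, the jdoe account, the host names and the function names are all constructed for illustration.

```powershell
# Added example. All events below are constructed; names (jdoe, DC01, PHONE-01) are made up.
# Real input: Get-WinEvent -ComputerName <dc> -FilterHashtable @{LogName='Security';
#             Id=4740,4625,4771,4776} | ForEach-Object { $_.ToXml() }   (run against each DC)
function ConvertFrom-LogonEventXml([string]$Xml) {
    $e = ([xml]$Xml).Event
    $f = @{}
    foreach ($d in $e.EventData.Data) { $f[$d.Name] = $d.'#text' }
    # The field that names the origin differs per event ID.
    $src = switch ([int]$e.System.EventID) {
        4740 { $f['TargetDomainName'] }   # displayed as "Caller Computer Name"
        4625 { if ($f['WorkstationName']) { $f['WorkstationName'] } else { $f['IpAddress'] } }
        4771 { $f['IpAddress'] }          # Kerberos pre-authentication failed
        4776 { $f['Workstation'] }        # NTLM credential validation
    }
    if (-not $src) { $src = '<blank>' }   # keep blank callers visible instead of dropping them
    [pscustomobject]@{
        Time = ([datetime]$e.System.TimeCreated.SystemTime).ToUniversalTime()
        Id = [int]$e.System.EventID; DC = $e.System.Computer
        User = $f['TargetUserName']; Status = $f['Status']; Source = $src
    }
}
function Get-LockoutTimeline([string[]]$EventXml, [string]$User, [int]$WindowMinutes = 30) {
    # Status 0x0 on a 4776 is a successful validation, so it is not a lockout cause.
    $ev = $EventXml | ForEach-Object { ConvertFrom-LogonEventXml $_ } |
          Where-Object { $_.User -eq $User -and $_.Status -ne '0x0' } | Sort-Object Time
    foreach ($lock in $ev | Where-Object Id -eq 4740) {
        $fail = $ev | Where-Object { $_.Id -ne 4740 -and $_.Time -le $lock.Time -and
                                     $_.Time -ge $lock.Time.AddMinutes(-$WindowMinutes) }
        [pscustomobject]@{
            LockedAt = $lock.Time; LoggedOn = $lock.DC; Caller = $lock.Source
            Failures = @($fail | Group-Object { "$($_.Id) from $($_.Source) on $($_.DC)" } |
                         ForEach-Object { "$($_.Name) x$($_.Count)" })
        }
    }
}
function New-SampleEvent($Id, $Time, $Dc, [hashtable]$Data) {   # builds constructed input
    $d = ($Data.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><EventID>$Id</EventID>" +
    "<TimeCreated SystemTime='$Time'/><Computer>$Dc</Computer></System><EventData>$d</EventData></Event>"
}
$sample = @(
    New-SampleEvent 4776 '2023-05-20T14:01:05Z' 'DC02' @{ TargetUserName='jdoe'; Workstation='PHONE-01'; Status='0xc000006a' }
    New-SampleEvent 4776 '2023-05-20T14:01:40Z' 'DC02' @{ TargetUserName='jdoe'; Workstation='PHONE-01'; Status='0xc000006a' }
    New-SampleEvent 4771 '2023-05-20T14:02:10Z' 'DC02' @{ TargetUserName='jdoe'; IpAddress='::ffff:192.0.2.25'; Status='0x18' }
    New-SampleEvent 4740 '2023-05-20T14:02:11Z' 'DC01' @{ TargetUserName='jdoe'; TargetDomainName='' }
)
Get-LockoutTimeline -EventXml $sample -User 'jdoe' | Format-List
```

Failure events are written only on the DC that handled each attempt, so the XML has to be collected from every DC and not just the PDC emulator that records the 4740.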