How can I find the source of a repeatedly locked-out Active Directory user?

Dennis Topo Jr 0 Reputation points
2023-05-20T19:52:06.63+00:00

Hello all... I'm writing to see if someone can shed some light on a tricky locked-out account issue I'm having.

The user in question's AD account gets locked out randomly and repeatedly throughout the day. Her phone credentials are fine, and there are no services, etc., running on her workstation.

I've enabled logging using this article as a guide

https://4sysops.com/archives/find-the-source-of-account-lockouts-in-ad/

What is strange is that, with all the lockout events for this user (4740) found on the PDC, there is not a single 4625 (failed logon) event for her user on the DCs. How then would the account become locked, unless I have not enabled logging as I should? I've checked for failed logons on our DCs and her workstation.

There was a single failed logon event found in the security log of her workstation, that's it, compared to the many account lockouts throughout the day. Wouldn't all the failed logon attempts be recorded on the DCs? I don't know what I'm missing. The lockout events (4740) do not show the "CallerComputer" name; that is blank.

I'm quite perplexed! Any help is appreciated!

Thanks ...Dennis

FYI: DCs are Server 2016, the main workstation in question is Win 11, and we use AD\NPS to authenticate our on-prem wireless devices as well as for single sign-on with ADFS and Secure LDAP.
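As an added example (not from the original post or the linked article): a PowerShell script that pulls the 4740 events for the user from the PDC emulator and lines each one up with the credential-validation failures recorded on every DC in the two minutes before it. Two points matter when reading the logs. A DC writes 4625 only for logons to the DC itself; a bad password submitted through a workstation, NPS or ADFS reaches the DC as 4771 (Kerberos pre-authentication failed, Status 0x18) or 4776 (NTLM credential validation, Status 0xC000006A), so the absence of 4625 on the DCs is expected. And in 4740 the "Caller Computer Name" shown in the message is carried in the TargetDomainName data field, which is often blank when the client that submitted the credentials did not supply a workstation name. The account name, lookback and correlation window are parameters; the script assumes the ActiveDirectory module and remote Security-log read access on each DC.

```powershell
# Added example, not code from the original post. Correlates 4740 lockouts on the PDC
# emulator with 4771/4776/4625 failures on every DC. Assumes: ActiveDirectory module,
# remote event log (RPC) access to each DC, and a user name passed in -User (hypothetical).
param(
    [Parameter(Mandatory)] [string] $User,  # sAMAccountName of the locked-out account
    [int] $Hours = 24,                      # how far back to look for 4740 events
    [int] $WindowSeconds = 120              # failures within this many seconds before each lockout
)

Import-Module ActiveDirectory

$pdc  = (Get-ADDomain).PDCEmulator
$dcs  = (Get-ADDomainController -Filter *).HostName
$from = (Get-Date).AddHours(-$Hours)

# Flatten the EventData section of an event into a hashtable keyed by each Data element's Name.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml = [xml] $Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 1. Lockouts. 4740 is written on the PDC emulator. Quirk: the "Caller Computer Name"
#    in the message body is stored in the TargetDomainName data field.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$from} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        if ($d.TargetUserName -eq $User) {
            [pscustomobject]@{ Time = $_.TimeCreated; CallerComputer = $d.TargetDomainName }
        }
    }

if (-not $lockouts) { Write-Host "No 4740 events for $User on $pdc in the last $Hours h"; return }

# 2. Failures. A DC logs 4625 only for logons to the DC itself; domain credential
#    validation failures appear as 4771 (Kerberos pre-auth, Status 0x18 = bad password)
#    or 4776 (NTLM, Status 0xC000006A = bad password, 0xC0000234 = already locked out).
$failures = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='Security'; Id=4771,4776,4625; StartTime=$from} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d.TargetUserName -ne $User) { return }
            # 4771 identifies the client by IP; 4776 uses Workstation, 4625 uses WorkstationName.
            $src  = if ($_.Id -eq 4771) { $d.IpAddress } elseif ($_.Id -eq 4776) { $d.Workstation } else { $d.WorkstationName }
            $stat = if ($_.Id -eq 4625) { $d.SubStatus } else { $d.Status }
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; Id = $_.Id; Source = $src; Status = $stat }
        }
}

# 3. Join: for each lockout, list the failures that precede it by at most $WindowSeconds.
foreach ($l in ($lockouts | Sort-Object Time)) {
    "==== Lockout {0:u}  CallerComputer='{1}'" -f $l.Time, $l.CallerComputer
    $failures |
        Where-Object { $_.Time -le $l.Time -and $_.Time -ge $l.Time.AddSeconds(-$WindowSeconds) } |
        Sort-Object Time |
        Format-Table Time, DC, Id, Source, Status -AutoSize
}
```

Run it as `.\Find-LockoutSource.ps1 -User jdoe` from a host with RSAT. The Source column from the DC that processed the bad password is the next hop: for a wireless client behind NPS or a browser behind ADFS it will name the NPS or ADFS server rather than the user's device, so the hunt continues in that server's own logs (NPS accounting or ADFS audit events) rather than on the DCs.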


4 answers

  1. Santosh Suryawanshi 5 Reputation points
    2023-10-11T16:21:10.71+00:00

    It's easy to find the source computer of an account lockout, but finding the application is tricky and time-consuming. Please follow the guide that helped me:

    https://www.azurehowtos.com/2023/10/Step%20by%20Step%20guide%20how%20to%20find%20source%20Computer%20and%20Application%20of%20Account%20lockout.html


  2. Ivica Milanovic 1 Reputation point
    2023-05-20T20:34:11.68+00:00

    Have you tried a tool like this one:

    Account Lockout and Management Tools

    https://www.microsoft.com/en-us/download/details.aspx?id=18465


  3. Thameur-BOURBITA 32,496 Reputation points
    2023-05-20T22:21:28.97+00:00

    Hi @Dennis Topo Jr

    An event should be generated on the domain controller where the user tries to log on with a bad password.

    For your information, the user account can also be locked if they try using an unsupported authentication protocol.


    Please don't forget to mark the helpful answer as accepted.



  4. Richard Millin 1 Reputation point
    2023-12-07T14:22:22.14+00:00

    I have persistent account lockout problems in my domain. The Account Lockout Tool is showing one of the DCs as being the DC the lockout occurred on, however, no 4740 events are being generated for this particular user.

    I'm looking at enabling account lockout auditing via GPO to see if this can generate any deeper insight: https://4sysops.com/archives/find-the-source-of-account-lockouts-in-ad/
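As an added example (not from the original thread): before hunting for missing events, confirm on every DC that the audit subcategories which produce them are actually on. 4740 needs "User Account Management" success auditing, 4771 needs "Kerberos Authentication Service" failure auditing, 4776 needs "Credential Validation" failure auditing, and 4625 on a DC needs "Logon" failure auditing. The script below reads the effective policy on each DC with `auditpol /get ... /r` (CSV output), reports each subcategory's setting, and prints the `auditpol /set` command for anything missing. It assumes the ActiveDirectory module, WinRM to each DC, and the English subcategory names.

```powershell
# Added example, not code from the original thread. Checks the audit subcategories
# behind 4740/4771/4776/4625 on every DC. Assumes: ActiveDirectory module, PowerShell
# remoting to each DC, English-locale subcategory names.
Import-Module ActiveDirectory

# Subcategory -> the Security event it produces that matters for the lockout hunt.
$required = [ordered]@{
    'User Account Management'         = '4740 account locked out (written on the PDC emulator)'
    'Kerberos Authentication Service' = '4771 Kerberos pre-authentication failed'
    'Credential Validation'           = '4776 NTLM credential validation'
    'Logon'                           = '4625 logon failure on the DC itself'
}
# 4740 is a success-audit event; 4771, 4776 and 4625 are failure-audit events.
$wanted = @{
    'User Account Management'         = 'Success'
    'Kerberos Authentication Service' = 'Failure'
    'Credential Validation'           = 'Failure'
    'Logon'                           = 'Failure'
}

$dcs = (Get-ADDomainController -Filter *).HostName

# Read the effective policy on each DC. auditpol /r emits CSV with an "Inclusion Setting"
# column holding "Success", "Failure", "Success and Failure" or "No Auditing".
$report = Invoke-Command -ComputerName $dcs -ArgumentList @(,[string[]]$required.Keys) -ScriptBlock {
    param([string[]] $Subcategories)
    foreach ($sub in $Subcategories) {
        $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
        [pscustomobject]@{
            DC          = $env:COMPUTERNAME
            Subcategory = $sub
            Setting     = $row.'Inclusion Setting'
        }
    }
}

$report | Sort-Object DC, Subcategory | Format-Table DC, Subcategory, Setting -AutoSize

# Flag every DC/subcategory pair whose setting does not include the needed direction.
$missing = $report | Where-Object { $_.Setting -notmatch $wanted[$_.Subcategory] }
foreach ($m in $missing) {
    "{0}: '{1}' is '{2}', need {3} for {4}" -f $m.DC, $m.Subcategory, $m.Setting, $wanted[$m.Subcategory], $required[$m.Subcategory]
    # Local fix. If Advanced Audit Policy is managed by GPO this is overwritten at the next
    # refresh; set it in the GPO instead (Computer Configuration > Policies > Windows Settings
    # > Security Settings > Advanced Audit Policy Configuration).
    "  auditpol /set /subcategory:`"{0}`" /{1}:enable" -f $m.Subcategory, $wanted[$m.Subcategory].ToLower()
}
```

The setting check uses a substring match on purpose: "Success and Failure" satisfies both "Success" and "Failure", while "No Auditing" satisfies neither. If a DC shows "No Auditing" for User Account Management, that DC will never write 4740 regardless of what the lockout tool reports, which is the situation described above.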