Can domain controller be the source device for the account locked out?

Kunal Kant Sahu 0 Reputation points
2024-02-29T09:46:44.2866667+00:00

Can domain controller be the source device for the account locked out?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,460 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Thameur-BOURBITA 32,831 Reputation points
    2024-02-29T10:57:09.3966667+00:00

    Hi @Kunal Kant Sahu

    Yes it can. You should find the source on the event viewer on domain controller where the user has been locked.

    4771 event id - kerberos auth failed

    In some cases , when the source is not windows machine (proxy , network equipement , appliance ..ect) it's possible to see also the IP of domain controller or nothing in the event viewer.

    User's image


    Please don't forget to accept helpful answer

    0 comments No comments

  2. Yanhong Liu 8,220 Reputation points Microsoft Vendor
    2024-03-04T08:44:42.4433333+00:00

    Hello Kunal Kant Sahu,

    Thank you for posting in Q&A forum.

    Yes, a domain controller can be the source device for an account lockout. This typically occurs when there are multiple failed authentication attempts on the domain controller itself, either due to incorrect password entry or multiple failed logon attempts. When this happens, the domain controller logs the relevant account lockout details under Event ID 4740 under the "Security" log under the Event Viewer.

    If you are unable to see event ID 4740 on the domain controller. You need to enable the audit policy on the DC. “Enable Audit Account Lockout”, “Audit Login”, “Audit Logout Policy”, under “Computer Configuration” – “Policies” – “Windows Settings” – “Security Settings” – “Advanced Audit Policies” – “Login/Logout”. Also enable "Audit Account Management" in the "Account Management" section: Success. I hope the information above is helpful. If you have any question or concern, please feel free to let us know. Best Regards, Yanhong Liu


    If the Answer is helpful, please click "Accept Answer" and upvote it.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.