This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(51.2, 90%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)
Hello all, thanks for reading and attempting to help,
I have been having an ongoing issue for the past month or so with having my account get locked multiple times throughout the day due to error listed in the title. Every time it happens I go check event viewer for my DC but it isn't very helpful, it doesn't even list a workstation where the failed credentials is coming from. I've read similar posts and have tried removing all cached credentials (on all devices), making sure I have no scheduled/startup tasks using my account, etc. I also haven't mapped any new drives or anything. Nothing has worked.
I'm thinking some service or something is using outdated password but I cannot for the life of me figure this out. Any suggestions or ideas would be greatly appreciated. Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 62%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDZ%3C/text%3E%3C/svg%3E)
Hello Andrew Saliba,
Thank you for posting in Q&A forum.
Do you have more than one Domain Controller in this domain? If so, maybe the account was locked on multiple DCs, we can check the security log (event ID 4776 and event ID 4740) about this account on non-PDC.
Please check the "Account Lockout threshold" value, and if "Account Lockout threshold" value is 5, you will see 5 entries event IDs of 4776 and then you will see the event ID of 4740, 4740 means the account is locked out.
Please check if you can see "caller computer name" through event 4776 or event ID 4740.
The first thing we should check is: which machine the account is locked on, then we can check which app/program is using the wrong credential of this account, at last, we can delete/remove the wrong credential on specific app/program.
I hope the information above is helpful.
If you have any questions or concerns, please feel free to let us know.
Best Regards,
Daisy Zhou
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
Yes, there are multiple DCs on the domain. The originator of the lockout is almost always our Primary DC. It will usually lock me out of all DC's (8 in total) except the two DC's that are in my state for some reason.
I remote into that primary DC to check the security logs and get the aforementioned errors. It doesn't give me a workstation in the details nor does it give me a program. I do see C:\Windows\System32\svchost.exe as caller process name but nothing for Caller Computer Name. I know that means it's a service, but how do I see which services are using credentials to authenticate?
Found out the issue. Deleted my NPS certificate for dot1x Wi-Fi certificate on my server and that fixed it.