Frequent lockout issue of AD account xyz

Mohd Arif 946 Reputation points
2024-11-26T10:45:38.1433333+00:00

I have an account XYZ in our AD. It is getting locked frequently. The lockout source is our AD server DC01, but the user has just Domain Users permission and hence cannot log in to our AD server. We have configured an NPS server on the AD server for Wi-Fi authentication. We have Quest Change Auditor in place to track the lockout events. Quest tracks Windows machines well, but if the lockout comes from a mobile phone it does not track it. So for user xyz, I see the lockout source is DC01 in the Quest Change Auditor tool. I suspect some mobile device is causing the lockout and hence NPS (DC01) is showing as the source.

  1. XYZ is being locked by DC01 as per the Quest Change Auditor tool.
  2. We disabled Wi-Fi access for XYZ; after that the account was OK.
  3. We enabled Wi-Fi access for XYZ again and the account started getting locked.
  4. Our Quest server is not catching the device name; every time the lockout source is our AD server. In such a case the suspicious device is a mobile phone.
  5. I had logged a case with MS but they also did not find anything. The case is now closed by MS.

1 answer

Yanhong Liu 13,665 Reputation points Microsoft Vendor
    2024-11-27T07:40:23.07+00:00

    Hello

    Thank you for posting in Q&A forum.

    An account is usually locked out because the account has changed its password but the device has not been updated and is still sending login requests, so the first thing we need to do is find the device and clear the cached credentials. Make sure the user clears any cached credentials on their mobile device and re-authenticates with the updated password.

    You can also go to DC01 >>> open Event Viewer >>> Security log >>> find the 4771 or 4776 events which relate to this user and check the source; this way you can find the source machine.

    Best regards

    Yanhong

    =====================================

    If the answer is helpful, please click "Accept answer" and upvote it

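A way to do the log check from the answer above in one pass, as an added example that is not part of the original question or answer: it reads the DC's Security log for the account name and prints the source each event reports. It goes one step beyond the answer by also including 4740 (the lockout itself) and 6273 (NPS denied access), because on a DC that also runs NPS the Kerberos/NTLM events usually name the NPS host itself as the source, while the 6273 event carries the Wi-Fi client's MAC address. The account name `xyz`, the 24-hour window and the event field names are assumptions for this example; run it on DC01 with an account that can read the Security log.

```powershell
# Added example, not from the original post. Assumes it runs on DC01 (the DC that
# also hosts NPS) under an account allowed to read the Security log.
param(
    [string]$User  = 'xyz',   # sAMAccountName of the account that keeps locking (from the question)
    [int]   $Hours = 24       # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

# Security events of interest on a DC that also hosts NPS:
#   4740 account locked out      -> TargetDomainName = computer that submitted the bad passwords
#   4771 Kerberos pre-auth failed -> IpAddress = client; Status 0x18 = wrong password
#   4776 NTLM credential check    -> Workstation = client name; 0xC000006A = wrong password
#   6273 NPS denied access        -> CallingStationID = Wi-Fi client MAC, ClientIPAddress = AP/controller
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740, 4771, 4776, 6273
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the named EventData fields from the event XML instead of parsing message text
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # NPS events name the user in SubjectUserName; the logon events use TargetUserName
    $target = if ($e.Id -eq 6273) { $data['SubjectUserName'] } else { $data['TargetUserName'] }
    # Match "xyz", "DOMAIN\xyz" and "xyz@domain" forms
    if ($target -notmatch "(^|\\)$([regex]::Escape($User))(@|$)") { continue }

    switch ($e.Id) {
        4740 { $src = $data['TargetDomainName']; $detail = 'account locked out' }
        4771 { $src = $data['IpAddress'];        $detail = "status $($data['Status'])" }
        4776 { $src = $data['Workstation'];      $detail = "status $($data['Status'])" }
        6273 { $src = $data['CallingStationID']; $detail = "via $($data['ClientIPAddress']) ($($data['ClientName'])), reason $($data['ReasonCode'])" }
    }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Account = $target
        Source  = $src
        Detail  = $detail
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
```

If the 4776 rows all name DC01 itself as the workstation while 6273 rows for the same minute show one Calling Station Identifier, that MAC address is the device still holding the old password; the Wi-Fi controller's client table maps it to a phone or laptop, which is the device whose saved Wi-Fi profile needs the new password.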
