User locked out event ID 4740 caller machine name blank

Anonymous
2024-04-11T13:46:13+00:00

We have a user that is being locked out of her account every few minutes. We have looked at the machines and cleared all the password caches as well as checked 365 and even rebooted all suspect machines she may have signed in on, but still we unlock the account and within a few minutes she is locked out again. I looked at the event viewer event ID 4740 to try to narrow down the computer causing the lockout, but the Caller Machine is not being displayed on any of these events for any users. Has anyone seen this before and know why and how to resolve it?

Windows for business | Windows Server | Directory services | Active Directory

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question. To protect privacy, user profiles for migrated questions are anonymized.


5 answers

  1. Anonymous
    2024-04-12T08:03:20+00:00

    Hi Jeremy Robertson1,

    Thank you for posting in the Microsoft Community Forums.

    After the account is locked, determine on which domain controller the account is locked:

    a. Please note that the account will only be locked out on one domain controller, and then this lockout action will be replicated to other domain controllers as an emergency.

    b. On any domain machine, download and install lockoutstatus.exe: Download Account Lockout Status (LockoutStatus.exe) from Official Microsoft Download Center

    c. You can refer to the document: "How to use the LockoutStatus.exe Tool" in http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

    d. Double click on the tool, click File -> select target, enter the username and domain information, and click OK. (Here the username is the locked AD account.) You can see all the DCs in the domain where users are being sent incorrect passwords to authenticate.

    If you find the wrong password verification on both the PDC and a normal DC, it means the wrong password verification may be done on the normal domain controller and then sent to the PDC for confirmation.

    Here is another reference about ID4740 A user account was locked out:

    4740(S) A user account was locked out. - Windows 10 | Microsoft Learn

    You can check whether you can see event ID 4771 (Kerberos Authentication) or event ID 4776 (NTLM authentication) before the event ID 4740 is generated on the Domain Controllers. If so, you can check whether there is a caller computer name in event ID 4771 or event ID 4776.

    Best regards

    Neuvi Jiang

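The 4771/4776 check suggested in the answer above, as an added example that is not part of the original thread. It assumes an elevated session with access to the domain controller's Security log and that Kerberos Authentication Service and Credential Validation auditing are enabled; `jdoe` is a placeholder account name.

```powershell
# Added example: list lockouts (4740) next to the failed authentications that
# preceded them (4771 Kerberos pre-auth, 4776 NTLM validation) for one account,
# showing the source recorded by each event type.
param(
    [string]$User         = 'jdoe',               # placeholder sAMAccountName
    [string]$ComputerName = $env:COMPUTERNAME,    # DC to query, ideally the PDC emulator
    [int]$HoursBack       = 4
)

$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4771, 4776
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
    ForEach-Object {
        $evt = $_

        # Flatten the named <Data> elements of the event into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }

        # 4776 may log "user@domain"; compare on the part before the '@'.
        $name = ("$($data['TargetUserName'])" -split '@')[0]
        if ($name -ne $User) { return }

        # Each event type stores the origin of the attempt in a different field.
        $source = switch ($evt.Id) {
            4740 { $data['TargetDomainName'] }   # shown as "Caller Computer Name"
            4771 { $data['IpAddress'] }          # client address, e.g. ::ffff:10.0.0.5
            4776 { $data['Workstation'] }        # "Source Workstation"
        }
        if (-not $source) { $source = '(blank)' }

        [pscustomobject]@{
            Time    = $evt.TimeCreated
            EventId = $evt.Id
            Status  = $data['Status']   # 0x18 (4771) or 0xC000006A (4776) = bad password
            Source  = $source
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

A 4771 row carries a client IP address even when the 4740 caller name is blank, which gives a starting point for finding the device.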
  2. Anonymous
    2024-04-12T13:25:50+00:00

    I am quite familiar with how to trace a lockout. I have the lockout tool already and have even gone as far as to install ManageEngine ADAudit Plus, but the problem is the caller machine name is blank and there are no event ID 4625 entries. This means I have been unable to determine where the user is being locked out so I can try to resolve the issue.

    3 people found this answer helpful.
  3. Anonymous
    2024-09-12T17:43:30+00:00

    Having similar issues with several users but unable to find the source. Were you able to figure out how to locate that?

  4. Anonymous
    2024-09-19T20:30:47+00:00

    In my experience, it usually originates from a non-domain device attempting to authenticate. I see it most when a user has their personal device attempting to connect to internal Wi-Fi but they have changed their password. The device retries repeatedly to reconnect using their old password, resulting in a lockout.

  5. Anonymous
    2024-09-20T11:08:31+00:00

    I assume the basics have been done but I'll post them anyway.

    Clearing Credential Manager on the end user's corp laptop can be a good start.

    Removing Outlook or any related stuff that's connected with her account on the phone.

    If that's already checked:

    Then maybe looking up the Azure sign-in logs for login attempts.

    I think it's probably coming from a device which is outside of the domain.
