Multiple account lockouts

efg20 6 Reputation points
2021-07-29T20:19:07.127+00:00

Hello,

This morning we started to receive reports of user accounts getting locked out. Out of the 230 user accounts we have, 10 have reported problems getting locked out so far, but I'm afraid that number will grow very soon. I used the Lockout Status tool to monitor a few of these accounts and they are registering 1 bad password attempt every 2 minutes. After 5 attempts, the account gets locked out. I had one particular user shut down his laptop and mobile device to see if the bad password attempts continued to register, and they did. He states he doesn't use his personal devices/machines at home to log into anything that uses his network credentials. I'm kind of at a loss on how the bad password attempts continue to occur if his work laptop and personal mobile device are turned off.

We rebooted all 3 of our domain controllers and the following event ID is coming up for the users who have reported this problem:
Audit Failure
Event ID 4771
Source: Microsoft Windows security auditing
Task category: Kerberos Authentication Service


1 answer

  1. Anonymous
    2021-07-30T00:10:55.17+00:00

    Hi,

    Regarding the issue of the domain accounts being locked, here is some common troubleshooting advice:

    First, look for event 4740 on the domain controller; the source computer can be found through this event (each domain controller needs to be checked for this event). If it is not there, you need to enable the account management audit policy for the domain controllers, in [Computer Configuration \ Windows Settings \ Security Settings \ Local Policies \ Audit Policy \ Audit account management].

    Then, find the 4625 events on the source client computer and check the process for the locked account. If there are no 4625 events on the source computer, you need to enable the following audit events:
    [screenshot: 119222-image.png]

    Track this client, then analyze the event log to find out which process or app is sending the bad password.

    If there is any progress, you are welcome to share it here!

    Best Regards,
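
The procedure in the answer above, sketched as a PowerShell script. This is an added example, not code from the thread; the script parameters `$User` and `$Hours` and the helper names `Get-EventFields` and `Find-UserEvent` are hypothetical. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read the Security log remotely on the domain controllers and on the client it identifies.

```powershell
# Added example (hypothetical script and parameter names, not from the thread).
# Assumes the ActiveDirectory RSAT module and remote read access to Security logs.
param(
    [Parameter(Mandatory)] [string] $User,   # sAMAccountName of the locked-out account
    [int] $Hours = 24                        # how far back to search
)
$since = (Get-Date).AddHours(-$Hours)

# Flatten an event's <EventData> into a name/value hashtable.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# Read one computer's Security log for one event ID; keep only events for $User.
function Find-UserEvent($Computer, $Id) {
    $filter = @{ LogName = 'Security'; Id = $Id; StartTime = $since }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Get-EventFields $_
            if ($f['TargetUserName'] -eq $User) {
                $f['Time'] = $_.TimeCreated; $f['LoggedOn'] = $Computer
                [pscustomobject]$f
            }
        }
}

$dcs = (Get-ADDomainController -Filter *).HostName

# Step 1: 4740 on every DC. The "Caller Computer Name" is stored in TargetDomainName.
$lockouts = @($dcs | ForEach-Object { Find-UserEvent $_ 4740 })
$lockouts | Select-Object Time, LoggedOn, @{ n = 'CallerComputer'; e = { $_.TargetDomainName } } |
    Format-Table -AutoSize

# The 4771 failures from the question: IpAddress is the client that sent the request,
# Status 0x18 means the pre-authentication data (the password) was wrong.
$dcs | ForEach-Object { Find-UserEvent $_ 4771 } |
    Group-Object IpAddress, Status | Select-Object Count, Name | Format-Table -AutoSize

# Step 2: 4625 on each caller computer, to see which process submitted the logon.
$callers = $lockouts.TargetDomainName | Where-Object { $_ } | Sort-Object -Unique
foreach ($pc in $callers) {
    Find-UserEvent $pc 4625 |
        Select-Object Time, LoggedOn, LogonType, ProcessName, LogonProcessName, IpAddress, SubStatus |
        Format-Table -AutoSize
}
```

If the 4740 events carry an empty caller name, the `IpAddress` values grouped from 4771 are the remaining lead to the machine sending the attempts. `-ErrorAction SilentlyContinue` also hides access and connectivity errors, so an empty result from a computer does not by itself prove the events are absent.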

