How to determine the reason for an account lockout in Active Directory?
Hello! Could you please advise how to determine the exact reason for an account lockout in Active Directory? We have a policy set up to lock accounts after 5 failed password attempts, but the user claims they didn’t enter incorrect passwords. Nevertheless, their account was locked. I’ve already unlocked it, but I’d like to understand the reason for the lockout. I checked event 4625 in the Security log, but there are indeed no entries there. What other event logs or locations should I check to determine the cause of the account lockout in AD? Thank you in advance for your help.
When an account in Active Directory is locked out, the main reason is almost always related to failed authentication attempts that exceed the threshold set by the lockout policy. To determine the exact cause of the lockout, you need to check the security logs on domain controllers, especially Event ID 4740, which is logged specifically on domain controllers (unlike Event ID 4625, which is only visible on client computers).
- Main methods for determining the cause of lockouts
- Step-by-step instructions for finding the source of lockouts
- Common causes of account lockouts
- Additional tools and diagnostic methods
- Preventing repeated lockouts
Main methods for determining the cause of lockouts
The main method for determining the cause of a lockout is analyzing the security logs on domain controllers, where Event ID 4740 is logged. This event contains important information about which account was locked out and from which computer the lockout occurred.
Unlike Event ID 4625, which you checked on the client computer and which is not always visible during a lockout, Event ID 4740 is always logged on the domain controller acting as the PDC Emulator. This is where the main information about the account lockout is located.
Important: Event ID 4740 contains a ‘TargetUserName’ field with the name of the locked user and a ‘ClientName’ field with the name of the computer that initiated the lockout.
Step-by-step instructions for finding the source of lockouts
Step 1: Determine the domain controller with the PDC Emulator role
- Open PowerShell as an administrator
- Run the command:
Get-ADDomain | Select-Object PDCEmulator
This command will show you which domain controller is acting as the PDC Emulator - that’s where you need to look for lockout events.
Step 2: Search for Event ID 4740 in the security log
- Connect to the domain controller with the PDC Emulator role
- Open “Event Viewer”
- Go to “Windows Logs” → “Security”
- In the event filter, specify Event ID 4740
- Analyze the found events:
| Event Parameter | Value | Description |
|------------------|----------|----------|
| Event ID | 4740 | Account locked out |
| TargetUserName | Username | Locked account |
| ClientName | Computer name | Computer that initiated the lockout |
| LogonType | Logon type | 2 - Interactive, 3 - Network, 4 - Batch, etc. |
| Workstation Name | Workstation name | Computer from which the logon was attempted |
| Caller Process Name | Initiating process | User process or service |
Step 3: Analyze the logon type (LogonType)
The logon type specified in event 4740 helps determine the cause of the lockout:
- LogonType 2 (Interactive) - logon attempts from an interactive session
- LogonType 3 (Network) - network authentication (shared folders, printers)
- LogonType 4 (Batch) - batch processing (scheduler tasks)
- LogonType 8 (NetworkCleartext) - authentication in clear text
- LogonType 9 (NewCredentials) - using new credentials
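The following script ties Steps 1 to 3 together. It is an added example, not part of the original answer: it locates the PDC Emulator, pulls the 4740 events for one account, and then reads the 4625 failures from each computer named as the caller so the logon type and the submitting process can be seen side by side. It assumes the RSAT ActiveDirectory module, administrative rights on the domain controller and on the source computers, remote event log access, and that "Audit Logon" failures are enabled on the source computers (otherwise there are no 4625 events to read, which is the situation described in the question). The parameter name `$SamAccountName` and the script name are placeholders.

```powershell
# Added example (not from the original answer): trace one user's lockouts from the
# PDC Emulator's 4740 events back to the originating computer's 4625 events.
# Assumes: RSAT ActiveDirectory module, admin rights on the DC and the source computers,
# remote event log access allowed. $SamAccountName is a placeholder parameter.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [int] $Hours = 24
)

Import-Module ActiveDirectory

# Step 1: every lockout is forwarded to the PDC Emulator, so query it rather than an arbitrary DC
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)

# Step 2: 4740 = account locked out. Properties[0] is TargetUserName and Properties[1] is the
# caller computer name, the same indexes the answer's own Get-WinEvent command uses.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; ID = 4740; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $SamAccountName } |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $_.Properties[0].Value
            ClientName = ($_.Properties[1].Value -replace '^\\\\', '')   # strip a leading \\ if present
        }
    }

if (-not $lockouts) {
    Write-Host "No 4740 events for $SamAccountName on $pdc in the last $Hours h"
    return
}
$lockouts | Format-Table -AutoSize

# Step 3: on each originating computer, read the 4625 failures that preceded the lockout and
# group them by logon type and by the process that submitted the credentials.
# Logon type names are the standard Windows values (the answer's list plus a few common ones).
$logonTypes = @{ '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock';
                 '8'='NetworkCleartext'; '9'='NewCredentials'; '10'='RemoteInteractive'; '11'='CachedInteractive' }

foreach ($client in ($lockouts.ClientName | Sort-Object -Unique)) {
    # look 30 minutes before the first lockout seen from this computer
    $first  = $lockouts | Where-Object ClientName -eq $client | Sort-Object Time | Select-Object -First 1
    $window = $first.Time.AddMinutes(-30)
    Write-Host "`n== 4625 events on $client since $window =="
    try {
        Get-WinEvent -ComputerName $client -FilterHashtable @{
            LogName = 'Security'; ID = 4625; StartTime = $window
        } -ErrorAction Stop |
        ForEach-Object {
            # parse the EventData fields by name instead of relying on positional indexes
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                TargetUser  = $d['TargetUserName']
                LogonType   = "$($d['LogonType']) ($($logonTypes[$d['LogonType']]))"
                Process     = $d['ProcessName']
                Workstation = $d['WorkstationName']
                SubStatus   = $d['SubStatus']   # 0xC000006A = wrong password, 0xC0000234 = already locked out
            }
        } |
        Where-Object TargetUser -eq $SamAccountName |
        Group-Object LogonType, Process |
        Select-Object Count, Name |
        Sort-Object Count -Descending |
        Format-Table -AutoSize
    } catch {
        Write-Warning "Could not read the Security log on ${client}: $($_.Exception.Message)"
    }
}
```

Save it as, for example, `Find-LockoutSource.ps1` and run `.\Find-LockoutSource.ps1 -SamAccountName jdoe -Hours 48`. The grouping is the useful part: a run of failures with LogonType 4 and a `taskeng.exe`/`svchost.exe` process points at a scheduled task, LogonType 3 from a workstation with no interactive session points at a mapped drive or printer, and LogonType 10 points at a saved RDP connection.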
Common causes of account lockouts
1. Saved outdated credentials
The most common cause is applications or devices that store old user credentials, such as:
- Outlook or other email clients
- RDP connections with saved passwords
- Shared network folders with automatic connection
- Mobile devices with cached passwords
- Browsers with saved passwords
2. Scheduled tasks and services
Windows Task Scheduler often uses accounts to automatically execute tasks:
- Check scheduled tasks on user computers:
Get-ScheduledTask -TaskPath "\" | Where-Object {$_.Settings.StartWhenAvailable -eq $true}
- Pay attention to tasks that run under the user account
3. Network connections and printers
Old network connections or printers may try to use invalid credentials:
- Disconnected network drives
- Removed network printers
- Virtual applications that save passwords
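Once the 4740 event has named the computer, the three causes above can be checked on that computer with one inventory pass. The script below is an added example and not part of the original answer: run it locally, as an administrator, on the computer named in the 4740 event, and it lists the scheduled tasks, services, mapped drives, network printers and saved Credential Manager entries that reference the locked-out account. It assumes the `ScheduledTasks`, `SmbShare` and `PrintManagement` modules present on current Windows versions; `$LockedUser` is a placeholder parameter.

```powershell
# Added example (not from the original answer): inventory the usual holders of stale
# credentials on the computer named in the 4740 event. Run locally as an administrator.
# $LockedUser is a placeholder parameter (sAMAccountName of the locked-out account).
param([Parameter(Mandatory)] [string] $LockedUser)

$hits = [System.Collections.Generic.List[object]]::new()
function Add-Hit($Source, $Detail) {
    $hits.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
}

# 1. Scheduled tasks whose principal is the locked-out user (cause 2 in the answer)
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Principal.UserId -like "*$LockedUser" } |
    ForEach-Object { Add-Hit 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) (State: $($_.State))" }

# 2. Windows services configured to log on as that user
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like "*$LockedUser*" } |
    ForEach-Object { Add-Hit 'Service' "$($_.Name) runs as $($_.StartName)" }

# 3. Mapped network drives of the current session; a disconnected mapping still
#    re-authenticates silently on every access (cause 3)
Get-SmbMapping -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Hit 'MappedDrive' "$($_.LocalPath) -> $($_.RemotePath) ($($_.Status))" }

# 4. Network printer connections (queues hosted on a print server)
Get-Printer -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'Connection' } |
    ForEach-Object { Add-Hit 'NetworkPrinter' $_.Name }

# 5. Credentials saved in Credential Manager (cause 1). cmdkey lists targets and user names
#    only, never the secrets. Saved RDP connections appear as TERMSRV/<host>.
$target = $null
foreach ($line in (cmdkey /list 2>$null)) {
    if ($line -match '^\s*Target:\s*(.+)$') {
        $target = $Matches[1].Trim()
    } elseif ($line -match '^\s*User:\s*(.+)$' -and $Matches[1] -like "*$LockedUser*") {
        Add-Hit 'SavedCredential' "$target (user $($Matches[1].Trim()))"
    }
}

if ($hits.Count -eq 0) {
    Write-Host "Nothing on $env:COMPUTERNAME references $LockedUser; check mail clients, browsers and mobile devices next."
} else {
    $hits | Format-Table -AutoSize
}
```

Mapped drives and Credential Manager entries are per user profile, so run the script inside the session of the user who logs on to that computer (or of each user, on a shared machine); the task and service checks are machine-wide and need an elevated prompt.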
4. Malware or attacks
If the lockout occurs from many different computers, it may be a sign of:
- Brute-force attacks on the account
- Malware using credentials
- Compromised account by attackers
Additional tools and diagnostic methods
Enabling advanced Netlogon logging
For more detailed diagnostics, you can enable Netlogon debugging on the PDC Emulator:
- Open the registry on the PDC Emulator
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
- Create a DWORD parameter named EnablePdcDebugLogging with a value of 1
- Restart the Netlogon service
- After a few hours, check the System log for detailed messages
Using PowerShell for analysis
The following PowerShell command will help find recent lockout events:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4740} |
Select-Object TimeCreated, @{Name="User";Expression={$_.Properties[0].Value}},
@{Name="Computer";Expression={$_.Properties[1].Value}} |
Sort-Object TimeCreated -Descending | Format-Table
Netstat command to find active connections
If the lockout is coming from a specific computer, check active network connections:
netstat -anb | findstr "445 139 389"
This command will show processes using network protocols related to authentication.
Analyzing domain policies
Check domain lockout policy parameters:
Get-ADObject -Identity (Get-ADDomain).DistinguishedName -Properties * |
Select-Object Name, LockoutThreshold, LockoutDuration, LockoutObservationWindow
Preventing repeated lockouts
1. Regular account auditing
Conduct regular audits of:
- Saved passwords in applications
- Scheduled tasks
- Network connections
- Devices connected to the domain
2. Using modern authentication methods
Switch to more secure methods:
- Multi-factor authentication (MFA)
- Certificates instead of passwords
- Smart Card authentication
3. Monitoring and alerts
Set up monitoring for:
- Event ID 4740 for immediate notifications
- Multiple failed authentication attempts
- Unusual lockout activity
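A simple way to get these alerts without a SIEM is a script that summarizes the 4740 events on the PDC Emulator and flags the two patterns the answer treats as suspicious: the same account locked out repeatedly, and one account locked out from several different computers (the "many different computers" sign from cause 4). The script below is an added example, not part of the original answer; it assumes the RSAT ActiveDirectory module and rights to read the Security log on the PDC Emulator, and the thresholds, the `LockoutMonitor` event source and event ID 1000 are chosen values, not anything the answer specifies.

```powershell
# Added example (not from the original answer): summarise 4740 events from the PDC Emulator
# and flag repeated lockouts and lockouts from multiple source computers.
# Thresholds, the 'LockoutMonitor' source and event ID 1000 are assumptions.
param(
    [int] $Hours = 24,
    [int] $RepeatThreshold = 3,   # lockouts of one account within the window
    [int] $SourceThreshold = 2    # distinct caller computers for one account
)

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; ID = 4740; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$summary = $events |
    ForEach-Object {
        [pscustomobject]@{
            User       = $_.Properties[0].Value   # TargetUserName
            ClientName = $_.Properties[1].Value   # caller computer name
            Time       = $_.TimeCreated
        }
    } |
    Group-Object User |
    ForEach-Object {
        $sources = @($_.Group.ClientName | Sort-Object -Unique)
        $reasons = @()
        if ($_.Count -ge $RepeatThreshold)      { $reasons += "locked $($_.Count)x in ${Hours}h" }
        if ($sources.Count -ge $SourceThreshold) { $reasons += "$($sources.Count) different source computers" }
        [pscustomobject]@{
            User     = $_.Name
            Lockouts = $_.Count
            Sources  = ($sources -join ', ')
            LastSeen = ($_.Group.Time | Sort-Object -Descending | Select-Object -First 1)
            Flag     = ($reasons -join '; ')
        }
    } |
    Sort-Object Lockouts -Descending

$summary | Format-Table -AutoSize

# Write one Warning event per run for anything flagged, so a log forwarder or a second
# scheduled task (e.g. one that sends mail) can pick it up from the Application log.
$flagged = $summary | Where-Object Flag
if ($flagged) {
    $text = ($flagged | ForEach-Object { "$($_.User): $($_.Flag) [$($_.Sources)]" }) -join "`n"
    if (-not [System.Diagnostics.EventLog]::SourceExists('LockoutMonitor')) {
        New-EventLog -LogName Application -Source 'LockoutMonitor'   # one-time, needs elevation
    }
    Write-EventLog -LogName Application -Source 'LockoutMonitor' -EventId 1000 -EntryType Warning -Message $text
}
```

Register it as a scheduled task on the PDC Emulator that runs hourly, for example with a trigger built by `New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)`, and set `-Hours` to the same window as the domain's LockoutObservationWindow so one run covers one policy window. Tune `RepeatThreshold` to what is normal for the domain: a single stale password typically produces one or two lockouts per observation window from one computer, so several lockouts from several computers is the pattern worth an immediate look.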
4. User training
Conduct user training on:
- Proper password management
- Secure credential storage
- Reporting suspicious activity
Conclusion
Determining the cause of an account lockout in Active Directory requires a systematic approach and analysis of various information sources. Key points to remember:
- Event ID 4740 on the domain controller with the PDC Emulator role is the primary source of information about lockouts
- Logon type helps understand the nature of the lockout - interactive, network, or batch
- Most common causes - outdated saved passwords, scheduled tasks, and network connections
- Advanced diagnostics using Netlogon debugging and PowerShell helps in complex cases
- Preventive measures - regular auditing and user training help avoid repeated lockouts
By following these steps, you can not only determine the current cause of a lockout but also develop a strategy to prevent similar situations in the future.