How to Find Where My Account Locked Out
- By g2
- April 28, 2016
- No Comments
1. To find the Machine that is locking the account out
- Use the Account Lockout Status (LockoutStatus.exe) tool to find the Domain Controller where it locked out
https://www.microsoft.com/en-us/download/details.aspx?id=15201 - Logon to that DC and filter the Security Event Log for 4740
- In the details of the 4740 event
Additional Information:
Caller Computer Name:
2. To find the application or process locking out the account
- Enable the following audit local policy settings on the Caller Computer Name (The source computer or workstation identified above)
Compute Configurations -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:
Audit process tracking: Success , Failure
Audit logon events: Success , Failure
- On the Caller Computer Name filter the Security Event Log for 4625
Caller Process Name is the process that is locking it out
Ref Links:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740
http://woshub.com/troubleshooting-identify-source-of-active-directory-account-lockouts/
Why Aren’t My Windows Audit Policies Working?
https://windowsexplored.com/2014/01/31/why-arent-my-windows-audit-policies-working/
Leave a Reply