How to Find Where My Account Locked Out

1. To find the Machine that is locking the account out
  1. Use the Account Lockout Status (LockoutStatus.exe) tool to find the Domain Controller where it locked out
    https://www.microsoft.com/en-us/download/details.aspx?id=15201
  2. Logon to that DC and filter the Security Event Log for 4740
  3. In the details of the 4740 event

Additional Information:
Caller Computer Name:

active-directory-account-lockout-event-ID-4740

2. To find the application or process locking out the account
  1. Enable the following audit local policy settings on the Caller Computer Name (The source computer or workstation identified above)

Compute Configurations -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy:

Audit process tracking: Success , Failure

Audit logon events: Success , Failure

account-lockout-audit-policies

  1. On the Caller Computer Name filter the Security Event Log for 4625

Caller Process Name is the process that is locking it out

account-lock-Event-ID-4625

 

Ref Links:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740

http://woshub.com/troubleshooting-identify-source-of-active-directory-account-lockouts/

Why Aren’t My Windows Audit Policies Working?

https://windowsexplored.com/2014/01/31/why-arent-my-windows-audit-policies-working/

 

 

 

 

Categories: Uncategorized

Leave a Reply

%d bloggers like this: