How to Detect the Source of Account Lockout in Active Directory

The referenced account is currently locked out and may not be logged on to.

Ahmet Doruk
4 min read · Jan 27, 2024

In this article, I will talk about the source and causes of account lockouts in a domain environment that uses Active Directory, and how to determine which account is being locked out from which device. In Active Directory, you can find the source of user account lockouts with tools such as Windows Logs (Event Viewer), PowerShell and LockoutStatus.exe. All of these tools are free. Now let’s explain how to use them and what their output means. Besides these methods, some third-party tools also do the job; they are generally licensed by the number of computers or accounts.

Why is the User Account Always Locked in Active Directory?

Let’s start with the most important question we should ask first: why is it locked? Even though you unlock the user account, it is locked out again within a very short time. What are the possible reasons for this scenario?

The most fundamental reason is that a Group Policy for account security (an Account Lockout Policy) is in place, as shown below.

Group Policy — Account Lockout Policy

Since such a policy exists, it is normal that the account gets locked. Possible reasons that triggered the lockout:

  • There is a brute-force attack: repeated attempts exceed the threshold within seconds. This is usually the case with publicly exposed accounts or automated attacks.
  • Someone is entering their password incorrectly more times than the limit allows. It could be the end user, the system admin, or even the boss :)
  • The password is saved somewhere, and the account is locked because the password was changed and the old one keeps being used. Strongly not recommended, but it happens a lot with accounts used as service accounts.

The referenced account is currently locked out and may not be logged on to

Now that we are asking the right question, let’s move on to the investigation and find out whether the answer is innocent or not. First of all, we need to analyze the events with specific IDs in Windows Event Viewer. Instead of going through the logs one by one, filter them by clicking “Create Custom View”. If there are too many logs you may need a more detailed filter, but a basic filter like the one below works perfectly: select the Security log and type Event ID 4740, and the results appear.

Create Custom View

You could also enter a username or computer name, but I want to see them all in case more accounts show up in this log.

Custom View — Event ID 4740

Now you can see the details as below; the event records the source from which the lockout was triggered.

Using Event Viewer, we were able to see which account was locked from which computer.
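The same Event ID 4740 query can be scripted instead of clicked through a Custom View. The following is an added example (not code from the article): it reads 4740 events from the Security log of the PDC emulator (every lockout in the domain is reported there as well as on the DC that processed it) and lists which account was locked out from which computer. It assumes the ActiveDirectory PowerShell module is installed and that the caller can read the domain controller’s Security log remotely; the function name Get-LockoutSource and the sample user name jdoe are my own choices.

```powershell
# Added example, not part of the original article.
# Assumes the ActiveDirectory module and read access to the DC's Security log.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$UserName,                              # optional: restrict to one sAMAccountName
        [int]$Hours = 24,                               # how far back to search
        [string]$Server = (Get-ADDomain).PDCEmulator    # lockouts are always forwarded to the PDC emulator
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # Get-WinEvent throws when nothing matches; SilentlyContinue just yields no rows
    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the XML instead of relying on positional Properties[]
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time           = $_.TimeCreated
                LockedAccount  = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']   # in 4740 this field holds the "Caller Computer Name"
                ReportingDC    = $data['SubjectUserName']    # computer account of the DC that logged the event
            }
        } |
        Where-Object { -not $UserName -or $_.LockedAccount -ieq $UserName }
}

# Usage: all lockouts of the last 24 hours, newest first
Get-LockoutSource | Sort-Object Time -Descending | Format-Table -AutoSize

# Usage: lockouts of one account over the last week (jdoe is a made-up sample user)
Get-LockoutSource -UserName 'jdoe' -Hours 168
```

If the Caller Computer Name is empty or names a server rather than the user’s workstation, the bad passwords are being submitted through that server (for example a mail or VPN gateway), and the next step is to look at that system rather than at the user.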

Finding a Locked-Out Account Using PowerShell

# Show the lockout-related attributes of one account
Get-ADUser -Identity username -Properties * |
Select-Object AccountExpirationDate, accountExpires,
AccountLockoutTime, BadLogonCount, badPwdCount,
LastBadPasswordAttempt, LastLogonDate, LockedOut,
PasswordExpired | Format-List
Powershell — Lockedout : True
# Unlock the account once the cause is known
Unlock-ADAccount -Identity <username>

That is all there is to the PowerShell part, and it makes automating things easier. Let’s move on to another tool.
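One detail that matters when automating this: badPwdCount and LastBadPasswordAttempt are not replicated between domain controllers, so the values above depend on which DC answered the query. The added example below (my own code, not the article’s) shows the domain’s Account Lockout Policy, then asks every domain controller for the same account so that the DC whose counter keeps climbing, and therefore the one receiving the bad passwords, stands out. It assumes the ActiveDirectory module; Get-LockoutReport and the sample user jdoe are names I chose for the example.

```powershell
# Added example, not part of the original article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-LockoutReport {
    param([Parameter(Mandatory)][string]$UserName)

    # Threshold, observation window and duration come from Group Policy - Account Lockout Policy
    $policy = Get-ADDefaultDomainPasswordPolicy
    Write-Host ("Lockout threshold: {0} attempts, observation window: {1}, lockout duration: {2}" -f
        $policy.LockoutThreshold, $policy.LockoutObservationWindow, $policy.LockoutDuration)

    # Query each DC directly: badPwdCount / LastBadPasswordAttempt are per-DC, not replicated
    foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
        try {
            $u = Get-ADUser -Identity $UserName -Server $dc.HostName `
                     -Properties LockedOut, AccountLockoutTime, badPwdCount, LastBadPasswordAttempt, PasswordExpired
            [pscustomobject]@{
                DC                     = $dc.HostName
                LockedOut              = $u.LockedOut
                AccountLockoutTime     = $u.AccountLockoutTime
                BadPwdCount            = $u.badPwdCount
                LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                PasswordExpired        = $u.PasswordExpired
            }
        } catch {
            # An unreachable DC should not abort the report for the others
            [pscustomobject]@{ DC = $dc.HostName; LockedOut = "unreachable: $($_.Exception.Message)" }
        }
    }
}

# Usage: per-DC view of one account (jdoe is a made-up sample user)
Get-LockoutReport -UserName 'jdoe' | Format-Table -AutoSize

# Usage: every account that is currently locked out in the domain
Search-ADAccount -LockedOut | Select-Object SamAccountName

# Unlock only after the source is known; otherwise the account locks again within the observation window
# Unlock-ADAccount -Identity 'jdoe'
```

Running the report before and after a suspected client is rebooted, or a saved credential is updated, shows immediately whether the bad attempts have stopped, which is the confirmation you want before unlocking.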

LockoutStatus.exe

This small tool developed by Microsoft lets you check and unlock an account without writing any code or opening an MMC console such as Active Directory Users and Computers. Click here for the download link. After a simple installation, you can run the program from the following folder:

C:\Program Files (x86)\Windows Resource Kits\Tools

Select target & Credentials
Type a user for resetting lock

Some third-party tools such as ManageEngine, Lepide, etc. send e-mail alerts according to the scenario you define for failed password attempts and lockouts.

Written by Ahmet Doruk

IT Manager, Consultant, System Admin | Message for freelance works; www.linkedin.com/in/ahmetdoruk/