Sometimes generic or service accounts get locked out after a password expiration or change. You must troubleshoot the lockout to confirm that this is the case, and not an attacker wandering around your network trying to brute-force your privileged passwords. First, ensure that your domain group policy is configured to capture the logon security events. Your audit policy should look like this.
The common causes for account lockouts are:
- Programs with cached credentials or active threads that retain old credentials
- Service accounts passwords cached by the service control manager
- User logged in multiple computers or disconnected remote terminal server sessions
- Scheduled tasks
- Persistent drive mappings
- Active Directory delayed replication
We will use PowerShell cmdlets to troubleshoot the account lockouts. The most useful cmdlet is Get-EventLog.
Run Get-EventLog -List to display the available event logs.
To filter the security events, run the following cmdlet:
Get-EventLog -LogName "security"
Now, open up a PowerShell prompt on a domain controller (or execute a privileged shell on your computer) and run the following commands:
$domainControllers = "dc1", "dc2", "dc3"
Get-EventLog -LogName "security" -ComputerName $domainControllers | Where-Object { $_.EventID -eq 4740 } | Format-List -Property TimeGenerated, ReplacementStrings, Message
where the $domainControllers variable should, of course, contain your own domain controllers. This command looks for event ID 4740 (the account lockout event) on your domain controllers, and the results are displayed in the following format:
Check the "Caller Computer Name" property to find the workstation or server that triggers the account lockout. Log on to it and look for one of the aforementioned causes of the problem.
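The following script is an added example and is not part of the original post. It goes a step beyond the one-liner above: it queries event 4740 on every domain controller for a single account, reads the locked account and the caller computer from the named fields in the event XML rather than from ReplacementStrings positions, and then counts lockouts per caller computer so the machine to investigate stands out. The parameter names, the 24-hour default window and the use of Get-ADDomainController to discover DCs are this example's own choices; it assumes you run it with rights to read the Security log remotely and that the ActiveDirectory module is installed.

```powershell
# Added example (not from the original post): find 4740 lockouts for one account
# across the domain controllers and summarise them by caller computer.
# Assumptions: domain admin rights, remote event log access to the DCs, and the
# ActiveDirectory module for Get-ADDomainController. Parameter names are ours.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName,          # e.g. "user1" (without the DOMAIN\ prefix)
    [string[]]$DomainControllers,     # defaults to every DC in the domain
    [int]$HoursBack = 24              # how far back to search
)

if (-not $DomainControllers) {
    # Discover the DCs instead of hard-coding "dc1", "dc2", "dc3"
    $DomainControllers = (Get-ADDomainController -Filter *).HostName
}

$since = (Get-Date).AddHours(-$HoursBack)

$results = foreach ($dc in $DomainControllers) {
    try {
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $since
        }
    } catch {
        # Get-WinEvent raises an error when nothing matches; that is not a problem,
        # but RPC or permission failures are worth surfacing.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        continue
    }

    foreach ($e in $events) {
        # Read the named EventData fields from the XML. For event 4740,
        # TargetUserName is the locked-out account and TargetDomainName holds
        # the "Caller Computer Name" shown in the Event Viewer.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # -ne on strings is case-insensitive in PowerShell, so "User1" matches "user1"
        if ($data.TargetUserName -ne $SamAccountName) { continue }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            DomainController = $dc
            LockedAccount    = $data.TargetUserName
            CallerComputer   = $data.TargetDomainName
        }
    }
}

# Chronological list of the lockouts for this account
$results | Sort-Object TimeCreated | Format-Table -AutoSize

# The caller computer with the highest count is where to start looking for the
# cached credential, stale session, scheduled task or persistent drive mapping.
$results | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Save it as a .ps1 and run it as `.\Find-Lockout.ps1 -SamAccountName user1` (the file name is arbitrary). Because every lockout is also recorded on the PDC emulator, you can pass `-DomainControllers` with just that DC to get a quick answer, but querying all DCs, as the post does, shows you which DC each lockout was processed on.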
Thanks for the PowerShell script. But the script lists all the events with ID 4740. Can you provide a script for a particular AD account (say domain\user1)?