Troubleshooting Account Lockouts in Active Directory

Sometimes generic or service accounts lock out due to password expiration or change. You must troubleshoot and solve the problem to confirm that this is the case and not a hacker wandering around in your network trying to brute force your privileged passwords. First, ensure that you have configured your domain group policy to capture the logon security events. Your audit policy should look like this.

Audit Policy

The common causes for account lockouts are:

• Programs with cached credentials or active threads that retain old credentials
• Service accounts passwords cached by the service control manager
• User logged in multiple computers or disconnected remote terminal server sessions
• Scheduled tasks
• Persistent drive mappings
• Active Directory delayed replication

We will use powershell cmdlets to troubleshoot the account lockouts. The most useful cmdlet is the Get-EventLog.

Run Get-EventLog -List to display the various event groups.

EventLog Groups

To filter out the security events, run the following cmdlet

GetEventLog –LogName "security"

Now, open up a powershell on a domain controller (or execute a privileged shell on your computer) and execute the following commands:

$domainControllers = "dc1", "dc2", "dc3"
Get-EventLog  -LogName "security" –ComputerName $domainControllers | where {$_.eventID -eq 4740} | fl -Property timegenerated, replacementstrings, message

where $domainControllers parameter should contain of course your domain controllers. This commands will look for eventIDs 4740 (the account lockout id) in your domain controllers and the results will be displayed in the following format:

Account Lockout Events

Check the “Caller Computer Name” property to figure out the workstation/server that triggers the account lockout. Get into it and look for one of the aforementioned causes that produces the problem.