Account lockouts are a common problem experienced by Active Directory (AD) users. They arise because of Account Lockout Policies configured in the default domain policy for the Active Directory domain.
The automatic locking out of accounts after several unsuccessful logon attempts is a standard security practice as failed logon attempts can be a sign of a potential data breach. Because of this, before unlocking an account, it is crucial to determine why incorrect passwords were repeatedly provided to cause the account lockout. Doing this will help to keep your system secure and avoid the risk of unauthorized access to your sensitive data.
It is essential to continuously monitor those accounts which get unlocked and by whom so that you can identify any that were unlocked without appropriate approval and respond quickly to protect your systems and data.
In this guide, we will look first at the native way to identify who has unlocked an account and then look at a more straightforward approach using the Lepide Auditor.
Native Method
The native method to identify who unlocked an account is as follows:
- Run gpmc.msc and create a new GPO
Edit the GPO as follows:
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management
- From here, select Audit User Account Management, and set to Success and Failures
- Go to the Event Log, and do the following:
- Set the maximum security log size to 4GB
- Set the retention method for security log to Overwrite events as needed
Link the new GPO:
- Go to Group Policy Management, right-click domain or OU, choose Link an Existing GPO, choose the GPO that you created
- Force the group policy update as follows: in Group Policy Management, right-click the defined OU and click Group Policy Update
- Open Event Viewer and search the Security log for Event ID 4767 (the event ID for "A user account was unlocked")
The Subject field of this event contains the name and security ID of the user who unlocked the account; the Target Account field identifies the account that was unlocked.
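Rather than reading Event ID 4767 entries one by one in Event Viewer, the same lookup can be scripted. The following PowerShell is an added example, not part of the original guide or the Lepide product; it assumes it is run by an account with rights to read the Security log on a domain controller, and the DC name and lookback window are placeholders. Because the event is written on the DC that processed the unlock, the query should be repeated for each DC in the domain.

```powershell
# Added example: list who unlocked which AD account from Security Event ID 4767.
# Assumes "Audit User Account Management" (Success) is enabled as described above.
param(
    [string]$DomainController = 'DC01',   # placeholder: replace with your DC name
    [int]$Days = 7                        # how far back to search
)

$filter = @{
    LogName   = 'Security'
    Id        = 4767                      # "A user account was unlocked"
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent throws when nothing matches; treat that as an empty result set.
try {
    $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop
} catch {
    $events = @()
}

$results = foreach ($e in $events) {
    # The Subject and Target Account fields shown in Event Viewer live in the
    # EventData section of the event XML as named <Data> elements.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time               = $e.TimeCreated
        UnlockedAccount    = "$($data.TargetDomainName)\$($data.TargetUserName)"
        UnlockedAccountSid = $data.TargetSid
        UnlockedBy         = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        UnlockedBySid      = $data.SubjectUserSid
        DomainController   = $e.MachineName
    }
}

# Newest first. Unlocks performed by accounts that are not part of the
# approved helpdesk/admin group are the ones to follow up on.
$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

The UnlockedBy column is the Subject field from the event; comparing it against the list of staff authorised to unlock accounts is the check the text above recommends.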
How Lepide can Help
A more straightforward alternative to the native method is to use the Lepide Auditor for Active Directory.
Lepide’s Active Directory Auditing tool provides a straightforward way to list all accounts which have been unlocked and who has unlocked them by running the User Status Changes Report. This report is one of hundreds of pre-defined reports included within the Lepide solution and an example is given below:
This report includes information showing the account User Name, Who made the change, When it was changed and the Status of the change.
To run this report:
- From Lepide Auditor, expand Active Directory and select the User Status Changes Report
- Specify a date range if required
- Generate the Report