How to Track Source of Account Lockouts in Active Directory
Active Directory auditing is an important part of ensuring compliance and the security of the IT environment. However, a common problem that Active Directory auditors face is how to identify the source of account lockouts. If a user account gets locked out for any reason, such as password modifications, it may result in downtime, and it can often be a time-consuming and frustrating process to get the AD account re-enabled.
Follow the steps below to track locked-out accounts and find the source of Active Directory account lockouts. If you already know the locked-out account in question, you can start directly from step 5 (to track the source).
- Search for the DC (Domain Controller) having the PDC Emulator Role
Get-AdDomain – Running this cmdlet will search for the domain controller having the role of a PDC emulator.
- Look for the Event ID 4740
- Put Appropriate Filters in Place
- Find Out the Locked Out Account Event Whose Information is Required
- Open the Event Report to Find the Source of the Locked Out Account
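The steps above can also be run from PowerShell. This is an added example, not code from Lepide or the original page; it assumes the ActiveDirectory module (RSAT) is installed and that the account running it may read the Security log on the domain controller. The function name `Get-LockoutSource` and its parameters are hypothetical.

```powershell
# Added example: trace lockout events (Event ID 4740) on the PDC emulator.
# Assumes the ActiveDirectory module and read access to the DC's Security log.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$Account,        # optional sAMAccountName to filter on (hypothetical input)
        [int]$HoursBack = 24     # how far back to search
    )

    # Step 1: find the domain controller holding the PDC emulator role.
    $pdc = (Get-ADDomain).PDCEmulator

    # Steps 2-3: look for Event ID 4740 in the Security log, filtered by time.
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    try {
        $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events found" is a normal result; anything else (access denied,
        # DC unreachable) must surface instead of looking like a clean log.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }

    # Steps 4-5: open each event and read the locked-out account and its source.
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($Account -and $data['TargetUserName'] -ne $Account) { continue }
        [pscustomobject]@{
            TimeCreated    = $e.TimeCreated
            LockedAccount  = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
            CallerComputer = $data['TargetDomainName']
            LoggedOn       = $pdc
        }
    }
}

# Lockouts from the last 24 hours, newest first.
Get-LockoutSource -HoursBack 24 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

An empty `CallerComputer` value means the event did not record a source machine, so the failed logon attempts on the domain controllers have to be reviewed to locate the origin.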
Using Lepide Active Directory Auditor to Track and Resolve Account Lockout Issues
Lepide Active Directory Auditor (part of Lepide Data Security Platform) generates an Account Lockout Report in which complete information about each event is displayed in a single row. When you right-click on any event, the context menu gives you the following options: “Unlock”, “Reset Password” and “Investigate”.
Click on the “Unlock” option to unlock the chosen user account. Once done, it shows the following message.
If you want to reset the user’s password, click on the “Reset Password” option. Enter the new password and then confirm it. Select the “User must change password at the next logon” option to force the user to change the password on the next logon.
To investigate how the user account was locked out, click on the “Investigate” option in the context menu. After you click the “Investigate” button, the “Lockout Investigator” window opens. In this window, you can click the “Generate Report” button to generate a report showing the reason behind the account lockout.