How to Track Source of Account Lockouts in Active Directory


Active Directory auditing is an important part of ensuring compliance and the security of the IT environment. However, a common problem that Active Directory auditors face is how to identify the source of frequent account lockouts. If user accounts are locked out frequently for any reason, it may result in downtime, and getting the AD account re-enabled can often be a time-consuming and frustrating process.

Possible Causes of Frequent AD Account Lockouts:

  • Mapped drives using old credentials
  • Systems using old cached credentials
  • Applications using old credentials
  • Windows Services using expired credentials
  • Scheduled Tasks

Follow the steps below to track locked-out accounts and find the source of Active Directory account lockouts. If you already know which account is locked out, you can start directly from step 5 (to track the source).

Step 1 – Search for the DC having the PDC Emulator Role

The DC (Domain Controller) with the PDC emulator role captures every account lockout event (Event ID 4740). If you have only one DC, you can skip this step.

Get-ADDomain – Run this cmdlet to find the domain controller holding the PDC emulator role; it is listed in the PDCEmulator property of the output.

Step 2 – Look for the Account Lockout Event ID 4740

Open Event Viewer on the DC. Go to the Security log and search for Event ID 4740.

Step 3 – Apply Appropriate Filters

Use filters to narrow the results into a more customized report. For example, you can search for lockouts that occurred in the last hour and find the most recent lockout source for a particular user.

Step 4 – Find the Locked Account Whose Information Is Required

Click on the “Find” button in the Actions pane to look for the user whose account has been locked out.

Step 5 – Open the Event Report to Find the Account Lockout Source

Here you can find the name of the user account in the “Account Name” field and the source of the lockout in the “Caller Computer Name” field.
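
Steps 1 to 5 above, scripted in PowerShell as an added example that is not part of the original article or of Lepide's product. The function names, the sample event and the host name WKS-EXAMPLE01 are constructed; the live query assumes the ActiveDirectory module and read access to the Security log on the PDC emulator.

```powershell
# Added example, not Lepide's code. Function names are illustrative.

# Step 5: pull the two fields of interest out of one 4740 event's XML.
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $evt  = ([xml]$Xml).Event
    $data = @{}
    foreach ($d in $evt.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        AccountName        = $data['TargetUserName']
        # Event Viewer labels this value "Caller Computer Name";
        # in the event XML it is stored as TargetDomainName.
        CallerComputerName = $data['TargetDomainName']
    }
}

function Get-LockoutSource {
    param(
        [string]$UserName,      # Step 4: optional, limit to one account
        [int]$HoursBack = 1     # Step 3: time window
    )
    Import-Module ActiveDirectory
    $pdc = (Get-ADDomain).PDCEmulator                        # Step 1
    $filter = @{ LogName = 'Security'; Id = 4740             # Step 2
                 StartTime = (Get-Date).AddHours(-$HoursBack) }
    # Get-WinEvent reports an error if no 4740 events fall in the window.
    foreach ($e in Get-WinEvent -ComputerName $pdc -FilterHashtable $filter) {
        $row = ConvertFrom-LockoutEventXml -Xml $e.ToXml()
        if (-not $UserName -or $row.AccountName -eq $UserName) {
            $row | Add-Member -NotePropertyName TimeCreated `
                              -NotePropertyValue $e.TimeCreated -PassThru
        }
    }
}

# Constructed sample event (trimmed to the fields used), parsed offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKS-EXAMPLE01</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEventXml -Xml $sample
```

Against a live domain, `Get-LockoutSource -UserName jdoe -HoursBack 24` lists each lockout of that account with the time and the caller computer.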

How Lepide Active Directory Auditor Troubleshoots Account Lockouts

Lepide Active Directory Auditor (part of Lepide Data Security Platform) generates an Account Lockout Report in which complete information about each event is displayed in a single row. When you right-click on any event, the context menu gives you the following options: “Unlock”, “Reset Password” and “Investigate”.

Lepide Account Lockout Report

Unlock Account

Click on this option to unlock the chosen user account. Once done, it shows the following message.

Reset Password

If you want to reset the user’s password, click on the “Reset Password” option. Enter the new password and then confirm it. Select the “User must change password at the next logon” option to force the user to change the password at the next logon.


To investigate how the user account was locked out, click on the “Investigate” option in the context menu. The “Lockout Investigator” window then opens. In this window, click on the “Generate Report” button to generate a report showing the reason behind the account lockout.

