How to: Find the source of Account Lockouts in Active Directory
It is a very common problem in Active Directory when Users change their password in a domain environment, they might get locked out repeatedly and it can be a frustrating process to identify the source of the lockout.
Try the following steps to track the locked out user and also find the source of AD account lockouts. This procedure assume that you know the username which is locked out.
I recommend doing this procedure on ALL your Domain Controllers, not only your PDC Server, just to be sure you didn’t miss a lockout event.
- You need to create a filter on the security log on your DCs. We will use a very handy XML query for that. These specific events are good for a 2008 R2 Domain Controller. You can easily change the event numbers for other Windows server editions.
- To start, Right click security log and select ‘Filter current log’
- Select the XML tab and tick the ‘Edit query manually‘ radio button.
- Copy the following query to the XML window. You need to change the UserName and Domain\UserName values respectively for your specific domain and user.
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">
*[System[(EventID=4771 or EventID=4770 or EventID=4625 or EventID=6274)]]
and
*[EventData[Data and (Data='UserName' or Data='Domain\UserName')]]
</Select>
</Query>
</QueryList>
- Click OK to confirm the filter.
- Now inside the events that were discovered in the security log, refer to the client address and client port to continue your investigation on the source of the lockout. in the below example you can see the source of lockout in the client address and client port lines.
Disconnect the user from the computers he is still trying to establish connections from.
You will receive all relevant events for the lockout for the specified user.