Find the Source of Account Lockouts in Active Directory

Published on Dec 14, 2024 This response is partially generated with the help of AI. It may contain inaccuracies.


Introduction

This tutorial walks through finding the source of account lockouts in Active Directory. Repeated lockouts are an inconvenience for users and a time sink for administrators, and the lockout event itself only tells you which machine sent the bad password, not why. By following these steps, you can identify that machine using PowerShell commands and, optionally, a graphical user interface (GUI) tool.

Step 1: Enabling Auditing for Event 4740

Event ID 4740 ("A user account was locked out") is written to the Security log of the domain controller that processes the lockout, and only if the User Account Management audit subcategory is enabled on that controller. To make sure it is:

  • Accessing Group Policy Management:

    • Open the Group Policy Management Console.
    • Edit a GPO that applies to your domain controllers: the Default Domain Controllers Policy, or a dedicated GPO linked to the Domain Controllers OU.
  • Configuring Audit Policy:

    • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
    • Under Account Management, enable Audit User Account Management for Success (Failure is optional; 4740 is a success event).
    • Note that Audit Account Lockout under Logon/Logoff is a different subcategory: it records the 4625 failure a locked-out account receives when it tries to log on, not the lockout itself.
  • Applying the Policy:

    • Ensure the GPO is linked to the Domain Controllers OU, then run gpupdate /force on the domain controllers or wait for the next policy refresh.
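The following is an added example, not code from the original tutorial. Run it on a domain controller (ideally the PDC emulator) to confirm that the subcategory which actually produces event 4740 is being audited, to see the lockout threshold the domain enforces, and to list the accounts that are locked right now. It assumes the RSAT ActiveDirectory module is installed and that you are running as an administrator.

```powershell
# Added example (not from the original tutorial). Run on a domain controller.
#
# 4740 ("A user account was locked out") is raised by the "User Account
# Management" subcategory (Account Management category). The "Account Lockout"
# subcategory under Logon/Logoff does NOT produce it; it only logs the 4625
# failure an already-locked account gets when it tries to log on.
auditpol /get /category:"Account Management"

# Expected row when auditing is in place:
#   User Account Management     Success   (or "Success and Failure")
# If it reads "No Auditing", fix the GPO linked to the Domain Controllers OU.
# For a one-off lab test you can set it locally instead; the GPO will
# overwrite this at the next refresh:
auditpol /set /subcategory:"User Account Management" /success:enable

# The threshold after which an account locks (0 means accounts never lock).
# Fine-grained password policies (PSOs) can override this for specific
# groups, so check Get-ADFineGrainedPasswordPolicy -Filter * as well.
Import-Module ActiveDirectory
(Get-ADDefaultDomainPasswordPolicy).LockoutThreshold

# Accounts that are locked right now. Once auditing is on, each new lockout
# should have a matching 4740 on the PDC emulator.
Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LastLogonDate
```

auditpol reports the effective local setting, so it catches the case where the GPO is linked to the wrong OU or has not refreshed yet; Group Policy Management only tells you what was configured.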

Step 2: Find the Domain Controller with PDC Emulator Role

The Primary Domain Controller (PDC) Emulator is the one place to look for lockout events: every domain controller forwards bad-password attempts to it, and account lockouts are replicated to it urgently, so its Security log contains a 4740 for every lockout in the domain, whichever DC the user authenticated against. To identify which controller holds this role:

  • Open PowerShell.
  • Execute the following command:
    Get-ADDomain | Select-Object PDCEmulator
    
  • Note the output: the fully qualified name of the domain controller that acts as the PDC Emulator. That is the controller whose Security log you query in the next steps. Get-ADDomain needs the ActiveDirectory module, which ships with RSAT.

Step 3: Search Event Logs for Event ID 4740

You can use PowerShell to search the PDC emulator's Security log for account lockout events:

  • Run the following command in PowerShell on the PDC emulator, or point it there from another machine with -ComputerName:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740}
    Get-WinEvent -ComputerName (Get-ADDomain).PDCEmulator -FilterHashtable @{LogName='Security'; Id=4740}
    
  • This retrieves every account lockout event in that log. If there are none, Get-WinEvent reports "No events were found" as an error rather than returning an empty result; that is expected, not a sign that auditing is broken.

Step 4: Display Details of Event

To view the details of each account lockout event:

  • Use this command:
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} | Format-List
    
  • This prints each event in full. In the Message, the locked-out user appears under Account That Was Locked Out > Account Name, the domain controller that processed the lockout under Subject, and, under Additional Information, the Caller Computer Name: the machine from which the bad password that tripped the threshold was received. That name is the source you are after, with one caveat: if it is a domain controller, a gateway server (Exchange, RD Gateway, VPN/RADIUS) or blank, the bad passwords were relayed through that machine, and you have to check its own Security log for the failed attempts to find the originating client.
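The following is an added example, not code from the original tutorial. It chains Steps 2 to 4 into one script: it locates the PDC emulator, pulls every 4740 from its Security log, reads the locked-out account and the caller computer out of the event XML, ranks the callers, and then follows up on each caller machine to find the failed attempts behind the lockout. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Security log remotely (Event Log Readers or local administrator on the target). The account name 'jsmith' and the seven-day window are assumptions; adjust them.

```powershell
# Added example, not from the original tutorial. Assumes RSAT ActiveDirectory
# and remote read access to the Security log on the machines it queries.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddDays(-7)
$user  = 'jsmith'          # assumed sample account; set to $null for all accounts

# Turn one event's <EventData> into a hashtable keyed by each Data element's
# Name attribute, so fields can be read by name instead of by position.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4740 is only logged where the lockout was processed, so query the PDC
# emulator rather than whichever DC you happen to be logged on to.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue        # "No events were found" is not fatal here

$lockouts = foreach ($e in $events) {
    $d = ConvertFrom-EventData $e
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $d['TargetUserName']
        # Displayed as "Caller Computer Name" in Event Viewer: the machine from
        # which the bad password that tripped the threshold was received.
        CallerComputer = $d['TargetDomainName']
        # The DC computer account that processed the lockout.
        ProcessedBy    = $d['SubjectUserName']
    }
}

if ($user) { $lockouts = $lockouts | Where-Object Account -eq $user }

$lockouts | Sort-Object Time -Descending |
    Format-Table Time, Account, CallerComputer, ProcessedBy -AutoSize

# Which callers are responsible, most frequent first.
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'CallerComputer'; e = { $_.Name } }

# If the caller is itself a DC or a gateway, the real client is one hop back.
# On a DC the failed attempt is recorded as 4771 (Kerberos pre-auth failure,
# Status 0x18 = wrong password, carries the client IP) or 4776 (NTLM
# validation, Status 0xC000006A = wrong password, carries the workstation
# name); on a member server it is a 4625 logon failure with the source
# workstation and IP address.
function Get-BadPasswordSource {
    param([string]$Computer, [string]$Account, [datetime]$Since)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625, 4771, 4776
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d['TargetUserName'] -ne $Account) { return }
        $source = switch ($_.Id) {
            4771 { $d['IpAddress'] }
            4776 { $d['Workstation'] }
            4625 { "$($d['WorkstationName']) ($($d['IpAddress']))" }
        }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Status = if ($_.Id -eq 4625) { $d['SubStatus'] } else { $d['Status'] }
            Source = $source
        }
    }
}

# Follow up on every distinct caller computer for the chosen account.
$callers = $lockouts | Where-Object CallerComputer |
    Select-Object -ExpandProperty CallerComputer -Unique
foreach ($caller in $callers) {
    Get-BadPasswordSource -Computer $caller -Account $user -Since $since |
        Group-Object Source | Sort-Object Count -Descending |
        Select-Object @{ n = 'Caller'; e = { $caller } }, Count, Name
}
```

The follow-up events only exist if the relevant subcategories are audited on the machine you query: Kerberos Authentication Service and Credential Validation on domain controllers, Logon on member servers. A blank Caller Computer Name usually means the attempt came in over a protocol that does not supply a workstation name; in that case the IP address from 4771 or 4625 on the processing DC is the lead to chase.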

Step 5: Use Event Viewer (Optional)

For a more visual representation of the data, you can use the Event Viewer:

  • Open Event Viewer:

    • Navigate to Windows Logs > Security.
    • On the PDC emulator, use Filter Current Log and enter 4740 in the Event IDs box so that only lockout events are displayed.
  • Analyze the Events:

    • Look at the timestamps, the Account Name under Account That Was Locked Out, and the Caller Computer Name under Additional Information to identify patterns (the same machine locking the same account at regular intervals points at a stored or cached credential on that machine).
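The following is an added example, not part of the original tutorial. Event Viewer's filter dialog has an XML tab (tick "Edit query manually") that accepts an XPath-style query, which lets you narrow the Security log to lockouts of one account rather than scrolling through every 4740. The account name 'jsmith' is an assumed sample value.

```xml
<!-- Added example: paste into Filter Current Log > XML > Edit query manually.
     TargetUserName is the 4740 field that holds the locked-out account;
     replace 'jsmith' (an assumed sample value) with the account you are chasing. -->
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4740)]]
      and
      *[EventData[Data[@Name='TargetUserName']='jsmith']]
    </Select>
  </Query>
</QueryList>
```

The same query can be saved as a Custom View so it is one click away the next time the account locks, and it works unchanged with Get-WinEvent -FilterXml from PowerShell.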

Step 6: Using the Unlock GUI Tool

For those who prefer a GUI approach, the User Unlock Tool simplifies the process of identifying locked accounts:

  • Download the User Unlock Tool:

    • Access the tool here.
  • Using the Tool:

    • Launch the application and navigate to the section for locked accounts.
    • The tool will display all locked user accounts along with the sources of the account lockouts.

Conclusion

By following these steps, you can effectively locate the source of account lockouts in Active Directory. Enabling auditing, using PowerShell for event searches, and utilizing a GUI tool are all effective strategies for troubleshooting this issue. For further assistance, consider reading the written version of this tutorial, which includes screenshots for clarity.