What is locking out my Active Directory user?

Every now and again, we find that a user gets constantly locked out of the network, seemingly because they’ve managed to get their password wrong so many times in a short period that the auto-lockout policy is triggered. We unlock the account, but invariably a few minutes later they’re locked again.

In the past, this has almost always been down to some mobile device with stored credentials that are old and now incorrect. The device repeatedly tries to authenticate in order to reach email or our wireless system, so the first port of call when troubleshooting is usually the question “Have you got a phone or a tablet you use?”, and normally that’s the end of it. Well, once they turn it off or update the stored passwords or whatever, anyway.

This week we had something else. The user in question has never used a mobile device to access anything we have at work, and yet their account was still being locked out every five minutes. Eventually, an old desktop PC in an office, hidden under some paperwork and untouched for a fortnight, turned out to be the culprit. Outlook was merrily trying to communicate with our Exchange server using the credentials the user had entered the last time they used that machine, and Active Directory quite rightly decided enough was enough and locked them out.

Troubleshooting the Active Directory lockouts

How to go about finding what machine is doing this, though? Well, first port of call was the Microsoft Account Lockout Status tool. This will show you when the lockout occurred and which domain controller(s) logged the event and activated the lockout.

[Screenshot: Account Lockout Status tool showing the lockout time and the domain controller(s) that recorded it]

Usually the PDC emulator will record this event, but you may see other DCs also record bad password attempts.

Now you know which domain controller to check, you can open Event Viewer on that DC and look at the Security log. Naturally, you’ll want to filter this, as it’s likely you’ll have millions of entries to sift through. The key filters are the timeframe (if it happened today, limit it to the last 12 or 24 hours) and the Event ID, which for “A user account was locked out” is 4740:

[Screenshot: Security log filter set to the last 24 hours and Event ID 4740]

Once filtered, you’ll have (hopefully) just a handful of events to look through. One or more of these will point you at the naughty machine that is the source of the invalid logon attempts.

[Screenshot: filtered list of 4740 events]

Open up these events, and somewhere you’ll get information like this, revealing the (removed in this case) computer name:

[Screenshot: 4740 event details showing the Caller Computer Name, removed in this case]

Hopefully knowing the name of the computer will enable you to resolve why the lockout is happening. Check it for processes that are trying to authenticate, maybe remove all the stored credentials in Windows Credential Manager, or perhaps just a reboot will resolve it. Actually physically finding the computer? Well, you’ve an inventory, right? Otherwise it puts me in mind of this quote from bash.org:

<erno> hm. I’ve lost a machine.. literally _lost_. it responds to ping, it works completely, I just can’t figure out where in my apartment it is.
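The same hunt, done from a PowerShell prompt instead of clicking through Event Viewer, as an added example that is not part of the original post: it asks the domain for the PDC emulator, pulls the last day's 4740 events from that DC's Security log, and lists the Caller Computer Name for one account. It assumes the RSAT ActiveDirectory module is installed and that you can read the Security log on the DC remotely; `Find-LockoutSource` is a name chosen here, not a built-in cmdlet.

```powershell
# Added example (not from the original post): locate the machine behind
# repeated Event ID 4740 lockouts for one user, starting at the PDC emulator.
Import-Module ActiveDirectory

function Find-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )

    # The PDC emulator is where 4740 is normally recorded, so query it first.
    $pdc = (Get-ADDomain).PDCEmulator

    # Filter on the DC side: Security log, Event ID 4740, recent window only.
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # Pull the named EventData fields out of the event XML. In a 4740 event,
        # TargetUserName is the locked account and TargetDomainName holds the
        # "Caller Computer Name" shown in the Event Viewer GUI.
        $xml  = [xml]$event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -eq $SamAccountName) {
            [pscustomobject]@{
                Time           = $event.TimeCreated
                LockedAccount  = $data['TargetUserName']
                CallerComputer = $data['TargetDomainName']
                RecordedOn     = $pdc
            }
        }
    }
}

# Usage: list every lockout of the account in the last 24 hours, newest first,
# then count how often each machine was the caller.
$hits = Find-LockoutSource -SamAccountName 'jbloggs' | Sort-Object Time -Descending
$hits | Format-Table -AutoSize
$hits | Group-Object CallerComputer | Select-Object Name, Count
```

If the PDC emulator shows nothing, run the same query against the other DCs the Account Lockout Status tool listed, since those may hold the bad-password events that preceded the lockout.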
