Troubleshoot AD Account Lockouts
In this guide, you will learn how to use the AD Lockout Troubleshooter to find the source of account lockouts.
Requirements
- You will need permission to read the event logs from all domain controllers
- Audit Log policy needs to be configured. See Audit Log Settings for step-by-step instructions.
- The tool queries the event logs over RPC, which uses the dynamic port range (TCP 49152-65535). This range only needs to be open from the computer running the tool to the domain controllers.
Step 1. Click on Lockout Troubleshooter
This tool is located in the tools section on the “User Management” page.
Step 2. Select a date range
Select the date range and click Run. If you have a lot of users and multiple domain controllers, you may want to limit the date range, as a wide range can pull in a very large number of events.
The tool will collect the events (4771 and 4740) from all your domain controllers and display them in the results column.
Step 3. Review the Logs
For example, I can see Alonso Hall had an account lockout event (4740) and the source computer was PC1.
There will be times when an account is locked out but the source in event 4740 is blank. This can happen for a number of reasons, such as the authentication failure coming from a non-domain-joined computer. When this occurs, you can use event 4771 to help troubleshoot the lockout.
In the above screenshot, there are multiple authentication failures coming from IPs 192.168.100.11 and 192.168.100.20 for Alonso Hall's account.
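The following PowerShell script is an added example, not code from the Lockout Troubleshooter itself. It does by hand what Steps 2 and 3 describe: it collects events 4740 and 4771 from every domain controller for a date range, reads the caller computer name out of 4740, and falls back to the client IP address in 4771 for the cases where the 4740 source is blank. It assumes the ActiveDirectory module is installed, that the account running it can read the Security log on each DC, and that the RPC ports from the Requirements section are open; the parameter names ($User, $Start, $End) and the helper Get-EventData are this example's own.

```powershell
# Added example (not the troubleshooter's own code): collect lockout events
# 4740 and 4771 from every domain controller for a date range and show the
# source of each failure, the same data the tool displays in its results.
# Assumes: ActiveDirectory module, read access to each DC's Security log,
# and the RPC dynamic port range open from this host to the DCs.
param(
    [string]$User,                                  # optional sAMAccountName filter
    [datetime]$Start = (Get-Date).AddHours(-24),    # keep the window small on busy domains
    [datetime]$End   = (Get-Date)
)

Import-Module ActiveDirectory

# Read the named EventData fields from the event XML so the script does not
# depend on the positional order of $Event.Properties.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$filter  = @{ LogName = 'Security'; Id = 4740, 4771; StartTime = $Start; EndTime = $End }
$results = foreach ($dc in (Get-ADDomainController -Filter *)) {
    try {
        # -ErrorAction Stop so a DC with no matching events, or one that is
        # unreachable, is reported as a warning rather than silently skipped
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $d = Get-EventData $e
        if ($User -and $d['TargetUserName'] -ne $User) { continue }
        if ($e.Id -eq 4740) {
            # 4740: the lockout itself. TargetDomainName carries the caller computer
            # name; it is blank when the failure came from a non-domain-joined machine.
            [pscustomobject]@{
                Time   = $e.TimeCreated; DC = $dc.Name; Event = 4740
                User   = $d['TargetUserName']
                Source = $d['TargetDomainName']
                Detail = 'account locked out'
            }
        } else {
            # 4771: Kerberos pre-authentication failure. IpAddress is the client,
            # usually written as an IPv4-mapped IPv6 address (::ffff:a.b.c.d).
            [pscustomobject]@{
                Time   = $e.TimeCreated; DC = $dc.Name; Event = 4771
                User   = $d['TargetUserName']
                Source = ($d['IpAddress'] -replace '^::ffff:', '')
                Detail = "pre-auth failure, status $($d['Status'])"   # 0x18 = bad password
            }
        }
    }
}

# Timeline of lockouts and failures, oldest first
$results | Sort-Object Time | Format-Table Time, DC, Event, User, Source, Detail -AutoSize

# Failure count per user and source, so the machine generating the failures stands out
$results | Group-Object User, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it as `.\Find-LockoutSource.ps1 -User alonso.hall -Start (Get-Date).AddDays(-1)` (the script name and account name are placeholders). Remote Get-WinEvent reaches the DCs over the same RPC path the tool uses, so it also needs the endpoint mapper (TCP 135) plus the dynamic range; if a DC is listed only in warnings, check that path first. Because 4771 is recorded on whichever DC handled the Kerberos request, querying every DC rather than just the PDC emulator is what makes the IP-based fallback reliable.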