Troubleshoot AD Account Lockouts

In this guide, you will learn how to use the AD Lockout Troubleshooter to find the source of account lockouts.

Requirements

  1. You will need permission to read the Security event log on all domain controllers.
  2. The audit policy needs to be configured so that the lockout events are generated. See Audit Log Settings for step-by-step instructions.
  3. The tool queries the event logs over RPC using the dynamic port range (TCP 49152-65535). These ports only need to be open from the computer running the tool to the domain controllers.

Step 1. Click on Lockout Troubleshooter

This tool is located in the tools section on the “User Management” page.

Step 2. Select a date range

Select the date range and click Run. If you have many users and multiple domain controllers, consider limiting the date range, since a wide range can pull in a very large number of events.

The tool will collect the events (4771 and 4740) from all your domain controllers and display them in the results column.

[Screenshot: Lockout Troubleshooter results]

Step 3. Review the Logs

For example, I can see Alonso Hall had an account lockout event (4740) and the source computer was PC1.

[Screenshot: event 4740]

There will be times when an account is locked out but the source field in event 4740 is blank. This can happen for a number of reasons, such as the authentication failures coming from a non-domain-joined computer. When this occurs, you can use event 4771 to help troubleshoot the lockout.

[Screenshot: event 4771]

In the above screenshot, there are multiple authentication failures coming from IPs 192.168.100.11 and .20 for Alonso Hall’s account.
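The same collection and review can be done from PowerShell when the tool is not available, or to confirm what it shows. The script below is an added example and is not part of the Lockout Troubleshooter or its vendor's code. It pulls events 4740 (a user account was locked out) and 4771 (Kerberos pre-authentication failed) from every domain controller for a date range, extracts the source from each event, and groups failures by account and source so the computer or IP behind a lockout stands out, including the case above where 4740 has a blank source and 4771 has to be used instead. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log on each DC (the same permission requirement as the tool), and that the audit policy already generates these events; the `$User` filter value is a placeholder.

```powershell
# Added example: trace AD account lockouts from 4740/4771 events on all DCs.
# Not part of the Lockout Troubleshooter. Assumes RSAT ActiveDirectory module,
# read access to each DC's Security log, and audit policy already enabled.
param(
    [datetime]$Start = (Get-Date).AddHours(-24),
    [datetime]$End   = (Get-Date),
    [string]$User                     # optional sAMAccountName filter (placeholder)
)

Import-Module ActiveDirectory

# Same scope as the tool: every domain controller in the domain
$dcs = (Get-ADDomainController -Filter *).HostName

$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4771
    StartTime = $Start
    EndTime   = $End
}

$results = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            $evt  = $_                       # keep the event; $_ changes inside switch
            $xml  = [xml]$evt.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            switch ($evt.Id) {
                4740 {
                    # 4740: account locked out. TargetUserName is the locked account,
                    # TargetDomainName carries the "Caller Computer Name" (may be blank).
                    [pscustomobject]@{
                        Time    = $evt.TimeCreated
                        DC      = $dc
                        Event   = 4740
                        Account = $data['TargetUserName']
                        Source  = $data['TargetDomainName']
                        Detail  = 'Account locked out'
                    }
                }
                4771 {
                    # 4771: Kerberos pre-auth failed. IpAddress is the client that sent
                    # the credentials (IPv4 appears as ::ffff:a.b.c.d); Status 0x18 = bad password.
                    [pscustomobject]@{
                        Time    = $evt.TimeCreated
                        DC      = $dc
                        Event   = 4771
                        Account = $data['TargetUserName']
                        Source  = ($data['IpAddress'] -replace '^::ffff:', '')
                        Detail  = "Pre-auth failed, status $($data['Status'])"
                    }
                }
            }
        }
    } catch {
        # A DC that is unreachable (e.g. RPC dynamic ports blocked) is reported, not fatal
        Write-Warning "Could not read Security log on $dc : $($_.Exception.Message)"
    }
}

if ($User) { $results = $results | Where-Object Account -eq $User }

# Count failures per account, event and source. When 4740 shows no source, the
# source with the most 4771 failures for that account is the usual culprit.
$results | Group-Object Account, Event, Source |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Account'; e = { $_.Group[0].Account } },
                  @{ n = 'Event';   e = { $_.Group[0].Event } },
                  @{ n = 'Source';  e = { $_.Group[0].Source } } |
    Format-Table -AutoSize
```

Run it as `.\Find-LockoutSource.ps1 -Start (Get-Date).AddDays(-1) -User ahall` (script and account names are placeholders). As with the tool, a large date range across many DCs can return a very large number of 4771 events, so narrow the window or filter on the account when possible.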