Tracking Down Cause of Locked Active Directory Account

Active Directory Microsoft Windows

With the prevalence of mobile devices this is becoming more of a problem: you have a user who comes in every day and swears blind that nothing of theirs has the wrong password, yet something keeps locking the account out.

Here is how to fix it:

  1. First, make sure your domain controllers are actually logging the right events. Check that your "Default Domain Controllers Policy" has the settings below, or create a new GPO linked at the Domain Controllers OU and set them there:

    Default Domain Controllers Policy -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

    Audit Account Logon Events = Failure

    Audit Account Management = Success, Failure

    Audit Directory Service Access = Failure

    Audit Logon Events = Failure

    Audit Object Access = No Auditing

    All other settings should not be set to "undefined".
  2. If you have made changes, wait for the policy to apply; it shouldn't take long.
  3. All being well, you'll now see new "Audit Failure" events in the "Security" log on the domain controller. These are people getting their password wrong.
  4. Now download the Account Lockout tool:
  5. Run it on the server, selecting the target user (the person being locked out) and the domain. It will tell you which domain controllers are seeing the lockout.
  6. Connect to that domain controller to investigate its event log, specifically the "Security" log.
  7. To filter the log you can do one of two things. One: click "Filter Current Log..." and enter the event ID 4771 (Windows 2008).

    Alternatively, click the "XML" tab and enter a query that selects only events for the target account (replace USERNAME with the account's logon name; the query must be wrapped in QueryList/Query elements for Event Viewer to accept it):

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[EventData[Data[@Name='TargetUserName']="USERNAME"]]</Select>
      </Query>
    </QueryList>

This will show you where the lockouts are coming from, including the IP address of the device; from there you can track it down through DHCP to get a MAC address.
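The same hunt can be scripted rather than clicked through. The PowerShell below is an added example, not code from the original post: it checks the DC's effective audit policy (step 1), runs the same XML filter as step 7 narrowed to event 4771 and a time window, summarises the failures by source IP, and then resolves each IP to a MAC address through the DHCP lease table. The DC name, DHCP server name and account name are placeholders; the DHCP lookup assumes the DhcpServer RSAT module is installed.

```powershell
# Added example (not from the original post). Placeholders: DC01, DHCP01, jsmith.
param(
    [string]$User             = 'jsmith',
    [string]$DomainController = 'DC01',
    [string]$DhcpServer       = 'DHCP01',
    [int]$Hours               = 24
)

# 1. Confirm the DC is auditing the categories the post's GPO step turns on.
#    auditpol reports the effective policy, so run it on the DC itself.
Invoke-Command -ComputerName $DomainController -ScriptBlock {
    auditpol /get /category:"Account Logon","Account Management","DS Access","Logon/Logoff"
}

# 2. Event Viewer style XML filter: Kerberos pre-auth failures (4771) for one
#    account within the last $Hours hours. timediff() is in milliseconds.
$windowMs = $Hours * 3600 * 1000
$filter = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4771) and TimeCreated[timediff(@SystemTime) &lt;= $windowMs]]]
      and
      *[EventData[Data[@Name='TargetUserName']='$User']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -ComputerName $DomainController -FilterXml $filter -ErrorAction SilentlyContinue

# 3. Extract the fields that matter from each event: the client IP and the
#    Kerberos status code (0x18 = KDC_ERR_PREAUTH_FAILED, i.e. wrong password).
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Status = $d['Status']
        # 4771 records IPv4 clients as "::ffff:10.0.0.5"; strip the mapped prefix.
        IP     = ($d['IpAddress'] -replace '^::ffff:', '')
    }
}

# 4. Which devices are producing the bad-password attempts, and how recently?
$summary = $rows | Group-Object IP | Sort-Object Count -Descending |
    Select-Object @{n='IP'; e={$_.Name}}, Count,
                  @{n='LastSeen'; e={($_.Group | Sort-Object Time -Descending)[0].Time}}
$summary | Format-Table -AutoSize

# 5. Map each offending IP to a MAC address via the DHCP lease table.
#    ClientId on a lease object is the client's MAC.
foreach ($ip in $summary.IP) {
    $lease = Get-DhcpServerv4Lease -ComputerName $DhcpServer -IPAddress $ip -ErrorAction SilentlyContinue
    if ($lease) {
        '{0,-15} MAC={1,-17} Host={2}' -f $ip, $lease.ClientId, $lease.HostName
    } else {
        '{0,-15} no DHCP lease found (static address or a scope on another server?)' -f $ip
    }
}
```

Run it from a management host with RSAT, or directly on the domain controller the Account Lockout tool pointed you at. An IP with many 4771 hits and a lease whose host name is a phone or laptop is the usual culprit: a cached credential on that device is still presenting the old password.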