Friday, December 18, 2020

How to Find the Source of Account Lockouts in Active Directory domain?

Account Lockout Event ID 4740

First of all, an administrator has to find out from which computer or server occur bad password attempts and goes further account lockouts.

If the domain controller closest to the user determines that the user is trying to log in with invalid credentials, it redirects the authentication request to the DC with the PDC emulator FSMO role (this particular DC is responsible for processing account locks). If authentication fails on the PDC, it responds to the first DC that authentication is not possible. If the number of unsuccessful authentications exceeds the value set for the domain in the Account lockout threshold policy, the user account is temporarily locked. 

In this case, an event with EventID 4740 are recorded to the Security log of both domain controllers. The event contains the DNS name (IP address) of the computer from which the initial request for authorization of the user came. In order not to analyze the logs on all DCs, it is easiest to look for the lockout events in the security log on the PDC domain controller. You can find the PDC in your domain as follows:

(Get-AdDomain).PDCEmulator

The domain account lockout events can be found in the Security log  on the domain controller (Event Viewer -> Windows Logs). Filter the security log by the EventID 4740. You should see a list of the latest account lockout events. From the topmost, scroll through all the events and find an event that indicates that the account of the user you are looking for (the username is listed in the Account Name value and the event description “A user account was locked out”).

Note. In a large AD environment, a large number of events are written to the security log on the on domain controllers, which are gradually overwritten by newer ones. Therefore, it is advisable to increase the maximum log size on DCs and to start the for the lockout source as soon as possible.

Active Directory Account Domain Controller Lockout Event ID 4740

Open this event. The name of the computer (server) from which a lockout has been carried out is specified in the field Caller Computer Name. In this case the computer name is TS01.

 

Ref: http://woshub.com/troubleshooting-identify-source-of-active-directory-account-lockouts/