
Troubleshooting Account Locked Out; EventID 4740,4625,4771

  • ypaqis
  • Aug 16, 2023
  • 6 min read


When an Active Directory user account is locked out, a lockout event is written to the Windows Security event log. Event ID 4740 is logged on the domain controllers, and event ID 4625 is logged on the computer that processed the failed logon attempt.








The lockout event ID provides important details about the lockout, such as the account name, time of the event, and the source computer (caller computer name). These events are helpful for troubleshooting and auditing lockout events.


With account lockout auditing turned on, event 4740 is written to the Security log whenever an account is locked out. If Kerberos authentication auditing is enabled as well, the domain controller also logs the failed authentication attempts (event 4771) that preceded the lockout. Sometimes event 4740 does not record a useful source computer, and the 4771 events, which include the client address, provide the missing detail.


A domain controller logs event 4740 when it locks out an AD account. Because the PDC emulator processes every lockout, the event is always written there as well; it is not replicated between domain controllers, so either search all domain controllers or query the DC that holds the PDC emulator FSMO role.
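The query described above, written out as an added example (not code from the original article or from AD Pro Toolkit). It assumes the ActiveDirectory RSAT module, permission to read the Security log on the domain controllers remotely (membership in Event Log Readers plus the Remote Event Log Management firewall rule), and that failure auditing for User Account Management and Kerberos Authentication Service is enabled; without it neither event exists. The function names and the placeholder usage are mine.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module and
# remote read access to the Security log on every domain controller.
Import-Module ActiveDirectory

function ConvertFrom-EventData {
    # Flatten the <EventData> section of a Security event into a hashtable keyed by field name.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-LockoutEvent {
    # One object per 4740 event. The PDC emulator processes every lockout, so it is queried
    # by default; 4740 is not replicated, so -AllDomainControllers walks each DC instead.
    param(
        [int]$Hours = 24,
        [switch]$AllDomainControllers
    )
    $dcs = @((Get-ADDomain).PDCEmulator)
    if ($AllDomainControllers) { $dcs = (Get-ADDomainController -Filter *).HostName }

    foreach ($dc in $dcs) {
        $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $f = ConvertFrom-EventData -Event $_
                [pscustomobject]@{
                    TimeCreated      = $_.TimeCreated
                    DomainController = $dc
                    LockedAccount    = $f['TargetUserName']
                    # 4740 carries the "Caller Computer Name" in the TargetDomainName field.
                    CallerComputer   = $f['TargetDomainName']
                }
            }
    }
}

function Get-KerberosFailure {
    # 4771 (Kerberos pre-authentication failed) for one account. The event is written by the
    # DC the client actually contacted, so every DC is checked by default. The IpAddress field
    # is the "Client Address". Failure codes: 0x18 = bad password, 0x12 = client credentials
    # revoked (locked out, disabled or expired), 0x17 = password expired.
    param(
        [Parameter(Mandatory)][string]$Account,
        [string[]]$ComputerName = (Get-ADDomainController -Filter *).HostName,
        [int]$Hours = 24
    )
    $codes = @{ '0x18' = 'Bad password'; '0x12' = 'Credentials revoked (locked/disabled/expired)'; '0x17' = 'Password expired' }
    $filter = @{ LogName = 'Security'; Id = 4771; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $ComputerName) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $f = ConvertFrom-EventData -Event $_
                if ($f['TargetUserName'] -ne $Account) { return }   # 'return' skips this event
                $code = "$($f['Status'])"
                [pscustomobject]@{
                    TimeCreated      = $_.TimeCreated
                    DomainController = $dc
                    Account          = $f['TargetUserName']
                    ClientAddress    = "$($f['IpAddress'])" -replace '^::ffff:', ''   # strip IPv4-mapped prefix
                    FailureCode      = $code
                    Reason           = $(if ($codes[$code]) { $codes[$code] } else { 'Other' })
                }
            }
    }
}

# Usage: list the last 24 hours of lockouts on the PDC emulator, then pull the Kerberos
# failures behind the most recent one to learn the client address.
$lockouts = @(Get-LockoutEvent -Hours 24 | Sort-Object TimeCreated -Descending)
$lockouts | Format-Table -AutoSize
if ($lockouts.Count -gt 0) {
    Get-KerberosFailure -Account $lockouts[0].LockedAccount -Hours 2 |
        Sort-Object TimeCreated | Format-Table -AutoSize
}
```

When the CallerComputer column of a 4740 shows a domain controller name rather than a workstation, the lockout came in through another DC or through a service that authenticates via the DC itself; the ClientAddress from the matching 4771 events is then the better lead.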


The screenshot from the original post (not reproduced here) shows the AD Pro Toolkit finding two locked user accounts; it also displays the lockout time and the password last set date. The tool makes it easy for helpdesk staff to check for locked user accounts, unlock them and reset passwords.


Event ID 4625 is logged on the computer that processed the failed logon attempt, whether the failure was a wrong password or a locked-out account. For an interactive logon that is the workstation itself; for a network logon (a mapped drive, RDP, a web application) it is the server that received the credentials. The event is logged for both local and domain user accounts, and it is useful for troubleshooting repeat lockouts because it carries more detail than the 4740 event: the Workstation Name and Source Network Address fields identify where the attempt came from, and the Process Name field identifies the program that submitted the credentials. Because 4625 is not replicated or forwarded, you have to look on the computer where the attempt was processed.


Knowing how to audit Active Directory lockout events is critical for troubleshooting repeat lockouts. It is also a security best practice to review and monitor failed logon attempts for malicious activity on your network. In this guide, I showed you the lockout event IDs for domain and local user accounts. In addition, I showed you how to filter the logs with PowerShell and by using the AD Pro Toolkit GUI tool.


We recommend monitoring all 4625 events for local accounts, because these accounts typically should not be locked out. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.


We recommend monitoring all 4625 events for service accounts, because these accounts should not be locked out or prevented from functioning. Monitoring is especially relevant for critical servers, administrative workstations, and other high-value assets.


I am able to find Audit Failure events (ID 4771) for incorrect username/password, but not when the account is locked out after too many incorrect attempts. So far I've discovered from reading online that the "Audit Account Lockout" group policy (Found at Computer Config > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff) must be set to Failure so that it logs the failures, but it still isn't being logged.


A user account was locked out.

Subject:
    Security ID:          SYSTEM
    Account Name:         DC4$
    Account Domain:       DOMAIN
    Logon ID:             0x3E7

Account That Was Locked Out:
    Security ID:          DOMAIN\user_here
    Account Name:         user_here

Additional Information:
    Caller Computer Name: DC4


Hi, since the event log shows that DC4 is the source DC, I would suggest you enable the following audit policy to get more details: Then, find the 4625 event on the client computer source and check the process of the locked account. Also, would you please tell us what IP address is displayed in the event 4771:




You can check whether the account is locked out using the ADUC graphical console or with the Get-ADUser cmdlet from the Active Directory module for PowerShell.


You can manually unlock an account using the ADUC console without waiting until it is unlocked automatically. Find the user account in AD (use the search option in the AD snap-in), right-click it, and select Properties. Go to the Account tab and check the box "Unlock account. This account is currently locked out on this Active Directory Domain Controller", then click OK.


If the user enters an incorrect password, the domain controller closest to the user (the LogonServer) forwards the authentication request to the DC holding the PDC emulator FSMO role, which is the DC responsible for processing account lockouts. If authentication fails on the PDC emulator as well, it reports the failure back to the first DC. Once the number of failed authentication attempts exceeds the value set in the domain's Account lockout threshold policy, the user account is temporarily locked out.


Open the most recent event with EventID 4625 for your user (Account Name). In the example the attempt used NTLM authentication (Authentication Package: NTLM, Logon Process: NtLmSsp) and failed because the account was locked out (Failure Reason: Account locked out, Status: 0xC0000234). The event description contains both the originating computer name (Workstation Name) and its IP address (Source Network Address), as well as the local program that submitted the credentials (Process Name).
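Pulling the same fields out of the 4625 events with PowerShell, as an added example (not code from the original article). It runs on the computer that processed the failed logons, assumes that Audit Logon failure auditing is enabled there, and uses a placeholder account name; the status-code table is the set of NTSTATUS values Windows writes into the Status and SubStatus fields of 4625.

```powershell
# Added example, not from the original article. Run on the computer that processed the
# failed logon (workstation for interactive logons, server for network logons).
$StatusText = @{
    '0xC0000234' = 'Account locked out'
    '0xC000006A' = 'Bad password'
    '0xC0000064' = 'User name does not exist'
    '0xC0000072' = 'Account disabled'
    '0xC000006F' = 'Outside permitted logon hours'
    '0xC0000070' = 'Workstation restriction'
    '0xC0000071' = 'Password expired'
    '0xC0000193' = 'Account expired'
    '0xC0000224' = 'Password must be changed at next logon'
    '0xC000006D' = 'Bad user name or password (see SubStatus)'
}

function Get-FailedLogon {
    # One object per 4625 event, decoded into the fields that matter for lockout hunting.
    param(
        [string]$Account,                              # optional: only this account
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [switch]$LockedOutOnly                         # keep only Status 0xC0000234
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
            if ($Account -and $f['TargetUserName'] -ne $Account) { return }   # skip other accounts

            # Normalise hex to the 0xC0000234 form used in the table above.
            $status    = '0x' + ("$($f['Status'])"    -replace '^0x', '').ToUpper()
            $subStatus = '0x' + ("$($f['SubStatus'])" -replace '^0x', '').ToUpper()
            if ($LockedOutOnly -and $status -ne '0xC0000234') { return }

            # For the generic 0xC000006D status the real reason is in SubStatus.
            $code = if ($subStatus -ne '0x0') { $subStatus } else { $status }

            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Account       = "$($f['TargetDomainName'])\$($f['TargetUserName'])"
                LogonType     = $f['LogonType']          # 2 interactive, 3 network, 10 RDP, 4/5 batch/service
                AuthPackage   = $f['AuthenticationPackageName']
                LogonProcess  = $f['LogonProcessName']
                Status        = $status
                SubStatus     = $subStatus
                Reason        = $(if ($StatusText[$code]) { $StatusText[$code] } else { "Unknown ($code)" })
                Workstation   = $f['WorkstationName']    # where the attempt originated
                SourceAddress = $f['IpAddress']
                Process       = $f['ProcessName']        # local program that submitted the credentials
            }
        }
}

# Usage with a placeholder account: first the locked-out attempts, then every failure for
# the account grouped by the submitting process, which is usually the culprit.
Get-FailedLogon -Account user_here -LockedOutOnly -Hours 48 |
    Sort-Object TimeCreated | Format-Table TimeCreated, LogonType, AuthPackage, Workstation, SourceAddress, Process -AutoSize

Get-FailedLogon -Account user_here -Hours 48 |
    Group-Object Process, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A run of failures with an empty Workstation and a Process of a service host or a scheduled-task engine points at a stored credential on that machine rather than a person typing the wrong password.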


The list shown by LockoutStatus.exe (from the Account Lockout and Management Tools) contains each domain controller and the account status on it (Locked or Not Locked). It also displays the lockout time and, in the Orig Lock column, the computer from which the account was locked out.


So, we have found from which computer or device the account was locked out. Now it would be good to know which program or process on that computer is making the failed logon attempts and is therefore the source of the lockout events.


I can confirm that not only event ID 4625 can indicate a failed login, but 4673 for example. I searched for the locked-out login name instead in Event Viewer; this is how I found the app to blame (it was Fiddler). Anyway, the article set me in the right direction, so thanks!




Every time a user enters the wrong password when logging on through a resource that authenticates against Active Directory, the badPwdCount attribute of the account is incremented on the domain controller that handled the attempt. That domain controller then retries the authentication against the PDC emulator, because password changes are urgently replicated to the PDC emulator and it holds the most recent password. If the attempt fails on the PDC emulator as well, it increments its own copy of badPwdCount for that user. Since badPwdCount is not replicated, this forwarding is what lets the count keep rising even when different domain controllers are used for successive attempts. Once the PDC emulator's badPwdCount reaches the Account lockout threshold, the account is locked out.
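A PowerShell version of that per-DC view, written as an added example (not code from the original article). It serves both the Get-ADUser status check mentioned earlier and the badPwdCount explanation above: it asks every domain controller for the account's non-replicated counters, marks the PDC emulator whose copy actually triggers the lockout, compares the count with the domain's lockout threshold, and unlocks the account only if it really is locked. It assumes the ActiveDirectory module, read access to every DC, and a placeholder account named jdoe.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory module and
# a placeholder account "jdoe".
Import-Module ActiveDirectory

function Get-AccountLockoutState {
    # badPwdCount and badPasswordTime are not replicated, so each DC is queried directly
    # with -Server; the PDC emulator's values are the ones that decide the lockout.
    param([Parameter(Mandatory)][string]$Identity)

    $policy = Get-ADDefaultDomainPasswordPolicy
    $pdc    = (Get-ADDomain).PDCEmulator

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc -ErrorAction Stop `
                     -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut
            [pscustomobject]@{
                DomainController = $dc
                IsPDC            = ($dc -eq $pdc)
                BadPwdCount      = $u.badPwdCount
                LockoutThreshold = $policy.LockoutThreshold          # 0 means lockout disabled
                LastBadPassword  = $(if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) })
                LockedOut        = $u.LockedOut
                LockoutTime      = $(if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) })
                Error            = $null
            }
        } catch {
            # An unreachable DC is still reported so the gap is visible in the table.
            [pscustomobject]@{
                DomainController = $dc; IsPDC = ($dc -eq $pdc); BadPwdCount = $null
                LockoutThreshold = $policy.LockoutThreshold; LastBadPassword = $null
                LockedOut = $null; LockoutTime = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Usage: show the per-DC picture, then unlock only if some DC reports the account locked.
$state = @(Get-AccountLockoutState -Identity jdoe)
$state | Sort-Object IsPDC -Descending | Format-Table -AutoSize

if ($state | Where-Object { $_.LockedOut -eq $true }) {
    Unlock-ADAccount -Identity jdoe -Confirm:$false
    Write-Host 'Account unlocked; the badPwdCount on the PDC emulator resets on the next good logon.'
}
```

The LastBadPassword timestamps across the DCs give the same lead as the Orig Lock column in LockoutStatus.exe: the DC with the freshest bad-password time is the one the misbehaving client is talking to, and its 4771 or 4625 events name the client.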


The Account Lockout tool only shows where the account got locked out, but it does not give more details than that. I used the EventCombMT tool also, and it's still the same. This is the log from the EventCombMT tool.


If you have port forwarding enabled for RDP, turn it off! Also, it could be a service, or a mapped drive with invalid credentials on a computer somewhere on the network. Check that you don't have any locked remote desktop sessions using the admin account and the old password; try PsLoggedOn.


Please follow the articles below to try troubleshooting:
Troubleshooting account lockout the PSS way: -us/archive/blogs/instan/troubleshooting-account-lockout-the-pss-way
Troubleshoot account lockout issue in the AD using LockoutStatus, EventCombMT and Netlogon: -advice.org/active-directory/how-to-troubleshoot-account-lockout-in-active-directory/


1. What account is locked out? Built-in Administrator account or other domain user account in Domain Admins group?
   I am a domain admin and my Domain Admin account is locked out.
3. According to "I turned on Netlogon and see that it is happening on a file server as shown below.", what do you mean by this sentence?
   I turned on Netlogon on the domain controllers. From the log shown below it looks like it was happening from a file server (via HFLS01), and on another occasion it was happening on a Citrix PVS server, shown below:


I have an IceWarp Mail Server, and sometimes accounts were locked because of bad passwords on mobile phones, because we change our passwords every 120 days through our domain policy. But this time the problem was not with the mail server, and several accounts were locked every 15 minutes.


I also found funny situations when you allow specific users, like developers, to log in to their test servers. And then they stay logged in forever. In the meantime, they are forced to change their password. As you already guessed, their accounts will be locked whenever that server tries to verify the logged-in account.

