How to resolve AD account lockout issue

As a system administrator you will regularly be contacted by users who need their AD account unlocked. Usually unlocking the account from Active Directory Users and Computers resolves the issue. But sometimes a user complains that the account keeps getting locked out even after it has been unlocked; in the worst cases it is locked out again several times within a few minutes. I have come across several situations like this.

Below is the procedure I use to track down the source of such frequent AD lockouts. If you have enough privilege you can check all of the details mentioned below from LockoutStatus.exe itself; if you don't, you will need to log on to the domain controller to continue troubleshooting.

1. Download and install Account Lockout Status (LockoutStatus.exe, part of Microsoft's Account Lockout and Management Tools) from here
After installation the default location of LockoutStatus is C:\Program Files (x86)\Windows Resource Kits\Tools
Double-click LockoutStatus.exe
On the File menu, click Select target.


Type the AD username of the user who is getting locked out, enter your domain name, then click OK.




You will then see one row per domain controller in the domain, with the user's state on that DC, the bad password count, the last bad password time and other details. The tool queries every DC because the bad password count (badPwdCount) is not replicated; each DC keeps its own copy. The Orig Lock column shows the domain controller on which the lockout originated, which is the one to investigate next.




2. Log on to that domain controller and open Event Viewer (Start > type "Event Viewer")
3. In Event Viewer go to Windows Logs > Security

4. Right-click "Security" and select "Filter Current Log"

5. In place of <All Event IDs> type 4740 and click OK [Event ID 4740 - A user account was locked out]. Note that every lockout is also forwarded to and logged on the PDC emulator, so if the Orig Lock DC shows nothing, check the Security log on the PDC emulator.

6. You will see the list of lockouts recorded on that DC. Find the most recent event for the user; the "Caller Computer Name" field identifies the server or desktop from which the bad passwords are coming, i.e. the machine that keeps locking the account. Double-click the recent event and a pop-up window will show a message like the one below


In the above case the lockout of user shabeer was originating from FILESERVER

7. Log on to the server/desktop where the lockout is originating (here it is FILESERVER), open Task Manager > Users tab and check whether there is a disconnected session for the user who is getting locked out. If there is, log that user off the machine. (Users sometimes simply disconnect an RDP session to the server instead of logging off properly; the orphaned session keeps presenting the old password and locks the account.)



8. In most cases this resolves the issue. If there is no session for the user, check the server for any application, service or scheduled task that is running with the user's AD credentials (typically still holding the old password). If you find one, log the user out of it or update the stored credential.
9. You can also remove the previously cached password, which some applications keep using and thereby cause the lockout, with the steps below (run these in the affected user's own session):

1. Click Start, click Run, type "control userpasswords2" (without the quotation marks), and then click OK.
2. Click the Advanced tab.
3. Click the "Manage Passwords" button (this opens Credential Manager).
4. Check whether the domain account's password is cached there. If so, remove it.
5. Check whether the problem is now resolved.
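The whole procedure above, scripted in PowerShell, as an added example that is not part of the original post: it queries every domain controller the way LockoutStatus.exe does, pulls the 4740 events for the user from the PDC emulator, reads the Caller Computer Name field, and lists the user's sessions on each caller computer. It assumes the RSAT ActiveDirectory module is installed, that you have rights to read the Security log on the domain controllers and to run quser against the caller computer, and that the script name (Find-LockoutSource.ps1) and the user name shabeer are placeholders.

```powershell
<#
 Added example (not from the original post). Scripted version of the
 LockoutStatus.exe + Event Viewer + Task Manager workflow described above.
 Assumes: RSAT ActiveDirectory module, read access to the Security log on the
 domain controllers, and rights to run quser against the caller computer.
 Usage:  .\Find-LockoutSource.ps1 -SamAccountName shabeer
#>
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # placeholder user, as in the post
    [int] $Hours = 24                                  # how far back to search for 4740 events
)

Import-Module ActiveDirectory

# Step 1 (what LockoutStatus.exe shows): badPwdCount and lastBadPasswordAttempt are
# not replicated, so each DC has to be asked for its own copy.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, LastBadPasswordAttempt, LockedOut, AccountLockoutTime
        [pscustomobject]@{
            DC              = $dc.HostName
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = $u.LastBadPasswordAttempt
            LockedOut       = $u.LockedOut
            LockoutTime     = $u.AccountLockoutTime
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}
"Per-DC state for $SamAccountName (the DC with the newest bad password is the Orig Lock DC):"
$perDc | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize

# Steps 2-6: every lockout is also recorded on the PDC emulator as event 4740,
# so query it instead of guessing which DC originated the lockout.
$pdc = (Get-ADDomain).PDCEmulator
$events = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
}

$callers = foreach ($e in $events) {
    # Read EventData by field name rather than by index. In 4740, TargetUserName is the
    # locked-out account and TargetDomainName holds the "Caller Computer Name".
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -eq $SamAccountName) {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Caller = $data['TargetDomainName']
            DC     = $e.MachineName
        }
    }
}

if (-not $callers) {
    "No 4740 events for $SamAccountName on $pdc in the last $Hours hours."
    return
}
"Lockout events (newest first):"
$callers | Sort-Object Time -Descending | Format-Table -AutoSize

# Step 7: look for a disconnected RDP session on each caller computer (Task Manager > Users).
# quser columns: USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
foreach ($computer in ($callers.Caller | Sort-Object -Unique)) {
    "Sessions for $SamAccountName on ${computer}:"
    $sessions = quser /server:$computer 2>$null | Select-String -Pattern "^\s*>?$SamAccountName\s"
    if ($sessions) {
        $sessions
        # To clear a stale session:  logoff <ID> /server:$computer
    } else {
        "  none - check services, scheduled tasks or applications on $computer that use the account."
    }
}

# Step 9 (run in the affected user's own interactive session, not remotely):
#   cmdkey /list                  # show cached credentials (same store as Credential Manager)
#   cmdkey /delete:<TargetName>   # remove a stale cached password
```

The per-DC query is the slow part in a large domain; if you only want the caller computer, start from the PDC emulator section, since 4740 always lands there regardless of which DC originated the lockout. The cmdkey step is left as a comment because Credential Manager is per user profile: running it from an admin's remote session would show the admin's vault, not the locked-out user's.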

