Finding why a user is locked out in Active Directory

A user's account keeps getting locked out in Active Directory. It's probably caused by an app that's using Windows authentication to connect to SQL Server.

Is there a way to find out which app is causing it and why the app might be causing failed login attempts?


Solution 1:

Have a look at the Account Lockout and Management Tools available on the Microsoft Download Center, specifically LockoutStatus.exe and EventCombMT.exe. You might not be able to pinpoint exactly where the lockout is coming from, but you should be able to narrow it down quite a bit, which makes it easier to see.

Here are a couple more Technet articles that might help:
Maintaining and Monitoring Account Lockout
Account Lockout Tools (description of the tools in the download linked to above)
Using the checked Netlogon.dll to track account lockouts
Enabling debug logging for the Net Logon service

Solution 2:

Basically you need the following information:

  1. From which machine the account is getting locked out
  2. What process or activity on that machine is involved in the lockout

To find the first, once the account is locked out, go to the Primary Domain Controller of your domain and look for Event ID 644 in the Security log, which will give you the caller machine name. Note down the machine name and the time at which the event was generated.

To find the process or activity, go to the machine identified in the above event, open its Security log and search for Event ID 529 with details for the account getting locked out. In that event you can find the logon type, which should tell you how the account is trying to authenticate.

Event 529 Details

Event 644 Details
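The two steps above, scripted. This is an added example and not code from the original answer; it assumes a Windows Server 2008 or later domain, where the events that correspond to 644 and 529 are 4740 (account locked out, written on the PDC emulator) and 4625 (failed logon, written on the machine where the bad credential was used). It also assumes the ActiveDirectory PowerShell module is installed and that you can read the remote Security logs (the "Remote Event Log Management" firewall rule enabled on the targets); the account name is a parameter you supply.

```powershell
# Added example (not from the original answers): automate Solution 2 for a
# Windows Server 2008+ domain. Step 1 reads 4740 events from the PDC emulator
# to get the caller computer; step 2 reads 4625 events on that computer to get
# the logon type and process behind the failed attempts.
param(
    [Parameter(Mandatory = $true)]
    [string]$SamAccountName,      # the account that keeps locking out
    [int]$LookbackHours = 24
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$LookbackHours)

# Step 1: every lockout (4740) is forwarded to the PDC emulator, so query it.
# 4740 EventData positions: [0] TargetUserName, [1] "Caller Computer Name".
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -ieq $SamAccountName }

if (-not $lockouts) {
    Write-Warning "No 4740 events for '$SamAccountName' on $pdc in the last $LookbackHours hours."
    return
}

$callers = $lockouts | ForEach-Object {
    [pscustomobject]@{
        Time           = $_.TimeCreated
        User           = $_.Properties[0].Value
        CallerComputer = $_.Properties[1].Value.TrimStart('\')
    }
}
$callers | Format-Table -AutoSize

# Step 2: on each caller machine, list the failed logons (4625) for the user.
# The logon type says how the credential was presented; a Windows-auth SQL
# connection from another host shows up as type 3 (network) on the SQL box.
$logonType = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch (scheduled task)'
    5 = 'Service'; 7 = 'Unlock'; 8 = 'NetworkCleartext'
    9 = 'NewCredentials (runas /netonly)'; 10 = 'RemoteInteractive (RDP)'
    11 = 'CachedInteractive'
}

# 4625 EventData positions: [5] TargetUserName, [10] LogonType,
# [11] LogonProcessName, [13] WorkstationName, [18] ProcessName, [19] IpAddress.
$callers.CallerComputer | Sort-Object -Unique | ForEach-Object {
    $client = $_
    Get-WinEvent -ComputerName $client -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -ieq $SamAccountName } |
        ForEach-Object {
            $type = [int]$_.Properties[10].Value
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Machine     = $client
                LogonType   = "$type ($($logonType[$type]))"
                LogonProc   = $_.Properties[11].Value
                Process     = $_.Properties[18].Value
                Workstation = $_.Properties[13].Value
                SourceIP    = $_.Properties[19].Value
            }
        }
} | Format-Table -AutoSize
```

Two caveats when reading the output. The caller computer in a 4740 event is the host that passed the bad credential to the DC, which may be an intermediate (a SQL Server, Exchange or proxy host doing NTLM pass-through) rather than the origin; in that case the Workstation and SourceIP columns of its 4625 events point one hop further back and you repeat step 2 there. And if the client authenticates with Kerberos, the failure is recorded on the DC as 4771 (Kerberos pre-authentication failed, with the client IP) and the client itself may log no 4625 at all, so check 4771 on the DC when step 2 comes back empty.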

Solution 3:

I've been working on the service desk for about 4 years now. If none of the above solve your lockout issues, try placing the affected user in a "group policy not applied" section of AD (to enable Control Panel access from their account), then get them to log in, go to the Control Panel, search for Credentials and click "Credentials". What comes up is all the computer's stored credentials (usually there is one that is out of date, i.e. incorrect); remove all the entries from the "vault" and that should resolve the issue with no further problems. The only side effect is that the user will have to re-enter their credentials once, the next time they use the application. Hope that helps some of the people out there.
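The same clean-up from the command line, as an added example that is not part of the original answer. It uses the built-in cmdkey tool instead of the Control Panel, so it does not need the user moved out of Group Policy, and it removes only the entries saved for the named account rather than the whole vault; Credential Manager is per-user, so it must run in the affected user's own session. The account name is a parameter you supply, and the regexes assume English-language cmdkey output.

```powershell
# Added example (not from the original answer): list the credentials stored in
# the current user's Credential Manager vault and delete the ones saved for a
# given account, so a stale password stops being replayed and locking it out.
param(
    [Parameter(Mandatory = $true)]
    [string]$User,        # e.g. 'CONTOSO\jsmith' (assumed example value)
    [switch]$WhatIf       # report what would be removed without removing it
)

# cmdkey /list prints one block per stored credential, e.g.
#     Target: Domain:target=TERMSRV/sqlsrv01
#     Type: Domain Password
#     User: CONTOSO\jsmith
# The string cmdkey /delete expects is the part after "target=".
$entries = @()
$target = $null
foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(?:[^:]+:target=)?(.+?)\s*$') {
        $target = $Matches[1]
    }
    elseif ($target -and $line -match '^\s*User:\s*(.+?)\s*$') {
        $entries += [pscustomobject]@{ Target = $target; User = $Matches[1] }
        $target = $null
    }
}

"Stored credentials in this user's vault:"
$entries | Format-Table -AutoSize

$stale = $entries | Where-Object { $_.User -ieq $User }
if (-not $stale) {
    "No stored credentials for $User."
    return
}

foreach ($e in $stale) {
    if ($WhatIf) {
        "Would remove stored credential for $User -> $($e.Target)"
        continue
    }
    "Removing stored credential for $User -> $($e.Target)"
    cmdkey "/delete:$($e.Target)" | Out-Null
}
```

Run it once with -WhatIf to see which targets match before deleting anything; the listing usually makes the out-of-date entry obvious (a TERMSRV/ target for an old RDP host, or a generic entry for an application that saved the previous password). The user is then prompted for credentials the next time that application connects.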

Solution 4:

I had a student in a PowerShell class ask a similar question. He needed to know how to locate the client where accounts were being locked out on. We found the answer using a combination of auditing and PowerShell. Below is a link to the instructions and code.

http://mctexpert.blogspot.com/2012/08/where-did-users-account-get-locked-out.html