Finding the Root Cause of an Active Directory Account Lockout!

This is one of the most common issues I deal with on a day-to-day basis: if a user is using multiple machines, or even a machine and a phone, they are likely to have their account locked out when one of those devices keeps retrying an old saved password. As most people will know, this can be fixed by going into AD, opening the user's profile and clicking unlock. However, what if this is occurring often? If you have multiple domain controllers it can be a pain to find the source unless you use Microsoft's Account Lockout Status tool (LockoutStatus.exe), which queries every DC for the account. When you run the tool the output is a table with one row per domain controller, which looks something like this:

The column to focus on is ‘last bad password’: the DC with the most recent bad password attempt is the one that processed the failed logons, so that is where the source is recorded. (Bad password counts and timestamps are kept per DC and are not replicated, which is why the tool has to ask each one.) If it shows bad passwords on multiple DCs, simply choose the most recent one.

Go onto that DC, open Event Viewer and then the ‘Security’ log. At the time of the lockout an event will appear; to speed up the process I usually search for the user's name. The lockout itself is logged as event ID 4740 (“A user account was locked out”), and its ‘Caller Computer Name’ field is the source. Lockouts are always recorded on the PDC emulator as well, so if the DC you picked shows nothing, check there.

When you have located the event it will tell you whether the lockout was caused by a VM, an end-user machine or a phone. If it is a computer it will give the name; if it is a phone, unfortunately it cannot specify which phone it is. If it is a VM you will get an IP address, which you can resolve with nslookup in CMD to find the host. With the machine name you can find the owner and clear the user's stale saved credentials in Credential Manager. If Credential Manager is clean, also check mapped drives, scheduled tasks and services running under that account, as those are the other usual places an old password hides.
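The procedure above, scripted. This is an added example and not code from the original post: it reproduces the per-DC ‘last bad password’ view, pulls the 4740 lockout events from the PDC emulator, and then collects the bad-password attempts (4771 Kerberos pre-authentication failures and 4776 NTLM validation failures) from every DC so the source host is listed without clicking through Event Viewer. It assumes the ActiveDirectory RSAT module is installed, that you can read the Security log on each DC remotely, and that $User is the sAMAccountName you supply; the script name in the usage note is a placeholder.

```powershell
<#
  Added example, not code from the original post: a scripted version of the
  lockout hunt described above, usable without LockoutStatus.exe.
  Assumptions: ActiveDirectory RSAT module installed, remote read access to
  each DC's Security log, and $User is the sAMAccountName of the account
  (a placeholder you pass in).
#>
param(
    [Parameter(Mandatory)][string]$User,
    [int]$HoursBack = 24
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$HoursBack)
$dcs   = Get-ADDomainController -Filter *

# Turn an event's EventData into a name -> value hashtable so fields are
# looked up by name (TargetUserName, IpAddress, ...) rather than by position.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# Step 1: the 'last bad password' view, one row per DC. badPwdCount and the
# last-bad-password timestamp are not replicated, so every DC must be asked.
Write-Host "`n== Per-DC lockout state for $User =="
$state = foreach ($dc in $dcs) {
    $u = Get-ADUser -Identity $User -Server $dc.HostName `
            -Properties LockedOut, badPwdCount, LastBadPasswordAttempt
    [pscustomobject]@{
        DC          = $dc.HostName
        LockedOut   = $u.LockedOut
        BadPwdCount = $u.badPwdCount
        LastBadPwd  = $u.LastBadPasswordAttempt
    }
}
$state | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize

# Step 2: the lockout event itself (4740) is always written on the PDC
# emulator; its 'Caller Computer Name' field (stored as TargetDomainName in
# the event data) is the source machine the post tells you to look for.
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "== 4740 lockout events on PDC emulator $pdc =="
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.TargetUserName -eq $User) {
            [pscustomobject]@{ Time = $_.TimeCreated; CallerComputer = $f.TargetDomainName }
        }
    } | Format-Table -AutoSize

# Step 3: the failed attempts that caused it land on whichever DC handled
# them. 4771 = Kerberos pre-auth failed (Status 0x18 is a bad password);
# 4776 = NTLM credential validation (Status 0xC000006A is a bad password).
# Their IpAddress / Workstation field is the host to chase with nslookup.
Write-Host "== Bad-password attempts per DC =="
$attempts = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since } |
        ForEach-Object {
            $f = Get-EventFields $_
            if ($f.TargetUserName -ne $User) { return }   # skip other accounts
            if ($_.Id -eq 4771 -and $f.Status -eq '0x18') {
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc.HostName; Id = 4771; Source = $f.IpAddress }
            } elseif ($_.Id -eq 4776 -and $f.Status -eq '0xc000006a') {
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc.HostName; Id = 4776; Source = $f.Workstation }
            }
        }
}
$attempts | Sort-Object Time -Descending | Format-Table -AutoSize
```

Run it as, for example, `.\Find-LockoutSource.ps1 -User jdoe -HoursBack 12` (script name is a placeholder). Reading a DC's Security log remotely needs membership of Event Log Readers (or equivalent) on that DC and the Remote Event Log Management firewall rules. If the Source column shows a mail or web server rather than a workstation, that is the phone case from the post: the event names the server the device talks to, not the device. Once the offending machine is known, `cmdkey /list` run on it enumerates the saved credentials that Credential Manager holds, so you can see which stale entry to delete.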

If further lockouts occur, simply repeat this process.

The lockout tool is part of Microsoft's Account Lockout and Management Tools download.
