I've been dealing with a frustrating issue for the past few weeks: one of our users keeps getting locked out of their Active Directory account! The lockouts are happening every 20 minutes to an hour, and I'm not sure how to fix it.
I checked the Event Viewer and noticed that the lockouts mainly show on the server. I tried clearing the credentials from the Credential Manager, hoping that would help, but it hasn't made a difference. The user even changed their password since this all started, yet there's been no improvement.
They access Remote Desktop Services from their laptop for work resources, so I also cleared the credentials from their remote session and laptop—but the problem persists. The only lockout on their laptop occurred once, and since then, it has only shown lockouts from the server. Does anyone have any advice on how to resolve this?
3 Answers
Most of the time, it’s another device trying to log in with old credentials, like a phone or tablet. You should download Microsoft’s Account Lockout Tools if you haven’t already. It will help you identify which Domain Controller is causing the lockout. Once you know which one, look for event 4740 and check the 'caller computer name' for clues on what might be trying to log in. Then investigate things like scheduled tasks, cached credentials, or synced mobile devices. It might be a hassle, but you’ll get to the bottom of it!
You might want to run some specific PowerShell commands like Get-WinEvent -FilterHashtable @{Logname='Security'; id=4740} on your Primary Domain Controller. This will give you more detailed logs related to account lockouts. Also, keep an eye out for EventID 4625 which can give you insights into failed login attempts.
I tried it, but it showed an error saying I must specify at least one log, provider, or path key-value pair.
I ran into the same issue! Make sure you're inputting the command correctly; it should work fine!
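Putting the two answers above together (locate the DC, read event 4740 for the caller computer name, then check 4625 for the failed-logon details), here is an added PowerShell script that is not part of this thread. It is meant to run in an elevated session on a domain controller, ideally the PDC emulator, since every DC forwards lockout processing there; the account name 'jdoe' is an assumed placeholder to replace with the affected user.

```powershell
# Added example (not from the original thread): summarise 4740 lockouts and 4625 failed
# logons for one account on a domain controller. Run elevated on the PDC emulator.
param(
    [string]$User = 'jdoe',                  # assumed sample account, replace with the locked-out user
    [int]$Hours = 24,                        # how far back to search
    [string]$ComputerName = $env:COMPUTERNAME
)

$since = (Get-Date).AddHours(-$Hours)

# Helper: turn an event's EventData into a hashtable keyed by field name, so fields are
# read by name ('TargetUserName', 'TargetDomainName') rather than by positional index.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4740 = "A user account was locked out". In this event the field named TargetDomainName
# holds the "Caller Computer Name" shown in Event Viewer: the machine that sent the bad
# credentials (a laptop, an RDS host, a phone via an Exchange/IIS front end, and so on).
$lockouts = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $d['TargetUserName']
            CallerComputer = $d['TargetDomainName']
            DC             = $_.MachineName
        }
    } | Where-Object { $_.Account -eq $User }

"Lockouts for $User in the last $Hours h, grouped by caller computer:"
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 4625 = "An account failed to log on". SubStatus 0xC000006A = wrong password,
# 0xC0000234 = account already locked out. Logon type narrows down the client:
# 10 = RemoteInteractive (RDP), 3 = network (mapped drive, scheduled task hitting a share),
# 2 = interactive console logon.
$failures = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $d['TargetUserName']
            Workstation = $d['WorkstationName']
            SourceIP    = $d['IpAddress']
            LogonType   = $d['LogonType']
            SubStatus   = $d['SubStatus']
        }
    } | Where-Object { $_.Account -eq $User }

"Failed logons for $User, grouped by workstation / source IP / logon type:"
$failures | Group-Object Workstation, SourceIP, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The 4740 summary answers "which machine is submitting stale credentials"; once the caller computer is known, the 4625 summary on that machine or on the DC shows the logon type, which separates an RDP session from a cached network credential, a mapped drive, or a scheduled task. The error quoted above ("must specify at least one log, provider, or path key-value pair") is raised by Get-WinEvent whenever the hashtable passed to -FilterHashtable contains none of the LogName, ProviderName or Path keys, so if it appears, check that the hashtable reached the cmdlet intact.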
Check the Domain Controller event logs. The user’s account is likely trying to authenticate from some device, and the DC logs will pinpoint where it’s coming from. That’s your first step!
Got it! The caller computer name is the remote server they connect to from home.
Thank you! Should I install those tools on the Domain Controller, though?