I have a user who recently transitioned from a Windows 10 hybrid join to an Azure join on a brand new Windows 11 device. However, the user's on-prem AD account keeps getting locked out. Is there a specific log I should check that could help identify which app or process is causing these lockouts?
4 Answers
Check log 4740 on the Domain Controller; it gives insights into user lockouts. You could also run a PowerShell script like this one:
```powershell
Function Get-ADUserLockouts {
    # Your script details here...
}
Get-ADUserLockouts
```
This will help filter events specific to your user, which might show you the source more clearly!
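As an added example (not the answer's own script), here is a PowerShell script that does what the answer describes: pull event ID 4740 from every domain controller, keep only the events for one account, and print the Caller Computer Name field, which is the machine that sent the bad passwords. It assumes the RSAT ActiveDirectory module is installed, that you can read the Security log on each DC, and a placeholder account name of `jdoe`.

```powershell
# Added example, not the answer's own script. Assumes: RSAT ActiveDirectory module,
# read access to the Security log on every DC, and a placeholder account 'jdoe'.
Import-Module ActiveDirectory

$User  = 'jdoe'                      # placeholder sAMAccountName
$Since = (Get-Date).AddDays(-1)      # how far back to look

# Turn an event's <EventData> into a hashtable keyed by field name, so we do not
# depend on the positional order of $_.Properties.
function ConvertTo-EventDataHash {
    param($Event)
    $h = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
    $h
}

# 4740 is written on the DC that processed the lockout (normally the PDC emulator,
# which receives every bad-password notification), so check every DC to be safe.
$DCs = (Get-ADDomainController -Filter *).HostName

$Lockouts = foreach ($DC in $DCs) {
    try {
        Get-WinEvent -ComputerName $DC -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $Since
        } | ForEach-Object {
            $d = ConvertTo-EventDataHash $_
            # In 4740, TargetUserName is the locked account and TargetDomainName
            # carries the "Caller Computer Name" that Event Viewer displays.
            if ($d['TargetUserName'] -eq $User) {
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    DC             = $DC
                    LockedAccount  = $d['TargetUserName']
                    CallerComputer = $d['TargetDomainName']
                }
            }
        }
    }
    catch {
        # Get-WinEvent throws when nothing matches the filter; anything else is worth seeing.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$DC : $($_.Exception.Message)"
        }
    }
}

$Lockouts | Sort-Object Time | Format-Table -AutoSize
```

The CallerComputer column is the name to take to the next step: if it is the new Windows 11 device, look there for the process sending stale credentials; if it is a DC or an Exchange/ADFS server, the bad password is arriving over the network (ActiveSync, Outlook, a web logon) and the client-side search has to start from that host's logs instead.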
You should definitely check the Event Viewer on your Domain Controller. There, you can find events related to the account lockout which will show you the computer name associated with it. After that, look at that device for potential culprits like cached credentials in Credential Manager, or any scheduled tasks or services running under that user account. VPNs can sometimes kick this off because they might use cached network drive credentials that lead to the AD account getting locked too.
Have you looked into Microsoft’s Lockout tools? They have a user-friendly GUI that simplifies tracking down these types of issues. It could make things a lot easier for you!
Yeah, the DC logs can show the user is locked out but don’t always indicate what caused it. You could try checking that device for security logs that show failed login attempts — that should help you identify the calling application that triggered the lockouts.
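As an added example serving the two answers above (the one about cached credentials, scheduled tasks, services and VPN drive mappings, and the one about the device's own failed-logon events), here is a PowerShell script to run in an elevated session on the Windows 11 device named as Caller Computer Name. It is not code from any of the answers. It assumes that failure auditing for the Logon subcategory is enabled on the device (otherwise no 4625 events exist to read) and uses a placeholder account name of `jdoe`.

```powershell
# Added example, not from the answers above. Run on the device named in the 4740 event,
# in an elevated PowerShell. Assumes Audit Logon (failure) is enabled locally and a
# placeholder account 'jdoe'.
$User  = 'jdoe'
$Since = (Get-Date).AddHours(-24)

function ConvertTo-EventDataHash {
    param($Event)
    $h = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $h[$_.Name] = $_.'#text' }
    $h
}

# 1. Failed logons (4625) for the account. LogonType and ProcessName identify the caller:
#    an interactive/unlock type (2, 7) or a service/batch type (4, 5) with a real ProcessName
#    means something on this box (RunAs, scheduled task, service start); type 3 with a
#    remote WorkstationName/IpAddress means another host is using this one.
Write-Host "== 4625 failed logons for $User since $Since =="
try {
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$Since } -ErrorAction Stop |
    ForEach-Object {
        $d = ConvertTo-EventDataHash $_
        if ($d['TargetUserName'] -eq $User) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                LogonType   = $d['LogonType']
                Status      = $d['Status']        # 0xC000006D = logon failure, 0xC0000234 = already locked out
                SubStatus   = $d['SubStatus']     # 0xC000006A = bad password
                Process     = $d['ProcessName']   # '-' when the attempt arrived over the network
                AuthPackage = $d['AuthenticationPackageName']
                Workstation = $d['WorkstationName']
                IpAddress   = $d['IpAddress']
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize
}
catch {
    if ($_.Exception.Message -notmatch 'No events were found') { throw }
    Write-Host "no 4625 events in the window (confirm Audit Logon failure auditing is on)"
}

# 2. Saved credentials in Credential Manager. cmdkey only lists the vault of the user
#    running it, so run this part as the affected user as well.
Write-Host "== cmdkey /list entries mentioning $User =="
cmdkey /list | Select-String -Pattern $User -Context 1,0

# 3. Scheduled tasks and services configured to run as the account.
Write-Host "== scheduled tasks running as $User =="
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$User*" } |
    Select-Object TaskPath, TaskName, State

Write-Host "== services running as $User =="
Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "*$User*" } |
    Select-Object Name, StartName, State, StartMode

# 4. Mapped drives: a drive mapped with the old password reconnects on every VPN
#    session and is a classic lockout source after a password change or rejoin.
Write-Host "== mapped drives =="
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status
```

Read section 1 first: the Process column names the binary directly when the bad password originates on this machine. If every 4625 shows `ProcessName` of `-` and logon type 3, the credentials are being replayed from elsewhere and sections 2 to 4 on this device will not find the cause; repeat the 4740 check and follow whichever Caller Computer Name appears instead.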

Absolutely! Security logs can be a goldmine for information on failed logins, which helps pinpoint the source.