I'm at my wit's end trying to figure out why one of our accounting staff members keeps getting locked out of her Active Directory account, but it seems to only happen between 2 and 4 AM. She's not working during those hours, plus she insists she doesn't have any personal devices linked to the company systems. I've tried a few things already:
1. Ran LockoutStatus.exe, which indicated one of our Domain Controllers, but checking the security logs didn't pinpoint the source.
2. Looked at the scheduled tasks on her workstation, and there's nothing set for those hours.
3. Even disabled her account on our Wi-Fi controller, suspecting an old phone, but the lockouts continued.
This issue started about three weeks ago, right after we migrated some shared mailboxes to M365, but she wasn't involved in that project. It's becoming a frustrating routine as I keep waking up to her helpdesk tickets about this! What am I overlooking?
6 Answers
There’s a small problem with the lockout itself, but a bigger issue if you can't track down the logins. You might want to consider implementing centralized logging with a tool like Wazuh. It’s free to deploy and could make future troubleshooting easier.
You should definitely check the logs of all your Domain Controllers. They typically have the source IP which can lead you towards the culprit. If you’re not finding anything, you might want to enable more auditing. This article is helpful: 'Find the source of AD account lockouts'—check it out for more ideas!
Since this is happening at a set time, it seems like there might be an automated task or program accessing her account. You can check the Event Viewer on the DC and filter for event ID 4625, as it should show the source IP. That would clarify which device is causing the lockout.
Exactly! Just make sure to attach the relevant logs if you find anything interesting.
It could be that a laptop she used once is waking up to perform updates or tasks, and the cached credentials are causing her account to lock. I've had similar issues where I had to check both of our Domain Controllers to find an old device doing the same.
Good point! Make sure to look at her AD properties because I bet her password was changed about three weeks ago as well.
Since she works in accounting, check if there are any scheduled reports running from a server during those hours. It’s possible something could be triggering the lockouts.
Have you checked if any personal devices have been reused? Sometimes old devices or tablets can cause issues like this, especially if they were logged in with her credentials.

Absolutely! Look for login failure logs (event ID 4625); those will show what device attempted to log in.
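The checks several answers describe (pull 4740/4625/4771 from every DC, restrict to the 2 to 4 AM window, read the source from the event fields) as one script. This is an added example, not code from any poster; it assumes the RSAT ActiveDirectory module, remote Security-log read access to the DCs, and a placeholder user name.

```powershell
# Added example (not from the thread): collect lockout and failed-logon events for one
# account from every domain controller, keep only the 02:00-04:00 window, and
# summarise which computer / IP is generating them.
# Assumes: RSAT ActiveDirectory module, remote event-log access to the DCs, and an
# audit policy that logs Account Lockout / Logon failures. $User is a placeholder.
param(
    [string]$User = 'jdoe',   # placeholder sAMAccountName of the affected user
    [int]$Days    = 7
)

Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-$Days)
$dcs   = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        # 4740 = account locked out (carries the caller computer name)
        # 4625 = logon failure, 4771 = Kerberos pre-auth failure (carry source IP)
        # Get-WinEvent throws when nothing matches, so that case also lands in catch.
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4740, 4625, 4771; StartTime = $since
        }
    } catch { Write-Warning "No readable events on ${dc}: $_"; continue }

    foreach ($e in $events) {
        # Read named fields from the event XML instead of parsing the message text
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $User) { continue }

        # Keep only the 02:00-04:00 window the question describes
        $h = $e.TimeCreated.Hour
        if ($h -lt 2 -or $h -ge 4) { continue }

        # In 4740 the "Caller Computer Name" is stored in the TargetDomainName field;
        # 4625/4771 expose the workstation name and/or source IP directly.
        if ($e.Id -eq 4740) { $src = $d['TargetDomainName'] }
        else { $src = "$($d['WorkstationName']) / $($d['IpAddress'])" }

        [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc; Id = $e.Id; Source = $src }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
# The source with the highest count is the device to go looking for
$results | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
```

If the 4625/4771 entries show an IP from the M365 hybrid/Exchange side rather than a workstation, that points back at the mailbox migration mentioned in the question.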