I'm supporting a client who has a Windows Server 2016 setup and they're having a tough time with a new Windows 11 laptop used by a recently hired employee. The user frequently gets locked out of their account, and despite digging through logs and investigating the situation, I haven't been able to pinpoint the problem. I've noticed a lot of Kerberos events (ID 4768) but it's still unclear what's causing the lockouts. I've encountered this issue in another similar situation as well, and I've been at it for a month now without resolution.
5 Answers
If you're using any VPNs or have Wi-Fi settings linked to RADIUS, that might also be worth looking into. Brute force attacks through those could be triggering the lockouts.
Do you happen to have a hybrid Microsoft 365 identity setup? If that's the case, make sure to examine your account lockout threshold; it might be set too low. Many people overlook that a threshold of 5 bad attempts can lead to frequent lockouts, especially with hybrid setups.
Thanks for the tips, everyone! I'll dive into those event logs and check the hybrid setup as well.
Make sure to check for event ID 4740 in the Active Directory logs. This will help identify which device or service is causing the account lockouts. It's a good starting point!
Don’t forget to check the logs across all your devices. Over time, I've found using a centralized system for logs makes this kind of troubleshooting a lot easier.
Often, I find the lockouts are due to users connecting their phones to the Wi-Fi. If they change their password on a device, it can create multiple failed attempts as the device tries to reconnect, which hits the authentication server hard and causes lockouts with minimal logging.
Also, look for event ID 4625 for any failed logon attempts. Sometimes, you need to gather more data to get to the root cause. If you have multiple domain controllers, check logs on all of them, not just the PDC. I’ve been using Microsoft Defender for Identity recently; it helps track account activities and audit logs more easily.
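One way to run the checks suggested in the answers above (event IDs 4740 and 4625, on every domain controller rather than only the PDC), as an added example that is not part of any answer. It assumes the ActiveDirectory RSAT module, rights to read the Security log on each DC, and a placeholder account name `jdoe` with a two-day look-back window; `Get-EventField` is a helper defined here.

```powershell
# Added example: sweep all domain controllers for lockout (4740) and
# failed-logon (4625) events for one account, then rank the sources.
Import-Module ActiveDirectory

$Account = 'jdoe'                    # placeholder: the locked-out user
$Since   = (Get-Date).AddDays(-2)    # assumed look-back window

# Helper (defined for this example): read one named field from EventData.
function Get-EventField {
    param($Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $filter = @{ LogName = 'Security'; Id = 4740, 4625; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Raised for an unreachable DC and also when no events match the filter.
        Write-Warning "${dc}: $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        if ((Get-EventField $e 'TargetUserName') -ne $Account) { continue }
        if ($e.Id -eq 4740) {
            # 4740 stores the caller computer name in the TargetDomainName field.
            $source = Get-EventField $e 'TargetDomainName'
            $detail = 'Account locked out'
        } else {
            # 4625 records the source workstation, IP and failure status codes.
            $source = '{0} ({1})' -f (Get-EventField $e 'WorkstationName'),
                                     (Get-EventField $e 'IpAddress')
            $detail = 'Status {0} / SubStatus {1}' -f (Get-EventField $e 'Status'),
                                                      (Get-EventField $e 'SubStatus')
        }
        [pscustomobject]@{
            Time = $e.TimeCreated; DC = $dc; Id = $e.Id
            Source = $source; Detail = $detail
        }
    }
}

# Timeline across all DCs, then a count of events per source.
$results | Sort-Object Time | Format-Table -AutoSize
$results | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A blank or unfamiliar source on the 4740 rows usually means the bad attempts arrived through an intermediary such as a RADIUS or VPN server, which is where the first and Wi-Fi answers point.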