Hey everyone! I've got a bit of a puzzler here. One of our Active Directory accounts keeps getting locked out every few days, and the user actually changed their password recently. We've already looked into a few potential culprits like the Credential Manager, network drive mappings, RDP connections, and even their mobile devices, but found nothing amiss. We checked the security logs on the Domain Controller and found the lockout events, but surprisingly, there are no bad password attempts logged. The user primarily logs in from one computer, which adds to the mystery. I've noticed that similar cases often occur right after a password change, but in this case, the lockouts happen only every couple of days, not frequently. Does anyone have insights on where these bad login attempts might be coming from, or any other causes that could lead to these lockouts? Thanks for your help!
5 Answers
Just a thought, are your domain controllers running Server 2025?
I had a similar situation where Chrome was using cached credentials for a local website. I used the tool linked [here](https://www.microsoft.com/en-us/download/details.aspx?id=18465) to help trace the lockouts, which really made a difference.
Have you checked if the user's wifi might still be using old credentials? Sometimes that can cause issues without being obvious.
Thanks for the tip! We actually use an NPS server for wifi authentication, so usernames and passwords aren’t stored on the wifi connection itself. We've never had lockout issues from there after a password change.
Just a heads-up, this is a common issue. Make sure to check every domain controller for incorrect logins. Sometimes you might miss bad login attempts on DCs where logs aren't being tracked properly.
You might want to look into using the Account Lockout Examiner tool from Netwrix. It's free and helped us track down lockout origins that we couldn't find through AD logs.
Nope, we're actually using Server 2022.