Other Domain Ad Lockouts

Vickesh Patel

Hi All

Anyone know of any good tools to trace AD lockouts to the applications or device? I have users constantly being locked out every few hours.
 
If you have access to MS analytics, give it a whirl. If not, download a trial of Nagios Log Manager; I think you can download an OVA etc. for it. If not, you will only need a little Linux knowledge to get it up and running. This will output events into a nice searchable format within Nagios, which you can access via the web GUI. As a system administrator, this is one tool I use to locate specific issues such as this. For instance, a service account kept locking out every 5 - 10 mins; using this tool I could search every host that was using this service account to see which was not authenticating properly and therefore locking the account out. This would work equally well for domain users who have access to mail etc. via a smartphone, in the event that they have updated a password but not changed it on their mobile device, which again would cause a lockout depending on the authentication rules in your GPO :)

Hope this helps :)

- - - Updated - - -

Also forgot to add: you can use simple search strings to search on the AD user instead of trawling through event logs. It will show all successful and unsuccessful authentication attempts and the host/device they were made from, making it very simple for you to find where your problem is :)
 
Hummmmm.....

Firstly, I would advise checking for viruses / malware etc. on your network, as the reason for frequent lockouts could be a worm/Trojan infection.

Secondly, depending upon your requirements, you can try the tools mentioned below:

Try the free Lockout Status tool from Microsoft for basic information about a user's locked-out account on a domain.

Download Account Lockout Status (LockoutStatus.exe) from Official Microsoft Download Center



Try the free tool from Netwrix: it can report / notify (email) / unlock / and much more...

Netwrix Auditor Lockout Examiner | Free Lockout Tool for AD


DOS command... Create a batch file for the user or multiple users whose accounts are being locked out, and run it as a scheduled job to automatically unlock the user account when it is locked.


net user userlogonname0 /DOMAIN /ACTIVE:YES
net user userlogonname1 /DOMAIN /ACTIVE:YES
net user userlogonname2 /DOMAIN /ACTIVE:YES

Replace userlogonname0 with the actual user logon names.


Thanks,
 
This is always a headache for IT admins but here is a simple way of tracing:

You'll need to know which domain controller the user was originally locked out on. If your environment is too complicated to know that, use Microsoft's lockout tools to check the time and source.

On the domain controller in question, go to Event Viewer -> Security and filter the event log by Event ID 4740.

This should tell you where the user was locked out and give you a hostname.
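
The Event ID 4740 filter described in the post above can also be scripted. This is an added example, not part of the original thread; the function names, `DC01`, `jdoe` and the sample event are assumptions constructed for illustration.

```powershell
# Added example: read Event ID 4740 (account locked out) and report the caller computer.
# Function names, 'DC01', 'jdoe' and the sample event below are constructed placeholders.

function ConvertFrom-LockoutEvent {
    # Turns the XML of one 4740 event into an object with the fields needed for tracing.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]@{
            TimeCreated    = $evt.System.TimeCreated.SystemTime
            LockedAccount  = $data['TargetUserName']
            # In 4740 the "Caller Computer Name" is stored in the TargetDomainName field.
            CallerComputer = $data['TargetDomainName']
            ReportedBy     = $evt.System.Computer
        }
    }
}

function Get-LockoutSource {
    # Queries the Security log of one domain controller for recent 4740 events.
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [string]$UserName,
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-LockoutEvent |
        Where-Object { -not $UserName -or $_.LockedAccount -eq $UserName }
}

# Constructed sample event, trimmed to the fields used above, so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID><TimeCreated SystemTime="2024-01-15T09:12:30.0000000Z"/><Computer>DC01.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-042</Data>
  </EventData>
</Event>
'@
$sample | ConvertFrom-LockoutEvent

# Against a live DC (needs rights to read its Security log):
# Get-LockoutSource -DomainController 'DC01' -UserName 'jdoe' | Group-Object CallerComputer
```

Grouping the results by `CallerComputer` shows which host accounts for most of the lockouts when a user is locked out repeatedly.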
 