How to use account lockout status in Active Directory
Get it Done with ADAudit PlusNative auditing
Microsoft provides an AD account lockout tool to check the lockout status. This tool can be downloaded here. After installing the tool, go to the folder you selected to extract the tool's files. The LockoutStatus.exe tool will help you find the source of an account lockout and resolve it.
Before getting started, make sure that your audit policies are set to audit logon events. To do this:
- Go to the Group Policy management console → Computer configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy.
- Enable Audit account logon events and Audit logon events. Turn on auditing for both successful and failed events.
Using the account lockout and management tool:
Run the LockoutStatus.exe tool, and go to File → Select target.
Type the user's login name or sAMAccountName.
Enter the domain name.
Click OK to see the lockout status of the user you selected.
The following details will be displayed:
User State – Tells you if the account is locked.
Lockout Time – Time at which the account got locked out.
Org Lock – Domain Controller in which the lockout happened.
Finding the source of the lockout:
- Go to the domain controller that the lockout status displayed.
- Open the Event Viewer, and search the logs for Event ID 4740.
- The log details of the user account's lockout event will show the caller computer name.
- Go to this caller computer, and search the logs for the source of this lockout.
- Search the logs for the events that happened around the time when the user was locked out.
- Check the user's recent logon history, login attempts, services, and application using the user account's credentials, scheduled tasks, mapped drives, etc.
- If any of the above are using a stale password, update the user's password, and force replication.
ADAudit Plus: Account lockout tool
Unlike the LockoutStatus tool provided by Microsoft, where you need to jump between multiple systems and consoles to pinpoint the source of lockout, ADAudit Plus allows you to analyze account lockouts in a single click. The who, when, where, and why of every account lockout is detailed in neat reports. These reports are collected in real time and can be exported to formats including CSV, PDF, XML, and HTML.
These reports provide the:
- Name of the user that got locked out
- Domain controller and caller computer the user got locked out from
- Time of lockout
- Previous login attempts of the user
- Details of services, mapped drives, and applications using the user account's credentials
Get instant alerts when a privileged user is locked out or if the volume of lockouts is too high. These alerts can also be sent straight to the admin's or technician's email or mobile device via SMS from ADAudit Plus. With this AD lockout tool, you can find and resolve account lockouts in less than a few minutes.
Native auditing becoming a little too much?
Simplify file server auditing and reporting with ADAudit Plus.
Download for Free