Active Directory Account Lock Events

A common issue that troubles both helpdesk teams and administrators is account lockouts in Active Directory. When the number of failed authentication attempts configured in the domain's account lockout policy is reached, the account is locked out for the configured lockout duration. Because many services depend on Active Directory, the failed attempts may have come from a workstation, a web application, or even a mobile device connected to Exchange on which the user forgot to update the password after changing it.

To troubleshoot a lockout, the first step is to find the computer from which the failed authentication attempts originated. Knowing that computer will most probably lead to the service that keeps submitting the stale credentials, and in turn to the solution of the problem.

A locked-out user account is not a big deal, since only that user is affected. When it comes to service accounts that perform various tasks, things get more serious, because everything that runs under that account stops working until it is unlocked.

The newest version of my Active Directory module for PowerShell (version 1.2.1) includes a new function called "Get-ActiveDirectoryAccountLockEvent" that helps you troubleshoot account lockouts. When an account is locked out, the domain controller that processed the lockout logs an event with ID 4740 in its Security log. The event contains valuable information: the locked account and the "Caller Computer Name", which is the computer from which the failed attempts originated. All the function does is get the list of domain controllers in the domain and then collect these events from all of them. Two things to keep in mind: event 4740 is only written when success auditing for the "Audit User Account Management" subcategory is enabled on the domain controllers, and lockouts are also forwarded to the PDC emulator, so the same lockout usually shows up on more than one DC.
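The following is an added example of how that collection can be done with the built-in cmdlets; it is not the code of the CPolydorou.ActiveDirectory module. It assumes the RSAT "ActiveDirectory" module is installed, that the caller can read the Security log on every domain controller over RPC, and that the function name "Get-LockoutEvent" and its parameters are my own choice. It reads the 4740 event XML directly, because the caller computer name is stored in the "TargetDomainName" data field rather than in a field named after it.

```powershell
# Added example, not part of the CPolydorou.ActiveDirectory module.
# Collects event 4740 (account locked out) from every DC in the domain and
# maps each lockout to the computer the failed logons came from.
function Get-LockoutEvent {
    [CmdletBinding()]
    param(
        # Optional sAMAccountName to filter on; omit to list every locked account.
        [string]$Account,
        # How far back to search the Security logs.
        [int]$Hours = 24
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    $start = (Get-Date).AddHours(-$Hours)
    # Enumerate all DCs; the same lockout usually appears on the DC that
    # processed it and on the PDC emulator, so query each of them.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        $filter = @{ LogName = 'Security'; Id = 4740; StartTime = $start }
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when nothing matches; treat that as "no lockouts",
            # but surface RPC/permission failures so a silent DC is not mistaken for a clean one.
            if ($_.Exception.Message -match 'No events were found') { continue }
            Write-Warning "$dc : $($_.Exception.Message)"
            continue
        }

        foreach ($e in $events) {
            # Pull the named EventData fields out of the event XML.
            $xml  = [xml]$e.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($Account -and $data.TargetUserName -ne $Account) { continue }

            [pscustomobject]@{
                'Account'           = $data.TargetUserName
                'Timestamp'         = $e.TimeCreated
                'Domain Controller' = $dc.Split('.')[0]
                # In 4740, "Caller Computer Name" is carried in TargetDomainName.
                'Caller Computer'   = $data.TargetDomainName
            }
        }
    }
}

# Usage: list the lockouts of one account over the last two days.
Get-LockoutEvent -Account 'cpolydorou' -Hours 48 | Format-Table -AutoSize
```

If you only want the fastest answer, query the PDC emulator first (Get-ADDomain exposes it as PDCEmulator), since every lockout is forwarded there; querying all DCs is still useful to see which one actually processed the bad attempts, which narrows down the site the caller computer is in.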

Let's see an example! I've locked my account, "lab\cpolydorou", on a workstation called "windows10". I logged on to one domain controller, fired up PowerShell and imported the "ActiveDirectory" and "CPolydorou.ActiveDirectory" modules. I then called the function to get all the accounts that were locked out.

PS C:\> Get-ActiveDirectoryAccountLockEvent | ft
Account     Timestamp            Domain Controller Caller Computer
-------     ---------            ----------------- ---------------
cpolydorou  27/5/2017 7:44:43 μμ DC3               WINDOWS10
cpolydorou  27/5/2017 7:44:43 μμ DC1               WINDOWS10

PS C:\>  

Have fun!
