Active Directory Account Lock Events
A common issue that troubles both helpdesk teams and administrators is account lockouts in Active Directory. When an account lockout policy is in place and the number of failed authentication attempts reaches the lockout threshold, the account is locked for the configured period of time. Since many services depend on Active Directory, the failed attempts may have come from a workstation logon, a web application, or a mobile device connected to Exchange on which the user forgot to update the password.
In order to troubleshoot the issue, the first step is to find the computer from which the failed authentication attempts were made. Knowing the computer will most probably lead to the service and, in turn, to the solution of the problem.
A locked user account is not a big deal, since only one user is affected. Service accounts that perform various tasks are a different matter: when one of those is locked, every task it runs stops working.
The newest version of my Active Directory module for PowerShell (version 1.2.1) includes a new function called "Get-ActiveDirectoryAccountLockEvent" that will help you troubleshoot account lockouts. When an account is locked out, the domain controller that processed the failed attempts logs an event with ID 4740 in its Security log (the PDC emulator logs one as well, since bad passwords are forwarded to it), and that event contains the valuable piece of information: the name of the caller computer. All the function does is get the list of domain controllers in the domain and then collect the 4740 events from every one of them.
Let's see an example! I locked my account, "lab\cpolydorou", from a workstation called "windows10". I then logged on to one of the domain controllers, fired up PowerShell, imported the "ActiveDirectory" and "CPolydorou.ActiveDirectory" modules and called the function to get all the accounts that were locked out.
PS C:\> Get-ActiveDirectoryAccountLockEvent | ft

Account     Timestamp             Domain Controller  Caller Computer
-------     ---------             -----------------  ---------------
cpolydorou  27/5/2017 7:44:43 μμ  DC3                WINDOWS10
cpolydorou  27/5/2017 7:44:43 μμ  DC1                WINDOWS10

PS C:\>
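The two rows above are the same lockout seen by the DC that locked the account (DC3) and by the PDC emulator (DC1). If you want to see what the function has to do under the hood, here is an added example of my own that is not code from the CPolydorou.ActiveDirectory module: it enumerates the domain controllers with Get-ADDomainController, pulls the 4740 events from each one with Get-WinEvent, and reads the interesting fields out of the event XML. In a 4740 event the locked account is in TargetUserName and the caller computer name is carried in TargetDomainName. The function names, the parameter names and the sample event XML are my own constructions for the example.

```powershell
# Added example, not part of the CPolydorou.ActiveDirectory module.
# Requires the ActiveDirectory module and remote Security log access on the DCs.
Import-Module ActiveDirectory

function ConvertFrom-LockoutEvent {
    # Turn one 4740 event (an EventLogRecord, or its XML as a string for offline
    # testing) into an object with the same columns as the output above.
    param(
        [Parameter(Mandatory)] $Event,
        [string] $DomainController = ''
    )
    $xml = if ($Event -is [string]) { [xml]$Event } else { [xml]$Event.ToXml() }

    # EventData is a list of <Data Name="..."> elements; index them by name.
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $dc = if ($DomainController) { $DomainController } else { $xml.Event.System.Computer }

    [pscustomobject]@{
        Account             = $data['TargetUserName']    # the account that got locked out
        Timestamp           = [datetime]$xml.Event.System.TimeCreated.SystemTime
        'Domain Controller' = $dc
        'Caller Computer'   = $data['TargetDomainName']  # 4740 stores the caller computer name here
    }
}

function Get-LockoutEvent {
    # Collect 4740 events from every DC in the domain for the last $Hours hours.
    # 4740 is only written when "Audit User Account Management" (success) is on,
    # which is the default for domain controllers.
    param([int] $Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            Get-WinEvent -ComputerName $dc -ErrorAction Stop `
                -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
                ForEach-Object { ConvertFrom-LockoutEvent -Event $_ -DomainController $dc }
        }
        catch {
            # Get-WinEvent throws "No events were found ..." when a DC has nothing to
            # report; an RPC error here means the DC could not be reached at all.
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# Constructed sample 4740 event (not a real capture) so the parser can be tried offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2017-05-27T16:44:43.000Z"/>
    <Computer>DC1.lab.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">cpolydorou</Data>
    <Data Name="TargetDomainName">WINDOWS10</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC1$</Data>
    <Data Name="SubjectDomainName">LAB</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@

ConvertFrom-LockoutEvent -Event $sample | Format-Table

# Live query across all DCs, sorted so the two copies of one lockout sit together:
# Get-LockoutEvent -Hours 24 | Sort-Object Timestamp, Account | Format-Table
```

Two caveats when reading the results. The caller computer name is whatever the authenticating host reported, so for a mobile device behind Exchange or a session through an RDP gateway you will see the Exchange or gateway server rather than the real source; in that case take the non-PDC domain controller from the output and look at its 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation) events around the same timestamp, which carry the client address. And if the field is empty, the failed attempts were most likely made against the domain controller itself.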
Have fun!