AD Account Keeps Locking Out

Sometimes an AD user account keeps locking out: when you try to log on to a domain computer, the login screen shows the error "The referenced account is currently locked out and may not be logged on to." This means the account has been temporarily locked by the Active Directory domain account lockout policy and cannot be used to log on to domain computers until it is unlocked.

The message about the account lockout looks as shown on the screenshot below:


In this case, the account was locked because a wrong password was entered too many times.

Active Directory Account Lockout Domain Policy

The number of failed password attempts that triggers a lockout is set by the domain policy Account lockout threshold, located in the GPO section Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.

Most often, the account lockout settings in the domain are configured in the Default Domain Policy, which is also where you change them.

Two more policies in the same section matter here. Account lockout duration determines how long the account stays locked (0 means it stays locked until an administrator unlocks it), and Reset account lockout counter after determines how long the counter of failed attempts is kept before it is reset to zero. Note that a fine-grained password policy (PSO) applied to the user or to one of the user's groups overrides these domain-wide values.

In our example, the user account lockout settings in the domain are configured as follows:

  • Account lockout threshold — 10 invalid logon attempts;
  • Account lockout duration — 10 minutes;
  • Reset account lockout counter after — 10 minutes.


So, if you wait 10 minutes after the lockout, the account is unlocked automatically.
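The policy values above only apply if no fine-grained password policy overrides them, and the unlock time depends on the lockoutTime stamped on the account. The following PowerShell function, an added example and not code from the original article, resolves the policy that actually applies to a user and computes when a current lockout expires. It assumes the ActiveDirectory module (RSAT) and a reachable domain; the account name jjackson is a placeholder.

```powershell
# Added example (not from the original article): resolve the lockout policy that
# actually applies to a user and compute when a current lockout expires.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain; the
# sAMAccountName 'jjackson' is a placeholder.
Import-Module ActiveDirectory

function Get-EffectiveLockoutPolicy {
    param([Parameter(Mandatory)][string]$Identity)

    # A fine-grained password policy (PSO) silently overrides the Default Domain
    # Policy for its members, so check for one before trusting the GPO values.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) {
        $policy = $pso
        $source = "Fine-grained policy '$($pso.Name)'"
    } else {
        $policy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Policy'
    }

    # lockoutTime is a FILETIME (0 = not locked). Read it from the PDC emulator,
    # which is authoritative for lockouts.
    $pdc  = (Get-ADDomain).PDCEmulator
    $user = Get-ADUser -Identity $Identity -Server $pdc -Properties lockoutTime, LockedOut

    $unlocksAt = $null
    if ($user.lockoutTime -gt 0 -and $policy.LockoutDuration -gt [TimeSpan]::Zero) {
        $unlocksAt = [DateTime]::FromFileTime($user.lockoutTime) + $policy.LockoutDuration
    }

    [pscustomobject]@{
        User                     = $user.SamAccountName
        PolicySource             = $source
        LockoutThreshold         = $policy.LockoutThreshold          # 0 = never lock out
        LockoutDuration          = $policy.LockoutDuration           # 0 = until an admin unlocks
        LockoutObservationWindow = $policy.LockoutObservationWindow  # "Reset counter after"
        LockedOut                = $user.LockedOut
        UnlocksAt                = $unlocksAt                        # $null if not locked or no auto-unlock
    }
}

Get-EffectiveLockoutPolicy -Identity 'jjackson' | Format-List
```

With the settings from this article (threshold 10, duration 10 minutes) UnlocksAt is the lockoutTime plus 10 minutes; a duration of 0 leaves it empty, which tells the help desk the account will not unlock on its own.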

If you don't want to wait, an administrator can unlock the account in the Active Directory Users and Computers console: open the user's properties, switch to the Account tab, check the box Unlock account. This account is currently locked out on this Active Directory Domain Controller, and click OK.


Note. Or you can use the PowerShell cmdlet Unlock-ADAccount to unlock a user account: Unlock-ADAccount -Identity jjackson -Confirm

How to Find Account Lockout Source in Domain?

But in some cases accounts get locked out without any apparent reason. The user reports that they did nothing and never entered a wrong password, yet the account is locked. The administrator can unlock it at the user's request, but after a while the lockout repeats.

In this case, first determine the name or IP address of the computer or server from which the lockout originates. To do this, make sure lockout events are being audited on the domain controllers. In the Default Domain Controllers Policy, the legacy setting is Audit account management (Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy); on Windows Server 2008 R2 and later the same events are controlled by the subcategory Audit User Account Management under Advanced Audit Policy Configuration > Audit Policies > Account Management, and Success auditing must be enabled there. You can check the effective setting on a DC with auditpol /get /subcategory:"User Account Management".


The account lockout event is recorded in the Security log (Event Viewer > Windows Logs > Security) of the domain controller that processed the lockout. In practice it always appears on the DC holding the PDC emulator role, because every DC forwards failed password attempts to the PDC emulator, so that is the best place to look. Right-click Security and select Filter Current Log.


Filter the security log by the event with Event ID 4740.


You will see a list of lockout events for domain user accounts on this DC (the event message is A user account was locked out). Find the latest entry whose Account Name is the user you are investigating. The computer from which the lockout was triggered is given in the Caller Computer Name field. In this case, the computer name is LON-DC01. Keep in mind that this field only identifies the machine that submitted the bad credentials to the DC: when it names a domain controller, or is empty, look in that DC's Security log for the 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation) events logged just before the lockout, which record the client IP address (4771) or source workstation (4776).


Get Account Lockout Source Using PowerShell

You can also find the lockout source with PowerShell on the DC holding the PDC emulator FSMO role. The following code lists the most recent account lockout events on that DC:

# Run on the PDC emulator (or point -ComputerName at it); 4740 is logged there for every lockout.
$properties = @(
    'TimeCreated',
    @{n='Account Name';         e={$_.Properties[0].Value}},   # TargetUserName: the locked account
    @{n='Caller Computer Name'; e={$_.Properties[1].Value}}    # TargetDomainName holds the caller computer in 4740
)
# Newest events first; -MaxEvents keeps the query fast on a busy Security log.
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4740} -MaxEvents 50 | Select-Object $properties


The account lockout source is in the Caller Computer Name field.
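The 4740 event tells you which machine submitted the bad credentials, but not which client was behind it. The following script, an added example that is not part of the original article, pulls the 4740 events for one user from a DC (the PDC emulator by default) and then looks a few minutes before each lockout for the 4771 and 4776 bad-password events on the same DC, which carry the client IP address or the source workstation. It reads fields from the event XML by name rather than by Properties[] index, because the index order differs between event IDs. It assumes the ActiveDirectory module, event-log read rights on the DC, and that Kerberos Authentication Service and Credential Validation auditing are enabled there; jjackson is a placeholder. If the 4740 event names another DC as the caller, run the same function against that DC with -Server.

```powershell
# Added example (not from the original article): correlate 4740 lockouts with
# the 4771/4776 bad-password events that preceded them on the same DC.
# Assumes the ActiveDirectory module, event-log read rights on the DC, and
# Kerberos Authentication Service / Credential Validation auditing enabled there.
# 'jjackson' is a placeholder.
Import-Module ActiveDirectory

# Read a named EventData field from the event XML instead of relying on
# positional Properties[] indexes, which differ between event IDs.
function Get-EventField {
    param($Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$Server = (Get-ADDomain).PDCEmulator,  # DC to query; 4740 always lands on the PDC
        [int]$Days = 3,
        [int]$WindowMinutes = 10
    )
    $since = (Get-Date).AddDays(-$Days)

    # -ErrorAction SilentlyContinue: "no events found" is a non-terminating error.
    $lockouts = Get-WinEvent -ComputerName $Server -FilterHashtable @{
            LogName = 'Security'; ID = 4740; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User }

    foreach ($lock in $lockouts) {
        # In 4740 the TargetDomainName field is what the UI shows as "Caller Computer Name".
        [pscustomobject]@{
            Time   = $lock.TimeCreated
            Event  = 4740
            Source = Get-EventField $lock 'TargetDomainName'
            Detail = 'account locked out'
        }

        # Bad-password events on this DC shortly before the lockout.
        $window = @{
            LogName   = 'Security'
            ID        = 4771, 4776
            StartTime = $lock.TimeCreated.AddMinutes(-$WindowMinutes)
            EndTime   = $lock.TimeCreated.AddSeconds(5)
        }
        Get-WinEvent -ComputerName $Server -FilterHashtable $window -ErrorAction SilentlyContinue |
            Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
            ForEach-Object {
                $status = Get-EventField $_ 'Status'
                if ($_.Id -eq 4771) {
                    # Kerberos: Status 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password).
                    # IpAddress is often IPv4-mapped IPv6, e.g. ::ffff:10.1.2.3.
                    $src = (Get-EventField $_ 'IpAddress') -replace '^::ffff:', ''
                } else {
                    # NTLM: Status 0xC000006A = STATUS_WRONG_PASSWORD. Workstation may be empty.
                    $src = Get-EventField $_ 'Workstation'
                }
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Event  = $_.Id
                    Source = $src
                    Detail = "status $status"
                }
            }
    }
}

Get-LockoutSource -User 'jjackson' | Sort-Object Time | Format-Table -AutoSize
```

Read the output bottom-up: the 4771 or 4776 lines immediately above each 4740 are the attempts that counted toward the threshold, and their Source column is the address you go and inspect. An empty Workstation on 4776 with a DC as the 4740 caller is the classic signature of an RDP client (mstsc) or a non-Windows device authenticating via NTLM; in that case the 4625 events on the server the user was connecting to carry the Source Network Address.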

Common Causes of Account Lockouts

Most often, lockouts start right after the user has changed the domain password, because something still holds the old one. Periodic lockouts can have different causes; in production environments the most common are:

  1. User errors when typing a password: the user mistypes it or has forgotten a recently changed password;
  2. An unclosed RDS session: usually happens when the user disconnected the remote session instead of logging off, so processes in the old session keep authenticating with the old password. You can prevent this by forcing disconnected and idle Remote Desktop sessions to end after a time limit, using the policies Set time limit for disconnected sessions and Set time limit for active but idle Remote Desktop Services sessions (together with End session when time limits are reached) in the GPO section Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits;
  3. A user password saved in a Windows service. Don't run services on domain servers and computers under a personal user account. Use a dedicated service account (with a password that never expires) or, better, a group Managed Service Account (gMSA), whose password Windows rotates automatically;
  4. User credentials saved in Task Scheduler jobs. As with services, personal user accounts are often used to run scheduled tasks; use service accounts (or gMSAs) instead;
  5. Mobile devices with saved user credentials: check the email client settings on the user's phone or tablet (Outlook, ActiveSync, etc.) for saved AD credentials. Saved Wi-Fi passwords also fall into this category if Wi-Fi authentication uses Active Directory accounts through a RADIUS server (for example NPS);
  6. A user password saved in the Windows Credential Manager (cmdkey /list, run as that user, shows the stored entries).
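Once the 4740 event (or the 4771/4776 events behind it) names a computer, the causes above are what you go and check on it. The following function, an added example that is not part of the original article, enumerates on one computer the services and scheduled tasks configured to run as the user and any sessions still running processes under that account, which covers causes 2 to 4. It assumes CIM and WinRM access to the target with local administrator rights (Get-Process -IncludeUserName needs elevation); LON-WS01 and jjackson are placeholders.

```powershell
# Added example (not from the original article): find the usual places a stale
# password hides on the computer that 4740 named as the caller.
# Assumes CIM/WinRM access and local admin rights on the target; 'LON-WS01' and
# 'jjackson' are placeholders.
function Find-StaleCredentialUse {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$User     # sAMAccountName, without domain prefix
    )

    # 1. Services configured to log on as the user (DOMAIN\user, .\user or user@domain).
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -like "*\$User" -or $_.StartName -like "$User@*" } |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Account = $_.StartName; State = $_.State }
        }

    Invoke-Command -ComputerName $ComputerName -ArgumentList $User -ScriptBlock {
        param($U)

        # 2. Scheduled tasks whose principal is the user.
        Get-ScheduledTask |
            Where-Object { $_.Principal.UserId -like "*$U" } |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'ScheduledTask'; Name = $_.TaskName; Account = $_.Principal.UserId; State = $_.State }
            }

        # 3. Sessions still running processes as the user: a disconnected RDS
        #    session keeps its cached credentials alive and retries with the old password.
        Get-Process -IncludeUserName |
            Where-Object { $_.UserName -like "*\$U" } |
            Group-Object SessionId |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'Session'; Name = "session $($_.Name)"; Account = $U; State = "$($_.Count) processes" }
            }
    } | Select-Object Kind, Name, Account, State
}

Find-StaleCredentialUse -ComputerName 'LON-WS01' -User 'jjackson' | Format-Table -AutoSize
```

Credential Manager entries (cause 6) are stored per user and cannot be listed remotely for another account, so that check is cmdkey /list run in the user's own logon session. Mobile devices (cause 5) do not show up here at all; for those, the client IP in the 4771 events is the lead.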

Using Account Lockout Tool to Track Lockout Events

To find the account lockout source on all domain controllers at once, you can use the Microsoft LockoutStatus.exe utility from the Account Lockout and Management Tools package.

Download the Microsoft Account Lockout and Management Tools (ALTools.exe), extract the archive and run LockoutStatus.exe. Select File > Select Target and enter the user name (sAMAccountName).


If you run LockoutStatus.exe under a non-privileged user account, check the box "Use Alternate Credentials" and enter credentials with domain admin privileges; these are needed to query every domain controller. The utility asks each DC in the domain for the user's lockout-related attributes (bad password count, last bad password time, lockout time), some of which are DC-local and not replicated, and shows them side by side.

Here you can see the user's current state on each DC (Locked or Not Locked), the Lockout Time, the Bad Pwd Count and Last Bad Pwd time on each DC, and the DC on which the lockout originated (Orig Lock). The DC with the most recent bad password attempts is the one whose Security log you should search for the 4740 event and the 4771/4776 events that preceded it.


You can unlock the user account directly from the tool: select a DC, right-click the user and select Unlock Account. An unlock triggers urgent replication, so the change reaches all DCs in the domain almost immediately and the user can log on again. You can also reset the user's password with the Reset User's Password menu item.
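The same per-DC view that LockoutStatus.exe gives can be produced with PowerShell, which is handy on a jump host where the tool is not installed. The function below is an added example, not code from the original article or from the tool: it asks every domain controller for the user's badPwdCount, badPasswordTime and lockoutTime (the first two are not replicated, so each DC keeps its own copy) and reports unreachable DCs instead of silently skipping them. A second function performs the unlock against the PDC emulator, which mirrors the Unlock-ADAccount note earlier on the page. It assumes the ActiveDirectory module and read access to every DC; jjackson is a placeholder.

```powershell
# Added example (not from the original article): LockoutStatus.exe-style per-DC
# view in PowerShell. badPwdCount and badPasswordTime are DC-local (not
# replicated); lockoutTime is replicated urgently but may lag on a DC that is
# behind. Assumes the ActiveDirectory module and read access to every DC.
# 'jjackson' is a placeholder.
Import-Module ActiveDirectory

function Get-LockoutStatusPerDC {
    param([Parameter(Mandatory)][string]$Identity)

    $props = 'badPwdCount', 'badPasswordTime', 'lockoutTime', 'LockedOut'
    foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName -Properties $props -ErrorAction Stop

            # FILETIME attributes: 0 means "never", so leave those empty rather than showing 1601.
            $lastBad = $null
            if ($u.badPasswordTime) { $lastBad = [DateTime]::FromFileTime($u.badPasswordTime) }
            $locked = $null
            if ($u.lockoutTime)     { $locked  = [DateTime]::FromFileTime($u.lockoutTime) }

            [pscustomobject]@{
                DC              = $dc.HostName
                State           = if ($u.LockedOut) { 'Locked' } else { 'Not locked' }
                BadPwdCount     = $u.badPwdCount
                LastBadPassword = $lastBad
                LockoutTime     = $locked
            }
        } catch {
            # A DC that is down or unreachable is reported, not skipped: it may be
            # exactly the one that holds the bad-password counter you are after.
            [pscustomobject]@{
                DC              = $dc.HostName
                State           = "ERROR: $($_.Exception.Message)"
                BadPwdCount     = $null
                LastBadPassword = $null
                LockoutTime     = $null
            }
        }
    }
}

function Unlock-OnPdc {
    param([Parameter(Mandatory)][string]$Identity)
    # Unlocking on the PDC emulator is enough: an unlock triggers urgent replication.
    Unlock-ADAccount -Identity $Identity -Server (Get-ADDomain).PDCEmulator
}

Get-LockoutStatusPerDC -Identity 'jjackson' | Format-Table -AutoSize
# Unlock-OnPdc -Identity 'jjackson'
```

The DC with the highest BadPwdCount and the newest LastBadPassword is the one that received the failed attempts, so that is where the 4771/4776 events are; the PDC emulator will additionally hold the 4740 event regardless of where the attempts landed.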


That's all! I hope this helps you fix the issues when an AD account keeps locking out.

Cyril Kardashevsky

7 comments

  1. So, we know where the account lockout originated from, which was another domain controller. But we are still having issues, and how do we fix it? I rebooted the domain controller also and re-ran the Account Lockout tool and it still shows the same domain controller and the account is locked. I have been having this account lockout happening for the last 3 days and I am not sure where exactly the issue is and how to fix it.

    1. Did you find a solution for this? I am having the same issue for a particular user and I can’t tell why their account is being locked out.

  2. The registry path is not consistent with the one found in Windows 2012 R2. A good thing could be to mention which OS the instructions are valid for.
    The most similar path I found would be:
    Computer Configuration > Policies > Windows Settings > Security Settings > Local policies > Audit Policy > Audit account management.

    In my case, the perpetrator was MSTSC… sigh… no IP no Computer Name… Could be anyone…

    1. I have exactly the same issue for some users… no credentials saved… no other devices connected… MSTSC in use…

      Thanks for reopening the topic or publishing the solution.

      Regards

  3. After looking at the accounts, the GPO requires strong password changes every 30 days. When this happens users need to update their cellphones and iPads, etc. If not, these devices try logging in with the old password and they get locked out after the device makes 3 attempts (also set by GPO).
