AD Account Keeps Locking Out

Sometimes an AD user account keeps locking out. The symptom is that a user tries to log on to a domain computer and gets the error on the logon screen: The referenced account is currently locked out and may not be logged on to. This message means the account has been automatically and temporarily locked by the Active Directory domain security policy and cannot be used to log on to domain computers until it is unlocked.

The message about the account lockout looks as shown on the screenshot below:


In this case, the account was blocked due to several attempts to enter the wrong password.

Active Directory Account Lockout Domain Policy

The number of attempts to enter the wrong password is specified in the Account lockout threshold Group Policy option, which is located in the following GPO section Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.

Account policies for domain accounts are read only from GPOs linked at the domain root, which is why the lockout settings are most often configured in the Default Domain Policy. You can change the lockout values there (or in another GPO linked at the domain level).

In addition to the Account lockout threshold policy, two other settings in the same section matter: Account lockout duration, which determines how long the account stays locked, and Reset account lockout counter after, which determines how long the counter of bad attempts is kept before it is reset to zero.

In our example, the user account lockout settings in the domain are configured as follows:

  • Account lockout threshold — 10 invalid logon attempts;
  • Account lockout duration — 10 minutes;
  • Reset account lockout counter after — 10 minutes.

The Account Lockout policy helps to protect your domain from online brute-force attacks: a brute-force script cannot try a large number of password combinations against one account, because after 10 wrong passwords within the 10-minute observation window the target account is locked. Keep in mind the policy's limits: an attacker who knows the threshold can spray one or two common passwords across many accounts and stay below it, and an attacker who deliberately enters wrong passwords can lock out arbitrary accounts (a denial of service), which is one reason the threshold should not be set too low.


Thus, if you wait 10 minutes after the lockout, the account is unlocked automatically.

Starting with the Windows Server 2008 domain functional level, you can create individual password and lockout policies for specific users and groups. For this, Fine-Grained Password Policies (FGPP) are used. You can check whether a custom Password Settings Object (PSO) is applied to a specific user with the following PowerShell command (the same command returns the lockout settings for that user; it returns nothing if no PSO applies and the user is governed by the domain policy):

Get-ADUserResultantPasswordPolicy -Identity m.becker

To list the lockout settings in the Default Domain Policy, run the command:

Get-ADDefaultDomainPasswordPolicy | select *lockout*|ft


If LockoutDuration = 0 (shown as 00:00:00), a locked account is never unlocked automatically. Only an administrator can remove the lock. Note also that LockoutThreshold = 0 means the opposite: accounts are never locked at all, however many wrong passwords are entered.
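
The following is an added example, not code from the original article: it resolves the lockout policy that actually applies to a user, falling back to the domain default when no PSO is applied, and flags the two edge cases above (a threshold of 0 and a duration of 0). The user name m.becker is an assumption carried over from the article's examples.

```powershell
# Added example: resolve the effective lockout policy for one user.
# Requires the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

function Get-EffectiveLockoutPolicy {
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName, e.g. 'm.becker' (assumed)

    # Get-ADUserResultantPasswordPolicy returns $null when no PSO applies to the user,
    # in which case the domain-level policy (normally the Default Domain Policy) is in force.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) {
        $source = "PSO: $($pso.Name) (precedence $($pso.Precedence))"
        $policy = $pso
    } else {
        $source = 'Domain default policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    [pscustomobject]@{
        User                     = $Identity
        Source                   = $source
        LockoutThreshold         = $policy.LockoutThreshold          # 0 = accounts never lock out
        LockoutDuration          = $policy.LockoutDuration           # 00:00:00 = manual unlock only
        LockoutObservationWindow = $policy.LockoutObservationWindow  # "Reset account lockout counter after"
        LockoutEnabled           = ($policy.LockoutThreshold -gt 0)
        AutoUnlock               = ($policy.LockoutThreshold -gt 0 -and
                                    $policy.LockoutDuration -gt [TimeSpan]::Zero)
    }
}

Get-EffectiveLockoutPolicy -Identity 'm.becker' | Format-List
```

Run it before troubleshooting a "keeps locking out" ticket: if the user is covered by a PSO, the threshold and duration you see in the Default Domain Policy are not the ones being enforced for that account.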

If you don't want to wait for the automatic unlock, an administrator can find the user account in the Active Directory Users and Computers console, open the Account tab, check the box Unlock account. This account is currently locked out on this Active Directory Domain Controller, and click OK.


You can check if the AD account is locked out using the PowerShell command:

Import-Module ActiveDirectory

Get-ADUser -Identity m.becker -Properties LockedOut | Select-Object samaccountName,Lockedout


The Search-ADAccount cmdlet allows you to display information about all locked accounts in a domain:

Search-ADAccount -LockedOut -UsersOnly | Select-Object Name, SamAccountName, Lockedout


Note. You can also use the PowerShell cmdlet Unlock-ADAccount to unlock a user account (the -Confirm switch asks for confirmation before the change is made):

Unlock-ADAccount jjackson -Confirm

If you want to unlock all accounts at once, run:

Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount
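
The bad-password counter (badPwdCount) and the time of the last bad password are not replicated between domain controllers, so a single Get-ADUser query against whichever DC answers can miss where the failures are landing. The following added example (not from the original article) queries every DC in the domain for the account's lockout state and counters, then unlocks the account against the PDC emulator only if it is actually locked. The user name m.becker is an assumption.

```powershell
# Added example: per-DC lockout status for one account, then a conditional unlock.
Import-Module ActiveDirectory

function Get-LockoutStatusOnAllDCs {
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName, e.g. 'm.becker' (assumed)

    # LastBadPasswordAttempt / AccountLockoutTime are per-DC views of badPasswordTime / lockoutTime
    $props = 'LockedOut', 'badPwdCount', 'LastBadPasswordAttempt', 'AccountLockoutTime'

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName -Properties $props -ErrorAction Stop
            [pscustomobject]@{
                DC              = $dc.HostName
                IsPDC           = ($dc.OperationMasterRoles -contains 'PDCEmulator')
                LockedOut       = $u.LockedOut
                BadPwdCount     = $u.badPwdCount
                LastBadPassword = $u.LastBadPasswordAttempt
                LockoutTime     = $u.AccountLockoutTime
            }
        } catch {
            # A DC that is down or unreachable still gets a row so the gap is visible
            [pscustomobject]@{
                DC = $dc.HostName; IsPDC = $null; LockedOut = 'unreachable'
                BadPwdCount = $null; LastBadPassword = $null; LockoutTime = $null
            }
        }
    }
}

$status = Get-LockoutStatusOnAllDCs -Identity 'm.becker'
$status | Sort-Object -Property LastBadPassword -Descending | Format-Table -AutoSize

# The DC with the highest BadPwdCount / newest LastBadPassword is the one receiving the
# failed logons; that is where to read the 4771/4776 events for the source address.
if ($status.LockedOut -contains $true) {
    # Unlock against the PDC emulator; an unlock is replicated urgently to the other DCs
    Unlock-ADAccount -Identity 'm.becker' -Server (Get-ADDomain).PDCEmulator -Confirm
}
```

The per-DC row that shows the newest LastBadPassword and the highest BadPwdCount tells you which DC is authenticating the bad attempts, which narrows down where to look next.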

How to Find Account Lockout Source in Domain?

In some cases, however, accounts are locked without any apparent reason. Users report that they did nothing and never entered a wrong password, yet their account is locked for some reason. The administrator removes the lock at the user's request, but after a while the situation repeats.

In this case, you must first determine the name or IP address of the computer or server from which the lockout originates. To do this, check that account management auditing is enabled on the domain controllers in the Default Domain Controllers Policy. Start the Group Policy Management Console (gpmc.msc) and go to the Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy section, where the legacy setting is named Audit account management. On Windows Server 2008 R2 and later the equivalent advanced subcategory is Audit User Account Management under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management; if any advanced audit settings are configured on the DCs, they take precedence over the legacy settings, so enable the subcategory there.

Enable the checkboxes Define these policy settings and, under Audit these attempts, both Success and Failure. Save the changes in the GPO (and run gpupdate on the DCs, or wait for the next policy refresh).


Look for domain account lockout events on the domain controller holding the PDC Emulator role: every DC forwards failed password attempts to the PDC emulator, so it records a lockout event for every lockout in the domain, regardless of which DC received the bad password. Use the following PowerShell command to locate the PDC emulator:

get-addomain | select PDCEmulator


Log on to the PDC and open the Event Viewer (eventvwr.msc). Expand Event Viewer > Windows Logs > Security. Right-click the Security item and select Filter Current Log.


Filter the security log by the event with Event ID 4740.


You will see a list of the events recorded when domain user accounts were locked out on this DC (with the event message A user account was locked out). Find the latest entry containing the name of the user in question in the Account Name value. The name of the computer from which the lockout originated is shown in the Caller Computer Name value. In this case, the computer name is LON-DC01. Note that when the caller is itself a domain controller (as here), the DC only relayed the bad password from somewhere else: continue on that DC by filtering its Security log for Event ID 4771 (Kerberos pre-authentication failed, which carries the client IP address) or 4776 (NTLM credential validation, which carries the source workstation name) for the same user around the lockout time. The caller field may also be empty for some logon types, in which case the failed-logon events (4625) on the member servers are the next place to look.


Get Account Lockout Source Using PowerShell

Also, you can find the account lockout source on the DC with the PDC FSMO role using PowerShell. Use the following code to list the last account lockout events on the DC:

$properties = @(
    'TimeCreated',
    # In the 4740 event data, index 0 is the locked account and index 1 is Caller Computer Name
    @{n='Account Name';e={$_.Properties[0].Value}},
    @{n='Caller Computer Name';e={$_.Properties[1].Value}}
)
Get-WinEvent -FilterHashTable @{LogName='Security'; ID=4740} | Select $properties


You can get the account lockout source from the ‘Caller Computer Name’ field.

You can find the sources of lockout events for a specific user in the last 2 days using the command:

$username = 'm.becker'
$pdcname = (Get-ADDomain).PDCEmulator
$Date = (Get-Date).AddDays(-2)
# The Data key matches the user name in any of the event's data fields
Get-WinEvent -ComputerName $pdcname -FilterHashtable `
    @{LogName='Security'; ID=4740; Data=$username; StartTime=$Date} |
    Select-Object -Property TimeCreated,
        @{label='username';expression={$_.properties[0].value}},
        @{label='computername';expression={$_.properties[1].value}}
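
The 4740 query above answers "which machine locked the account", but when the Caller Computer Name is a domain controller it only tells you which DC relayed the bad password. The following added example (not code from the original article) chains the two steps: it reads the 4740 events for a user from the PDC emulator, and for each lockout whose caller is a DC it queries that DC for Kerberos pre-authentication failures (4771, which carry the client IP) and NTLM validation failures (4776, which carry the source workstation name) in the half hour before the lockout. The user name m.becker, the two-day window and the event-data field positions used (4740: 0 = account, 1 = caller; 4771: 6 = IP address; 4776: 2 = workstation) are assumptions based on the standard layout of these events; if your environment renders them differently, check a sample event's XML view first.

```powershell
# Added example: find the real source of a lockout, following DC callers to 4771/4776.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName, e.g. 'm.becker' (assumed)
        [int]$Days = 2
    )
    $pdc     = (Get-ADDomain).PDCEmulator
    $start   = (Get-Date).AddDays(-$Days)
    $dcNames = (Get-ADDomainController -Filter *).Name   # short names, to recognise DC callers

    $lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $start; Data = $Identity
    } -ErrorAction SilentlyContinue

    foreach ($ev in $lockouts) {
        $caller = [string]$ev.Properties[1].Value   # Caller Computer Name
        $result = [pscustomobject]@{
            Time    = $ev.TimeCreated
            Account = $ev.Properties[0].Value
            Caller  = $caller
            Source  = $null
            Detail  = ''
        }

        if ([string]::IsNullOrWhiteSpace($caller)) {
            $result.Detail = 'No caller recorded; check 4625 on member servers around this time'
        } elseif ($dcNames -contains $caller) {
            # The DC only relayed the bad password; ask that DC who sent it.
            $window = @{
                LogName   = 'Security'
                StartTime = $ev.TimeCreated.AddMinutes(-30)
                EndTime   = $ev.TimeCreated.AddMinutes(1)
            }
            $krb = Get-WinEvent -ComputerName $caller -MaxEvents 5 -ErrorAction SilentlyContinue `
                -FilterHashtable ($window + @{ Id = 4771; Data = $Identity })
            if ($krb) {
                # Status 0x18 in these events means a wrong password; IP may be IPv4-mapped IPv6
                $ip = [string]$krb[0].Properties[6].Value
                $result.Source = $ip -replace '^::ffff:', ''
                $result.Detail = 'Kerberos pre-auth failures (4771) on this DC from that IP'
            } else {
                $ntlm = Get-WinEvent -ComputerName $caller -MaxEvents 5 -ErrorAction SilentlyContinue `
                    -FilterHashtable ($window + @{ Id = 4776; Data = $Identity })
                if ($ntlm) {
                    $result.Source = $ntlm[0].Properties[2].Value   # Source Workstation
                    $result.Detail = 'NTLM validation failures (4776) on this DC from that workstation'
                } else {
                    $result.Detail = 'Caller is a DC but no 4771/4776 found; check 4625 on that DC'
                }
            }
        } else {
            $result.Source = $caller
            $result.Detail = 'Caller is a member machine; look there for stored credentials'
        }
        $result
    }
}

Get-LockoutSource -Identity 'm.becker' -Days 2 | Format-Table -AutoSize
```

Running this needs Event Log Readers (or admin) rights on the DCs, and 4771/4776 only exist on a DC if Audit Kerberos Authentication Service and Audit Credential Validation failures are being audited there; an empty Source with a DC caller usually means one of those subcategories is off.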


Common Causes of Account Lockouts

Most often, the lockouts begin right after the user has changed the domain password: something is still retrying the old one. Periodic account lockouts can have various reasons. In a production environment, lockout events are most commonly associated with the following causes:

  1. A brute-force attack is actually being performed against your domain. Find the source computer using the steps in this guide and disable or isolate it;
  2. User errors when typing a password. The user mistypes the password or has forgotten a recently changed one;
  3. An unclosed RDP/RDS session. This usually happens when the user disconnected the remote session instead of logging off, so the session keeps running with the old credentials. You can prevent this by forcing idle Remote Desktop sessions to log off, using the policy Set time limit for active but idle Remote Desktop Services sessions in the GPO section Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits;
  4. A saved user password in a Windows service. Don't use personal user accounts to run services on domain servers and computers. Use a separate service account instead (with the password set to never expire) or, better, a group Managed Service Account, whose password Windows rotates automatically;
  5. Saved user credentials in Task Scheduler jobs. As with services, user accounts are often used to run scheduled tasks. It is better to use service accounts for scheduled tasks;
  6. Mobile devices with saved user credentials. Check the mail client settings on the user's mobile devices for saved AD credentials (Outlook, ActiveSync, etc.). Saved passwords for Wi-Fi connections fall into this category as well (if you use Wi-Fi authentication against Active Directory via a RADIUS server);
  7. Saved passwords in browsers;
  8. A saved user password in the Windows Credential Manager. Open the Credential Manager (rundll32.exe keymgr.dll,KRShowKeyMgr) under the user's own session and remove all saved credentials for the domain account.
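
Causes 3, 4, 5 and 8 all leave a trace on the machine that keeps replaying the old password. The following added example (not code from the original article) checks one computer for the usual hiding places at once: services whose logon account is the user, scheduled tasks running as the user, interactive or RDP sessions the user left disconnected, and Credential Manager entries. The user name m.becker and the computer name LON-DC01 are assumptions taken from the article's examples; it uses PowerShell remoting (WinRM), so the target must accept Invoke-Command from your account.

```powershell
# Added example: enumerate places on a host where a user's old password may be stored or replayed.
function Find-StoredCredentialUse {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'm.becker' (assumed)
        [string]$ComputerName = $env:COMPUTERNAME
    )

    Invoke-Command -ComputerName $ComputerName -ArgumentList $SamAccountName -ScriptBlock {
        param($sam)
        # Matches DOMAIN\user, .\user, user@domain or a bare user name (case-insensitive)
        $pattern = "(^|\\|/)$([regex]::Escape($sam))(@|$)"

        # 1. Services whose logon account is the user
        foreach ($svc in Get-CimInstance Win32_Service) {
            if ($svc.StartName -match $pattern) {
                [pscustomobject]@{ Kind = 'Service'; Name = $svc.Name; Detail = $svc.StartName; State = $svc.State }
            }
        }

        # 2. Scheduled tasks whose principal is the user
        foreach ($task in Get-ScheduledTask) {
            if ($task.Principal.UserId -match $pattern) {
                [pscustomobject]@{ Kind = 'ScheduledTask'; Name = $task.TaskName; Detail = $task.Principal.UserId; State = $task.State }
            }
        }

        # 3. Interactive/RDP sessions the user left behind (quser = "query user"; Disc = disconnected)
        foreach ($line in (quser 2>$null)) {
            if ($line -match "^\s*>?$([regex]::Escape($sam))\s+(?<session>\S+)?\s*(?<id>\d+)\s+(?<state>\S+)") {
                [pscustomobject]@{ Kind = 'Session'; Name = "ID $($Matches.id)"; Detail = $line.Trim(); State = $Matches.state }
            }
        }

        # 4. Credential Manager entries. cmdkey /list only shows the vault of the account running
        #    it, so through remoting this sees the admin's vault; run the block in the user's own
        #    logon session to inspect theirs.
        $target = $null
        foreach ($line in (cmdkey /list 2>$null)) {
            if ($line -match '^\s*Target:\s*(.+)$') {
                $target = $Matches[1]
            } elseif ($line -match '^\s*User:\s*(.+)$' -and $Matches[1] -match $pattern) {
                [pscustomobject]@{ Kind = 'CredentialManager'; Name = $target; Detail = $Matches[1]; State = 'saved' }
            }
        }
    } | Select-Object PSComputerName, Kind, Name, Detail, State
}

Find-StoredCredentialUse -SamAccountName 'm.becker' -ComputerName 'LON-DC01' | Format-Table -AutoSize
```

Point it at the machine that the 4740/4771/4776 trail ends on; an empty result on that host means the stale password is most likely on a mobile device, in a browser, or in the user's own Credential Manager vault, which this cannot see from a remoting session.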

Using Account Lockout Tool to Track Lockout Events

To find the account lock source on all domain controllers, you can use the convenient LockoutStatus.exe tool (Account Lockout and Management Tools).

Download the Microsoft Account Lockout and Management Tools (ALTools.exe), extract the archive and run the LockoutStatus.exe utility. Select File > Select Target from the menu and enter the user name (SAMAccountName) you want to check.


If you run the Account Lockout Status utility under a non-privileged user account, check the box Use Alternate Credentials and specify the credentials of an account with domain admin privileges. This is necessary to connect to every domain controller and read the account's state and the lockout events from its Security log. LockoutStatus.exe does essentially what the steps above do by hand: it queries each reachable DC in the domain for the user's lockout status and bad-password counter and collects the lockout (EventID 4740) data, then displays the summary for the account.

Here you can see the current user state on all DCs (Locked), Lockout Time, the value of Bad Password Count on each DC, and the name of the computer from which the lock occurred (Orig Lock).


You can unlock the user account directly from the tool instead of using the ADUC console. To do this, select a DC, right-click the user and select Unlock Account. Unlocking an account is replicated urgently to all DCs in the domain, so the user can log on to domain computers almost immediately. You can also change the user's password by selecting the Reset User's Password menu item.


That's all! Hopefully this helps you fix the issue when an AD account keeps locking out.

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

7 comments

  1. So, we know where the account lockout originated from, which was another domain controller. But we are still having issues, and how do we fix it? I rebooted the domain controller also and re-ran the Account Lockout tool, and it still shows the same domain controller and the account is locked. I have been having this account lockout happening for the last 3 days and I am not sure where exactly the issue is and how to fix it.

    1. Did you find a solution for this? I am having the same issue for a particular user and I can’t tell why their account is being locked out.

  2. The registry path is not consistent with the one found in Windows 2012 R2. A good thing would be to mention which OS the instructions are valid for.
    The most similar path I found would be:
    Computer Configuration > Policies > Windows Settings > Security Settings > Local policies > Audit Policy > Audit account management.

    In my case, the perpetrator was MSTSC… sigh… no IP no Computer Name… Could be anyone…

    1. I have exactly the same issue for some users…no credentials saved….no other devices connected..MSTSC in use…

      Thanks for reopening the topic or publishing the solution.

      Regards

  3. After looking at the accounts the GPO requires strong password changes every 30 days. When this happens users need to update their cellphones and iPads, etc. If not these devices try logging in with the old password and they get locked out after the device makes 3 attempts (also set by GPO).
