Sometimes a domain account keeps locking out: when you try to log on to a domain computer, the logon screen shows the error The referenced account is currently locked out and may not be logged on to. This message means that the account has been temporarily locked by the account lockout policy of the Active Directory domain.
Active Directory Account Keeps Locking Out
The message about the account lockout looks as shown on the screenshot below:
In this case the account was locked because a wrong password was entered several times. The number of failed attempts that is tolerated is set by the domain policy Account lockout threshold, located in the following GPO section: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy.
As a rule, the account lockout settings for the domain are configured in the Default Domain Policy.
Besides Account lockout threshold, two other policies in the same section matter: Account lockout duration, which determines how long the account stays locked, and Reset account lockout counter after, which determines how long the counter of failed attempts is kept before it is reset to zero.
In our example, the settings for locking users in the domain are configured as follows:
- Account lockout threshold – 10 invalid logon attempts;
- Account lockout duration – 10 minutes;
- Reset account lockout counter after – 10 minutes.
Thus, if you wait 10 minutes after the lockout, the account is unlocked automatically.
If you don't want to wait for the automatic unlock, an administrator can find the user account in the Active Directory Users and Computers console, open the Account tab, check the box Unlock account. This account is currently locked out on this Active Directory Domain Controller and click OK.
But in some cases accounts get locked without any apparent reason. The user reports that they did nothing and never entered a wrong password, yet the account is locked. The administrator can unlock it manually at the user's request, but after a while the lockout repeats.
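The same checks and the unlock from the steps above, done from PowerShell with the RSAT ActiveDirectory module (added example, not code from the original article; the user name jsmith is a placeholder). It also covers a case the console view hides: a fine-grained password policy (PSO) that overrides the Default Domain Policy values for this user.

```powershell
# Added example (PowerShell, RSAT ActiveDirectory module), not part of the original article.
Import-Module ActiveDirectory

$user = 'jsmith'   # placeholder user name (assumption)

# 1. Lockout settings of the domain (the values set in the Default Domain Policy).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# 2. A fine-grained password policy (PSO) overrides the domain policy for the users
#    it applies to. The cmdlet returns nothing when no PSO applies to this user.
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($effective) {
    "PSO '$($effective.Name)' applies: threshold $($effective.LockoutThreshold), duration $($effective.LockoutDuration)"
} else {
    "No PSO applies; the Default Domain Policy values above are in effect."
}

# 3. All user accounts that are currently locked out.
Search-ADAccount -LockedOut -UsersOnly |
    Select-Object SamAccountName, LockedOut, LastLogonDate

# 4. Unlock one account without waiting for 'Account lockout duration' to expire.
$acct = Get-ADUser -Identity $user -Properties LockedOut, AccountLockoutTime
if ($acct.LockedOut) {
    Unlock-ADAccount -Identity $user
    "$user was locked since $($acct.AccountLockoutTime) and has been unlocked"
} else {
    "$user is not locked out"
}
```

Run it on a domain-joined machine with RSAT installed, as a user who is allowed to unlock accounts. Unlocking this way only buys time; if the lockout source is not found (next section), the account will lock again as soon as the threshold is reached.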
In this case you must first determine the name or IP address of the computer from which the lockout originates. To do this, make sure that account management auditing is enabled on the domain controllers in the Default Domain Controllers Policy: either the legacy policy Audit account management (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy) or, if advanced auditing is used, the subcategory Audit User Account Management (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management). Success auditing must be on; otherwise the lockout event is not written at all.
Account lockout events are recorded in the Security log (Event Viewer -> Windows Logs) of the domain controller. Right-click the Security log and select Filter Current Log.
Filter the security log by Event ID 4740.
You will see the list of domain account lockout events on this DC (with the message A user account was locked out). Find the most recent entry whose Account Name value is the user in question. The Caller Computer Name field shows the name of the computer from which the lockout came; in this case the computer name is LON-DC01. Note that if the Caller Computer Name is itself a domain controller or is empty, the failed logons were relayed through that DC (for example by a RADIUS/NPS server, a VPN gateway or a mail client authenticating against it), and you have to look at the 4776 (NTLM, Source Workstation field) or 4771 (Kerberos pre-authentication failed, Client Address field) events on that DC around the same time to find the real origin.
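The search described above as a script (added example, not code from the original article): it queries the PDC emulator, which receives a copy of every lockout in the domain, for 4740 events of one user, prints the caller computer, and when the caller is a DC or is blank, follows up with the 4776/4771 bad-password events on that DC in the 15 minutes before the lockout. The user name jsmith and the 15-minute window are assumptions.

```powershell
# Added example (PowerShell, RSAT ActiveDirectory module), not part of the original article.
Import-Module ActiveDirectory

$user = 'jsmith'                        # placeholder user name (assumption)
$pdc  = (Get-ADDomain).PDCEmulator      # every lockout is forwarded to the PDC emulator
$dcNames = (Get-ADDomainController -Filter *).Name

# Turn the EventData section of an event into a name -> value hashtable.
function Get-EventData($evt) {
    $x = [xml]$evt.ToXml(); $h = @{}
    foreach ($d in $x.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                -MaxEvents 500 -ErrorAction SilentlyContinue |
            Where-Object { (Get-EventData $_)['TargetUserName'] -ieq $user }

foreach ($evt in $lockouts) {
    $data = Get-EventData $evt
    # In 4740 the "Caller Computer Name" shown in Event Viewer is stored as TargetDomainName.
    $caller = $data['TargetDomainName']
    [pscustomobject]@{ Time = $evt.TimeCreated; User = $data['TargetUserName']; Caller = $caller; ReportedBy = $evt.MachineName }

    if ([string]::IsNullOrWhiteSpace($caller) -or ($dcNames -contains $caller)) {
        # The bad passwords were relayed through a DC: ask that DC who actually sent them.
        $dc = if ([string]::IsNullOrWhiteSpace($caller)) { $pdc } else { $caller }
        $filter = @{ LogName = 'Security'; Id = 4776, 4771        # 4776 = NTLM, 4771 = Kerberos pre-auth
                     StartTime = $evt.TimeCreated.AddMinutes(-15); EndTime = $evt.TimeCreated }  # window is an assumption
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $ed = Get-EventData $_
                if ($ed['TargetUserName'] -ieq $user) {
                    [pscustomobject]@{
                        Time   = $_.TimeCreated
                        Id     = $_.Id
                        # 4776 carries the Source Workstation name, 4771 the client IP address
                        Source = if ($_.Id -eq 4776) { $ed['Workstation'] } else { $ed['IpAddress'] }
                        # 0xC000006A (4776) and 0x18 (4771) both mean "wrong password"
                        Status = $ed['Status']
                    }
                }
            }
    }
}
```

Reading the Security log of a DC remotely requires the Event Log Readers group (or admin rights) on that DC and the Remote Event Log Management firewall rule. If the 4776/4771 query returns nothing, the corresponding logon auditing (Audit Credential Validation and Audit Kerberos Authentication Service, Failure) is probably not enabled on that DC.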
Most often, the account lockouts begin right after the user has changed the domain password. In this case the periodic lockout is usually caused by something still using the old password: a disconnected terminal (RDP) session, a password saved in Credential Manager, a scheduled task or a Windows service running under the user's account.
Using the Lockout Tool
To find the lockout source on all domain controllers at once, you can use the LockoutStatus.exe utility from the Microsoft Account Lockout and Management Tools (ALTools) package.
Download, extract and run the utility, then select File -> Select Target and enter the user name.
Here you can see the current state of the account on each DC (Locked), the Lockout Time, the Bad Pwd Count on each DC and the DC on which the lockout was originally registered (Orig Lock). The bad password counter is not replicated between domain controllers, which is why the tool has to query every DC; the Security log of the Orig Lock DC is where the 4740 event with the Caller Computer Name is found.
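The per-DC query that LockoutStatus.exe performs, as a PowerShell script (added example, not the tool's own code and not part of the original article; the user name jsmith is a placeholder). Because badPwdCount, the last bad-password time and the lockout time are not replicated, every DC is asked separately, and the DC with the earliest lockout time is reported as the original lockout DC.

```powershell
# Added example (PowerShell, RSAT ActiveDirectory module), not part of the original article.
# badPwdCount, lastBadPasswordAttempt and lockoutTime are NOT replicated between DCs,
# so each DC must be queried separately, which is what LockoutStatus.exe does.
Import-Module ActiveDirectory

$user = 'jsmith'   # placeholder user name (assumption)
$dcs  = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$status = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $user -Server $dc -ErrorAction Stop `
                -Properties LockedOut, badPwdCount, LastBadPasswordAttempt, AccountLockoutTime
        [pscustomobject]@{
            DC              = $dc
            Locked          = $u.LockedOut
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = $u.LastBadPasswordAttempt
            LockoutTime     = $u.AccountLockoutTime
        }
    } catch {
        # An unreachable DC (remote site, firewall) still appears in the table instead of being skipped.
        [pscustomobject]@{
            DC = $dc; Locked = $null; BadPwdCount = $null; LastBadPassword = $null
            LockoutTime = "ERROR: $($_.Exception.Message)"
        }
    }
}

# Same columns as LockoutStatus.exe: state, bad password count and lockout time per DC.
$status | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize

# The DC with the earliest lockout time is the "Orig Lock" DC; its Security log
# holds the 4740 event whose Caller Computer Name points at the source computer.
$orig = $status | Where-Object { $_.LockoutTime -is [datetime] } |
        Sort-Object LockoutTime | Select-Object -First 1
if ($orig) { "Original lockout registered on $($orig.DC) at $($orig.LockoutTime)" }
else       { "$user is not currently locked out on any reachable DC" }
```

If the counts differ wildly between DCs, the DC with the highest BadPwdCount is the one the failing client is authenticating against, which usually narrows the source down to that DC's site.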
That's all! Hopefully this helps you fix the problem of an AD account that keeps locking out.