Active Directory Account Keeps Locking Out


Sometimes a domain account keeps locking out: when you try to log on to a domain-joined computer, the logon screen shows the error The referenced account is currently locked out and may not be logged on to. This message means the account has been temporarily locked by the domain's Account Lockout Policy, which is part of the Active Directory domain security policy.


Screenshot: the account lockout message on the Windows logon screen.

In this case the account was locked because the wrong password was entered several times. The number of failed attempts that is allowed before the lock is set by the domain policy Account lockout threshold, located in the GPO section Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy.

Account lockout settings for domain accounts only take effect from a GPO linked at the domain level, so as a rule they are configured in the Default Domain Policy. If fine-grained password policies (Password Settings Objects) are in use, a PSO applied to the user or to one of their groups overrides these values for that account.

Besides Account lockout threshold, two more policies in the same section matter: Account lockout duration, which determines how long the account stays locked, and Reset account lockout counter after, which determines how long the failed-attempt counter is kept before it is reset to zero.

In our example, the settings for locking users in the domain are configured as follows:

  • Account lockout threshold – 10 invalid logon attempts;
  • Account lockout duration – 10 minutes;
  • Reset account lockout counter after – 10 minutes.


Thus, if you wait 10 minutes after the lockout, the account is unlocked automatically. If Account lockout duration is set to 0, the account stays locked until an administrator unlocks it; when a duration is set, Reset account lockout counter after cannot be longer than it.

If you don't want to wait for the automatic unlock, an administrator can open the user account in the Active Directory Users and Computers console, switch to the Account tab, check the box Unlock account. This account is currently locked out on this Active Directory Domain Controller, and click OK.
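The same check and unlock from PowerShell, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module is installed and uses a hypothetical user name jsmith; it reads the effective lockout settings (including any fine-grained policy applied to the user), lists the accounts that are currently locked, and unlocks only the one requested.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory module;
# 'jsmith' is a hypothetical sAMAccountName.
param([string]$User = 'jsmith')

Import-Module ActiveDirectory

# 1. Effective lockout settings: the domain-level policy, unless a PSO overrides it for this user.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
$userPolicy   = Get-ADUserResultantPasswordPolicy -Identity $User   # $null when no PSO applies
$effective    = if ($userPolicy) { $userPolicy } else { $domainPolicy }

[pscustomobject]@{
    Source                   = if ($userPolicy) { "PSO: $($userPolicy.Name)" } else { 'Default Domain Policy' }
    LockoutThreshold         = $effective.LockoutThreshold          # 0 = accounts are never locked out
    LockoutDuration          = $effective.LockoutDuration           # 00:00:00 = locked until an admin unlocks
    LockoutObservationWindow = $effective.LockoutObservationWindow  # "Reset account lockout counter after"
} | Format-List

# 2. Every user account that is currently locked out, with the time the lock was set.
Search-ADAccount -LockedOut -UsersOnly |
    ForEach-Object { Get-ADUser -Identity $_.SamAccountName -Properties lockoutTime, badPwdCount } |
    Select-Object SamAccountName, badPwdCount,
                  @{ n = 'LockoutTime'; e = { if ($_.lockoutTime) { [DateTime]::FromFileTime($_.lockoutTime) } } } |
    Format-Table -AutoSize

# 3. Unlock only the account that was asked for, then re-read it to confirm the flag is cleared.
$acct = Get-ADUser -Identity $User -Properties LockedOut
if ($acct.LockedOut) {
    Unlock-ADAccount -Identity $acct
    $acct = Get-ADUser -Identity $User -Properties LockedOut
}
"{0} locked out: {1}" -f $acct.SamAccountName, $acct.LockedOut
```

Run it on a domain-joined admin workstation; the unlock in step 3 requires the same rights as the ADUC checkbox, and unlocking without finding the source of the bad passwords only buys time until the next lockout.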


But in some cases accounts get locked for no apparent reason. The user reports that they did nothing and never entered a wrong password, yet the account is locked. The administrator can unlock it manually at the user's request, but after a while it locks again.

In this case you first have to determine the name or IP address of the computer from which the failed logons come. Check that account management auditing is enabled on the domain controllers in the Default Domain Controllers Policy: either the legacy policy Audit account management (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy) or, preferably, Audit User Account Management under Advanced Audit Policy Configuration -> Audit Policies -> Account Management. Auditing Success is enough, because a lockout is recorded as a success event.


The lockout event is written to the Security log (Event Viewer -> Windows Logs -> Security) of the domain controller that locked the account, and also to the Security log of the PDC emulator, because every DC forwards failed password attempts and lockouts to it. So the PDC emulator is the first place to look. Right-click the Security log and select Filter Current Log.


Filter the security log by event with Event ID 4740.


You will see the list of lockout events for domain accounts on this DC (message A user account was locked out). Find the latest entry whose Account Name under Account That Was Locked Out is the user you are interested in (the Account Name under Subject is the DC that reported the lock, not the user). Caller Computer Name shows the computer from which the bad passwords were sent; in this case it is LON-DC01. If the caller is a domain controller itself, or the field is empty, the failed logons arrived through a service on that DC (an LDAP bind, a RADIUS/NPS server, a mail client connecting through Exchange, and so on). In that case look on that DC for events 4771 (Kerberos pre-authentication failed, field Client Address) and 4776 (NTLM credential validation, field Source Workstation) for the same account around the lockout time.
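Doing the same filtering from PowerShell, as an added example that is not part of the original article. It assumes the RSAT ActiveDirectory module, permission to read the domain controllers' Security logs remotely, and a hypothetical user jsmith. It queries the PDC emulator for event 4740, reports the caller for that account and, when the caller is itself a DC or is empty, goes to that DC for the 4771/4776 events that name the real client.

```powershell
# Added example, not code from the original article. Reads event 4740 on the PDC emulator
# (every lockout is reported there), shows the Caller Computer Name and, if the caller is a DC
# or blank, follows up with 4771/4776 on that DC to get the client address.
# Assumes the RSAT ActiveDirectory module and rights to read DC Security logs; 'jsmith' is hypothetical.
param(
    [string]$User = 'jsmith',
    [int]$Days = 7
)

Import-Module ActiveDirectory

# Turn an event's EventData into a hashtable keyed by field name (TargetUserName, IpAddress, ...).
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddDays(-$Days)

# Event 4740: TargetUserName is the locked account; the Caller Computer Name is carried in
# the TargetDomainName field of the event data.
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -eq $User) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Caller = $d.TargetDomainName
                DC     = $_.MachineName
            }
        }
    } | Sort-Object Time -Descending

if (-not $lockouts) {
    "No 4740 events for $User on $pdc in the last $Days days."
    return
}
$lockouts | Format-Table -AutoSize

# If the caller is a domain controller (or empty), the bad password came through a service on
# that DC. 4771 (Kerberos pre-auth failed) carries the client IP in IpAddress;
# 4776 (NTLM validation) carries the client name in Workstation.
$latest  = $lockouts | Select-Object -First 1
$dcNames = (Get-ADDomainController -Filter *).Name
if (-not $latest.Caller -or ($dcNames -contains $latest.Caller)) {
    $dc     = if ($latest.Caller) { $latest.Caller } else { $latest.DC }
    $window = @{ LogName = 'Security'; Id = 4771, 4776
                 StartTime = $latest.Time.AddMinutes(-15); EndTime = $latest.Time.AddMinutes(1) }
    Get-WinEvent -ComputerName $dc -FilterHashtable $window -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d.TargetUserName -like "$User*") {    # 4771 may report user@REALM
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Id     = $_.Id
                    Client = if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
                }
            }
        } | Format-Table -AutoSize
}
```

Remote Get-WinEvent needs the Remote Event Log Management firewall rules open on the DCs; if they are not, run the script on the PDC emulator itself and drop -ComputerName. Parsing the EventData XML rather than the message text avoids the trap that Account Name appears twice in the 4740 message.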


Most often the lockouts start after the user has changed the domain password: something is still trying to authenticate with the old one. Typical sources are a disconnected terminal (RDP) session, a password saved in Credential Manager, a mapped network drive, a scheduled task or Windows service running under the account, or a mobile device that syncs mail.

Using Lockout Tool

To see the lockout status of an account on all domain controllers at once you can use LockoutStatus.exe from the Microsoft Account Lockout and Management Tools (ALTools) package.

Download and extract the package, run LockoutStatus.exe, select File -> Select Target and enter the user name.


The window shows, for each DC, the user state (Locked or Not Locked), Lockout Time, the Bad Pwd Count held by that DC, the time of the last bad password and, in the Orig Lock column, the DC on which the lockout originated. Note that Orig Lock names a domain controller, not the client computer: open that DC's Security log and read Caller Computer Name from its 4740 event to find the client. The bad password counter (badPwdCount) is not replicated between DCs, so the DC with the highest count and the most recent bad password time is the one receiving the failed logons.
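The same per-DC view built from the ActiveDirectory module, as an added example that is part of neither the original article nor the ALTools package. It assumes RSAT is installed and uses a hypothetical user jsmith; because badPwdCount and badPasswordTime are not replicated, each DC is queried directly with -Server.

```powershell
# Added example (not from the original article or ALTools): per-DC lockout status, the view
# LockoutStatus.exe gives, built from Get-ADUser. Assumes RSAT; 'jsmith' is a hypothetical user.
param([string]$User = 'jsmith')

Import-Module ActiveDirectory

# Convert a FILETIME attribute to a local DateTime; 0 / empty means "never".
function ConvertFrom-FileTime([object]$Value) {
    if ($Value -and [int64]$Value -gt 0) { [DateTime]::FromFileTime([int64]$Value) } else { $null }
}

$attrs  = 'lockoutTime', 'badPwdCount', 'badPasswordTime', 'pwdLastSet', 'LockedOut'
$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -Server pins the query to this one DC, so the non-replicated counters are its own.
        $u = Get-ADUser -Identity $User -Server $dc.HostName -Properties $attrs -ErrorAction Stop
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            LockedOut   = $u.LockedOut
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = ConvertFrom-FileTime $u.badPasswordTime
            LockoutTime = ConvertFrom-FileTime $u.lockoutTime
            PwdLastSet  = ConvertFrom-FileTime $u.pwdLastSet
        }
    } catch {
        # An unreachable DC is reported rather than silently skipped.
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; LockedOut = "error: $($_.Exception.Message)" }
    }
}

# The DC with the most recent bad password is the one the failing client talks to;
# check its Security log for 4740/4771/4776 next.
$report | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize
```

A LastBadPwd that is later than PwdLastSet on one DC, repeating every few minutes, is the signature of a cached old password on a client in that DC's site.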


That’s all! Hope this was useful to fix the issues when AD account keeps locking out!
