
AD Account Keeps Locking Out


Sometimes an AD account keeps locking out: when you try to log on to a domain computer, the login screen shows the error The referenced account is currently locked out and may not be logged on to. This message means that the account has been automatically and temporarily locked according to the Active Directory domain security policy.

Active Directory Account Keeps Locking Out

The message about the account lockout looks as shown on the screenshot below:

AD Account Keeps Locking Out

In this case the account was locked because the wrong password was entered several times. The number of invalid attempts that is allowed is set by the domain policy Account lockout threshold, which is located in the following GPO section: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy.

As a rule, the account lockout settings for the domain are configured in the Default Domain Policy.

In addition to the Account lockout threshold policy, the Account lockout duration policy in the same section is also of interest. It determines how long the account stays locked.

In our example, the settings for locking users in the domain are configured as follows:

  • Account lockout threshold – 10 invalid logon attempts;
  • Account lockout duration – 10 minutes;
  • Reset account lockout counter after – 10 minutes.

AD lock Out duration

Thus, if you wait 10 minutes after the lockout, the account is unlocked automatically.

If you don't want to wait for the automatic unlock, an administrator can find the user account in the Active Directory Users and Computers console, open the Account tab, check the box Unlock account. This account is currently locked out on this Active Directory Domain Controller and click OK.
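The same three policy values and the same unlock step can be handled from PowerShell with the ActiveDirectory module (RSAT). This is an added example, not code from the original article; it assumes the module is installed and uses the placeholder user name jsmith.

```powershell
# Added example (not from the original article): read the domain lockout policy,
# check whether a user is locked, and unlock it with the ActiveDirectory module.
# Assumes RSAT / the ActiveDirectory module is installed; 'jsmith' is a placeholder.
Import-Module ActiveDirectory

$SamAccountName = 'jsmith'   # placeholder, replace with the real account name

# The three settings configured in the Default Domain Policy:
# LockoutThreshold          = Account lockout threshold
# LockoutDuration           = Account lockout duration
# LockoutObservationWindow  = Reset account lockout counter after
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# Current state of the account; lockoutTime is stored as a Windows file time.
Get-ADUser -Identity $SamAccountName -Properties LockedOut, lockoutTime, badPwdCount |
    Select-Object SamAccountName, LockedOut, badPwdCount,
        @{ Name = 'LockoutTime'; Expression = {
            if ($_.lockoutTime) { [DateTime]::FromFileTime($_.lockoutTime) } } }

# All accounts that are currently locked out in the domain.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut

# Same effect as ticking "Unlock account" on the ADUC Account tab.
Unlock-ADAccount -Identity $SamAccountName
```

Unlock-ADAccount needs the same rights as the ADUC checkbox (for example, Account Operators or delegated "Unlock account" permission on the OU); unlocking without finding the source only postpones the next lockout.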

AD unlock account

But in some cases accounts get locked without any apparent reason. The user reports that he did nothing and never entered a wrong password, yet his account is locked for some reason. The administrator can unlock it manually at the user's request, but after a while the situation repeats.

In this case you must first determine the name or IP address of the computer from which the lockout originates. To do this, check that the Audit User Account Management policy is enabled on the domain controllers in the Default Domain Controllers Policy (Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy section).

AD Account log on

The account lockout event can be found in the Security log (Event Viewer -> Windows Logs) on the domain controller. Right-click the Security item and select Filter Current Log.


AD Account log on filter

Filter the security log by Event ID 4740.

AD Account filter current log

You will see the list of domain user account lockout events on this DC (with the message A user account was locked out). Find the latest entry that contains the name of the user in question in the Account Name field. The Caller Computer Name field shows the name of the computer from which the lockout came. In this case the computer name is LON-DC01.
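The same Event ID 4740 search can be run against every domain controller at once instead of filtering the Security log on each DC by hand. This is an added example, not code from the article; it assumes the ActiveDirectory module, remote event-log read rights on the DCs, the Audit User Account Management policy enabled as described above, and the placeholder user name jsmith.

```powershell
# Added example (not from the original article): collect "A user account was locked out"
# events (Event ID 4740) from the Security log of every DC and show, for one user,
# when the lock was set and which computer caused it.
# Assumes the ActiveDirectory module and remote Security-log read rights; 'jsmith' is a placeholder.
Import-Module ActiveDirectory

$SamAccountName = 'jsmith'                 # placeholder account name
$Since          = (Get-Date).AddDays(-1)   # how far back to search

$dcs = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        # Get-WinEvent throws when no events match, so the error is caught per DC.
        Get-WinEvent -ComputerName $dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since }
    } catch {
        Write-Warning "No 4740 events on $dc since $Since, or no access: $($_.Exception.Message)"
    }
}

$hits = foreach ($e in $events) {
    # Read the EventData fields by name rather than by position. In event 4740 the
    # "Caller Computer Name" shown in Event Viewer is carried in TargetDomainName.
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

    if ($data['TargetUserName'] -ne $SamAccountName) { continue }

    [pscustomobject]@{
        Time           = $e.TimeCreated
        DC             = $e.MachineName
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
    }
}

$hits | Sort-Object Time -Descending | Format-Table -AutoSize
```

Remote Get-WinEvent requires the "Remote Event Log Management" firewall rule on the DCs. If the CallerComputer column shows a DC name (as LON-DC01 in the screenshot above), the bad passwords reached that DC through another service, for example an RDP gateway, Exchange or a VPN, and the search continues on that server.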

AD Account was lock out

Most often, an account starts locking out after the user has changed the domain password. A periodic lockout is then caused by something that still uses the old password: a terminal session that was not closed, a password saved in Credential Manager, a scheduled task or a Windows service.
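Once the Caller Computer Name is known, the four sources just listed can be checked on that computer. This is an added example, not code from the article; it is meant to run locally on the caller computer (or through Invoke-Command) with administrator rights and uses the placeholder user name jsmith.

```powershell
# Added example (not from the original article): on the computer named in
# "Caller Computer Name", list the usual holders of an old password after a
# password change: open or disconnected sessions, Credential Manager entries,
# scheduled tasks and services running as the user. 'jsmith' is a placeholder.
$UserName = 'jsmith'

"== Logon sessions (a disconnected RDP session keeps using the old password) =="
# quser returns an error when nobody is logged on; that output is discarded.
quser 2>$null | Select-String -Pattern $UserName

"== Credential Manager entries (only those of the account running this script) =="
cmdkey /list | Select-String -Pattern $UserName

"== Mapped drives and other SMB connections of the current session =="
net use 2>$null

"== Scheduled tasks whose principal is the user =="
Get-ScheduledTask | Where-Object { $_.Principal.UserId -like "*$UserName*" } |
    Select-Object TaskName, TaskPath, State,
        @{ Name = 'RunAs'; Expression = { $_.Principal.UserId } }

"== Services whose logon account is the user =="
Get-CimInstance -ClassName Win32_Service | Where-Object { $_.StartName -like "*$UserName*" } |
    Select-Object Name, StartName, State, StartMode
```

cmdkey only lists the credentials of the account running it, so the Credential Manager check has to be repeated in the user's own session. Anything found here should be updated to the new password or removed, otherwise the lockout returns after the next Reset account lockout counter interval.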

Using Lockout Tool

To find the lockout source on all domain controllers at once, you can use the LockoutStatus.exe utility (Account Lockout and Management Tools).

Download, extract and run the utility, then select File -> Select Target and enter the username.

AD unlock account credentials

Here you can see the user's current state on each DC (Locked), the Lockout Time, the Bad Password Count on each DC and the name of the computer from which the lockout occurred (Orig Lock).
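The per-DC view that LockoutStatus.exe produces can also be built from PowerShell, which is handy on a server without the tool installed. This is an added example, not code from the article or from the Account Lockout and Management Tools; it assumes the ActiveDirectory module and uses the placeholder user name jsmith.

```powershell
# Added example (not from the original article): a PowerShell equivalent of the
# LockoutStatus.exe table. badPwdCount and badPasswordTime are not replicated
# between DCs, so each DC must be asked individually. 'jsmith' is a placeholder.
Import-Module ActiveDirectory

$SamAccountName = 'jsmith'   # placeholder account name

$status = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc -ErrorAction Stop `
                -Properties LockedOut, lockoutTime, badPwdCount, badPasswordTime
        [pscustomobject]@{
            DC              = $dc
            LockedOut       = $u.LockedOut
            # Both timestamps are Windows file times; 0 means "not set".
            LockoutTime     = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
        }
    } catch {
        Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
    }
}

# The DC with the highest BadPwdCount and the newest LastBadPassword is the one
# that received the wrong passwords; its 4740 event names the caller computer.
$status | Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

Because every DC forwards bad-password attempts to the PDC emulator before locking the account, the PDC emulator normally shows the highest count and always holds the matching 4740 event.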

AD dc account

That’s all! Hope this was useful to fix the issues when AD account keeps locking out!
