Have you ever experienced the situation where an Active Directory account is continually locked out? If so then you know how much frustration this can cause. Whether it’s your own account or another user, it must be resolved before you are able to access any network resources. Normally the locked out user is not able to do any work until the issue is resolved. I have run into this a few times and have learned how to resolve the problem pretty quickly. Here are some helpful steps you can follow to diagnose and resolve these Active Directory account lockouts.
How to find the device that caused the lockout
- Install the Microsoft Account Lockout and Management Tools. I have also made the download available here.
- Launch the Lockoutstatus.exe tool.
- From the File menu, click Select Target.
- Enter the username and domain (ie. cramer.com) and click Ok.
- The Lockoutstatus tool will display the account status on each domain controller (DC). It will also indicate what DC recorded the bad password. This is shown in the Bad Pwd Count column.
- Look through the Security log of any DC that recorded a lockout (from previous step). Specifically look for Event ID 4771 for Sever 2008 and Event ID 529 for Server 2003.
Note: I recommend using the EventCombMT utility to search through the Security logs. This utility was installed with the Account Lockout and Management Tools from Step 1. You will thank me for this one!
- When you find the event, look through the event details for Network Information and find the Client Address (registered IP or Mac address). This is the device where the bad password attempt originated.
- If the device is domain joined, you can use ping or nslookup to find the device name. If the lockout occurred on a smart phone you may not easily be able to track down the specific device. However, chances are the lockout occurred on the users smart phone.
How to determine what is causing the lockout
- You should already have the device name from the previous steps. Track down this device by using your inventory records or other means.
- If the device is a smart phone, chances are the user has an old password configured for their corporate email. Update the password and you should be ok.
- If the device is a computer you will need to connect to the computer and identify where the incorrect password is stored. This can sometimes be challenging so here are some common areas to begin your search.
- Persistent drive mappings
- Scheduled tasks
- Windows Credential Manager
Note: I have seen stored credentials become corrupt. You may need to remove the credentials from the vault and recreate.
- Applications with cached credentials
- Outlook or other email client
- After you have identified and corrected the incorrect password you should no longer see the account lockouts.