Howto:Identify the source of Account Lockouts in AD

A common problem in Active Directory is identifying the source of account lockouts. If a password is modified and a user account gets locked, it can be a frustrating process to get the AD account re-enabled.

You can try the following steps to track the locked out accounts and also find the source of AD account lockouts. If you already know the locked out account then you can directly start from step 5 (to track source).

Step 1: Search the domain controller possessing the PDC Emulator Role

Search the domain controller possessing the PDC Emulator Role
Get-AdDomain – This cmdlet searches for the domain controller with the role of a PDC emulator.

Step 2: Search for Event ID 4740

Go to the event log viewer of the DC and in its security logs, search for Event ID 4740

Step 3: Apply appropriate filters

You can apply filters in case you want a more customized report such as looking for lockouts occurring in the last hour, so as to find the recent lockout source of a particular user.

Step 4: Find the locked out user event report from the log
Click find from the actions pane to search for the User whose account is being locked out.

Step 5: Open the event report to track the source of the locked out account

Here you can find the name of the user account and the source of the lockout location as well in the ‘Caller Computer Name’ column.
Finding locked out users may seem difficult at times, especially when you’re doing it for the first time. However, event logs details allows you to keep track of AD accounts that are experiencing difficulty.