Troubleshoot Active Directory Account Lockouts

George Becker Door Photograph

Account Locked?

A good domain security policy is to expire passwords every 30-180 days. Another good security practice is to lockout an account after 3-5 failed logon attempts. This keeps an attacker from quickly trying to “brute force” a user’s password.

This can also create a scenario where a cached credential causes a user account to be repeatedly locked after a password change. In this article I will explore simple steps to troubleshoot and fix this problem.

To find the cause we first need to find the source of the bad logon attempts. Once we know the source we can look closely at that machine and find the cause of the bad logons.

Finding the Source

The first step is to find the source of the failed login attempts. Lockouts are logged in the Security log on the domain controller with the PDC Emulator FSMO role, because account lockout is processed on this server. If the source is a Windows computer the name of that computer should be in the log message also.

If you don’t know the domain controller that is assigned the PDC role use this NetDom command:

PS C:\Users\larntz> NetDOM /query FSMO
Schema master               DC03.contoso.com
Domain naming master        DC04.contoso.com
PDC                         DC01.contoso.com
RID pool manager            DC01.contoso.com
Infrastructure master       DC02.contoso.com
The command completed successfully.

Now that we know the PDC we need to search the Event Viewer for Event ID 4740. This can be done through the Event Viewer or PowerShell (at the time of this writing PowerShell Core cannot run the Get-EventLog cmdlet).

Luke Arntz Lockout6 Screenshot

The PowerShell command to use is Get-EventLog.

To retrieve all lockout events use this command:

Get-EventLog -LogName Security -InstanceId 4740 | Select TimeGenerated,Message | Format-List

To search for a specific user’s lockout events modify the command to add -Message "*username*" (replace “username” with the actual user’s username e.g., -Message "*kfrog*"):

PS C:\Users\larntz> Get-EventLog -LogName Security -InstanceId 4740 -Message "*kfrog*" | Select TimeGenerated,Message | Format-List

TimeGenerated : 11/27/2018 9:23:22 PM
Message       : A user account was locked out.

                Subject:
                        Security ID:            S-1-x-xx
                        Account Name:           DC01$
                        Account Domain:         HENSON
                        Logon ID:               0x333

                Account That Was Locked Out:
                        Security ID:            S-1-x-xx-xxxxxxxxx-xxxxxxxxx-xxxxxxxxx-xxxxxx
                        Account Name:           KFROG

                Additional Information:
                        Caller Computer Name:   KFROG-SERVER

Before we continue, log into the “Caller Computer Name” computer. In the example above this is KFROG-SERVER.

Finding the Solution

Now we know the source of our failed logons, but why is this machine attempting to login with a bad password?

Things to check:

Hidden SYSTEM Context Credentials

Credentials can be stored under the SYSTEM user context. This means there may be credentials saved on the system that will not show in any normal user’s Credential Manager. To view these credentials we need to open the Credential Manager in the SYSTEM context.

Used these steps to open the Credential Manager as the SYSTEM user:

  1. Download PsTools from Microsoft. Unzip and save the tools to a location on the source computer.
  2. Using psexec.exe open a command prompt (cmd.exe) as the System account.
    • psexec -i -s -d cmd.exe
  3. In the new DOS prompt open the credential manager.
    • rundll32 keymgr.dll,KRShowKeyMgr
  4. Remove or Edit the stored credential.

Luke Arntz Lockout3 Screenshot

Conclusion

The information in this article should be enough to resolve nearly all mystery account lockouts. Please don’t hesitate to send feedback if you feel anything here is incorrect or I missed something!

Thank you for reading!

References

  1. Kriss Milne’s Blog Post
  2. serverfault
  3. PsTools