Source of Account Lockouts

So a user comes to you and says their account has locked out, and you kindly unlock their account... 5 minutes later, they are contacting you again to unlock their account. Despite the standard troubleshooting steps, the account continues to lock out. Now you have the task of finding out the reason for these lockouts. Users locking their accounts is a common problem, but if the reasons are not obvious, then it can take some time to troubleshoot. The user could be logged into multiple devices (phone, computer, application, and so on), and when they change their password, it will cause an ongoing lockout issue. In this article, we will learn how to find out the source of account lockouts in Active Directory.

Why Account Lockouts Happen

Account lockouts typically occur due to repeated failed login attempts. These can be caused by:

  • Cached credentials on multiple devices
  • Scheduled tasks or services using outdated passwords
  • Mapped drives or shared folders
  • Mobile devices with old credentials
  • Malware or brute-force attacks

Using PowerShell to Find the Source of Account Lockouts

Step 1: Enabling Auditing to find the source of account lockouts

The first step is to turn auditing on, because the domain controllers will not log any useful information until it is. Every time a user gets locked out, an event is created on the domain controller. With auditing turned on, you will be able to capture these logs.

1. Open the Group Policy Management console. This can be from the domain controller or any computer that has the RSAT tools installed.


2. Modify the Default Domain Controllers Policy

Browse to the Default Domain Controllers Policy, right-click, and select edit.


3. Modify the Advanced Audit Policy Configuration

Browse to computer configuration -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management

Enable success and failure for the “Audit User Account Management” policy.

Auditing is now turned on and event 4740 will be logged in the security events logs when an account is locked out.

Step 2: Find the Domain Controller with the PDC Emulator Role

If you have a single domain controller (shame on you) then you can skip to the next step…hopefully you have at least two DCs.

The DC with the PDC emulator role will record every account lockout with an event ID of 4740.

To find the DC that has the PDCEmulator role, run this PowerShell command:

Get-ADDomain | Select-Object PDCEmulator

Step 3: Finding event ID 4740 using PowerShell

All of the details you need are in event 4740. Now that you know which DC holds the PDCEmulator role, you can filter the logs for this event.

On the DC holding the PDCEmulator role, open PowerShell and run this command:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740}

Alternatively, if you have multiple domain controllers, use PowerShell to identify which DC recorded the lockout:

Get-WinEvent -ComputerName <DC-Name> -FilterHashtable @{
    LogName = 'Security'; Id = 4740
} | Where-Object {
    # Properties[0] of event 4740 is the target (locked-out) user name
    $_.Properties[0].Value -eq "LockedUser"
} | Format-List TimeCreated, Message


Replace <DC-Name> with your domain controller name and "LockedUser" with the username in question.

This will search the security event logs for event ID 4740. If you have any account lockouts, you should have a list like the one below.


To display the details of these events and get the source of the lockout, use this command.

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} | Format-List

This will display the caller computer name of the lockout. This is the source of the user account lockout.

You can also open the Event Viewer and filter the Security log for event ID 4740.
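The following script ties Steps 2 and 3 together and goes one step further than the article by tabulating the caller computer name per lockout, so a device that keeps retrying a stale password stands out. It is an added example, not code from the original article; the user name in $TargetUser and the 7-day window are assumptions you would adjust.

```powershell
# Added example (not from the original article): collect event 4740 from the PDC
# emulator and summarise which source computer is locking which account.
Import-Module ActiveDirectory

# Assumption: the account under investigation; replace with the user in question.
$TargetUser = 'LockedUser'

# Step 2: the DC holding the PDC emulator role records every lockout.
$Pdc = (Get-ADDomain).PDCEmulator

# Step 3: pull 4740 events. For this event, Properties[0] is the target user name
# and Properties[1] is the "Caller Computer Name" shown in the event message.
$Events = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-7)   # assumption: look back one week
} -ErrorAction SilentlyContinue

if (-not $Events) {
    Write-Warning "No 4740 events on $Pdc in the last 7 days; check that the audit policy from Step 1 is applied."
    return
}

$Lockouts = $Events | ForEach-Object {
    [pscustomobject]@{
        Time             = $_.TimeCreated
        User             = $_.Properties[0].Value
        CallerComputer   = $_.Properties[1].Value
        DomainController = $_.MachineName
    }
}

# Lockouts for the one user you were asked about, newest first.
$Lockouts | Where-Object User -eq $TargetUser |
    Sort-Object Time -Descending | Format-Table -AutoSize

# Which caller computers generate the most lockouts overall? A single name with
# many hits usually points at a device or service still using an old password.
$Lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```

Run it from a machine with RSAT and rights to read the Security log on the PDC emulator; if the caller computer name is blank, the lockout came in through a path that does not report a workstation name and you will need to look at the failed-logon events (4625/4771) on the same DC.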

Preventive Measures

  • Encourage users to update stored passwords across all devices
  • Use service accounts instead of personal accounts for scheduled tasks
  • Implement lockout policies that balance security and usability
  • Consider using Azure AD Password Protection for hybrid environments

Final Thoughts

Finding the source of account lockouts in Active Directory requires a mix of event log analysis, tools, and a bit of detective work. By following the steps above, you can identify the culprit and prevent future lockouts, improving both user experience and network security.
