  • Author
    • #13772
      Jim Jones
      Member Points: 15
      Rank: 1

      Hello all, I’ve done this the hard way quite a bit, but I was wondering if anybody has a great way to track down a user’s repeated lockout issue with AD. I just got done fixing one user (user’s password had changed and iPhone hadn’t been updated to access the wireless via NPS), but it was literally an all-day process to track down where the user was having issues. Is there a product or script that can automate this process? Syslog maybe?

    • #13773
      Sitaram Pamarthi
      Member Points: 13
      Rank: 1

      I haven’t done this in the recent past, but ~5 years back I used to do it frequently enough. So, here is the procedure I used to follow. Check whether it helps.

      1) Find the DC where the account is locked first: I used LockoutStatus.exe (download from get this information.
      2) Look at the netlogon logs (enable debug logging if you want) to determine the IP address/computer name that is sending wrong credentials.

      This way we are closer to the problem. We know the computer that is sending wrong credentials, but we still need to determine where these wrong credentials are stored. We can check services, scheduled tasks, or any other third-party software running on this computer to find out the place where old credentials are saved.
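
Step 2 of the procedure above, sketched as an added example that is not part of the original post: a small parser that tallies failed logons for one account by source computer in Netlogon debug log text. The line layout, the sample lines and all names in them (EXAMPLE, jdoe, WKS-042, NPS01, DC02) are constructed assumptions modelled on netlogon.log output; adjust the pattern to what your DCs actually write.

```python
import re
from collections import Counter

# NTSTATUS codes relevant to a lockout hunt.
STATUS = {"0xC000006A": "wrong password", "0xC0000234": "account locked out"}

# Assumed line shape: "... logon of DOMAIN\user from SOURCE (via SERVER) Returns 0x..."
LINE = re.compile(
    r"\[LOGON\].*?logon of (?P<domain>[^\\\s]*)\\(?P<user>\S+) "
    r"from (?P<source>\S*) \(via (?P<via>[^)]*)\) "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)"
)

# Constructed sample lines, not taken from a real log.
SAMPLE = r"""
02/11 09:14:02 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from WKS-042 (via DC02) Entered
02/11 09:14:02 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from WKS-042 (via DC02) Returns 0xC000006A
02/11 09:14:31 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from  (via NPS01) Returns 0xC000006A
02/11 09:15:01 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from  (via NPS01) Returns 0xC000006A
02/11 09:15:31 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from  (via NPS01) Returns 0xC0000234
02/11 09:16:10 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\asmith from WKS-007 (via DC02) Returns 0x0
02/11 09:17:45 [LOGON] [1234] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from WKS-042 (via DC02) Returns 0x0
"""

def failed_sources(log_text, user):
    """Count failed logons for `user`, keyed by (source, via, reason)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["user"].lower() != user.lower():
            continue  # not a completed logon line, or a different account
        code = "0x" + m["status"][2:].upper()
        if code in STATUS:
            # An empty source field is kept visible; the "via" server is then the lead.
            hits[(m["source"] or "(blank)", m["via"], STATUS[code])] += 1
    return hits

if __name__ == "__main__":
    for (source, via, reason), n in failed_sources(SAMPLE, "jdoe").most_common():
        print(f"{n:3d}  {source:10s} via {via:6s} {reason}")
```

The top entry is the place to start looking for the stored old password; when the source is blank, the server in the "via" field is the next log to read.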

    • #13774
      Joseph Moody
      Member Points: 1,918
      Rank: 3

      I actually like using PowerShell to find that information now. I keep these scripts loaded into my ADUC for easy reach.

    • #13775
      Michael Pietroforte
      Member Points: 32,769
      Author of the year 2018
      Rank: 4

      First thing I check in case of account lockouts is the event log. On the PDC you should see the event ID 4740, the account name and the computer name. I don’t know how an iPhone would appear there, but I guess it should be possible to identify it. It is always a good idea to monitor failed logons with an event log management tool that allows you to centrally collect crucial event log messages. The best free event log tool I know is EventSentry Light. That way you never have to search for event log messages in your domain because you have it all in a central database.

    • #13777
      Jim Jones
      Member Points: 15
      Rank: 1

      Great ideas guys, I’ll give these a shot the next time the issue arises.

© 4sysops 2006 - 2022