Locked account gets displayed in Active Directory domain service

If you are in IT, you are more than likely aware of issues that can arise from account lockouts, especially on a service account in use by a critical application or infrastructure component.

I will dive into why lockouts occur, share troubleshooting steps, look at helpful tools, and guide you through interpreting logs so that the problem can be resolved as quickly as possible. A lockout can prevent you, an application, or the business from continuing work. So, how do you go about finding the source of the lockout?

Related: Visualize Account Lockout events with my AD Lockout Splunk Dashboards to graphically identify patterns. For investigating Group-related events, see my Group and Membership Changes post.

The Account Lockout Policy in Active Directory Group Policy sets the number of failed sign-in attempts before a user account is locked out. Once the account is locked out, it cannot be used (even with the correct password) until the account lockout duration has passed; or until an administrator manually unlocks the account. That’s where you come in.

The Account Lockout Policy deters cybercriminals performing brute force attacks against Active Directory accounts, but this feature can cause a huge headache for a sysadmin and the IT team when an impatient end-user is looking for a workaround.

Below is an example of what an end-user sees when they’re in the ALP lockout purgatory. 


Check AD account lockout status

How can administrators check to see if an Active Directory account is locked out? In ADUC, navigate to the properties of the user, then the Account tab. You will see the following message if an account is locked out:

  • Unlock account. This account is currently locked out on this Active Directory Domain Controller.

Administrators can also use PowerShell to query an Active Directory account, and check its status. You can use the following on a domain controller to check the properties of a user account.

Import-Module ActiveDirectory

get-aduser -identity testuser -properties * | select accountexpirationdate, accountexpires, accountlockouttime, badlogoncount, badpwdcount, lastbadpasswordattempt, lastlogondate, lockedout, passwordexpired, passwordlastset, pwdlastset | format-list
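The one-liner above tells you whether the account is locked, but not where the bad passwords came from. The following is an added example (not code from the original article) that goes one step further: it reads the same lockout attributes for a user and then pulls the matching Account Lockout events (Security event ID 4740) from the PDC emulator, which records every lockout in the domain regardless of which DC processed the bad password. It assumes the ActiveDirectory RSAT module is installed and that you have rights to read the DC's Security log; the account name testuser is the article's own placeholder.

```powershell
# Added example, not from the original article.
# Requires the ActiveDirectory module (RSAT) and read access to the DC Security log.
Import-Module ActiveDirectory

function Get-LockoutStatus {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    # The attributes that matter for a lockout investigation
    $user = Get-ADUser -Identity $SamAccountName -Properties LockedOut, AccountLockoutTime,
        badPwdCount, LastBadPasswordAttempt, PasswordLastSet
    [pscustomobject]@{
        User                   = $user.SamAccountName
        LockedOut              = $user.LockedOut
        AccountLockoutTime     = $user.AccountLockoutTime
        BadPwdCount            = $user.badPwdCount
        LastBadPasswordAttempt = $user.LastBadPasswordAttempt
        PasswordLastSet        = $user.PasswordLastSet
    }
}

function Get-LockoutSource {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $Hours = 24
    )

    # Lockouts are always forwarded to the PDC emulator, so query it rather than
    # whichever DC happened to see the bad password.
    $pdc = (Get-ADDomain).PDCEmulator

    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740                      # "A user account was locked out"
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue           # no events is a normal, not an error, result

    foreach ($e in $events) {
        # Read the EventData fields by name instead of relying on their position
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

        if ($data['TargetUserName'] -ne $SamAccountName) { continue }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            LockedUser       = $data['TargetUserName']
            # In event 4740 the "Caller Computer Name" is carried in the TargetDomainName field
            CallerComputer   = $data['TargetDomainName']
            DomainController = $e.MachineName
        }
    }
}

# Usage: status first, then the machines the bad passwords came from in the last 48 hours
Get-LockoutStatus -SamAccountName 'testuser' | Format-List
Get-LockoutSource -SamAccountName 'testuser' -Hours 48 | Format-Table -AutoSize
```

The CallerComputer column is the starting point for the rest of the investigation: it names the workstation or server that submitted the bad credentials, which is where cached or stale passwords (services, tasks, mapped drives) need to be checked.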

Unlocking Active Directory user accounts

The process of unlocking an account is straightforward. By default, there are two ways an account can unlock. This includes either administrator intervention, or waiting for the account lockout duration to expire.

An administrator can unlock the user account by either using the ADUC GUI, or PowerShell. Let’s briefly look at both ways.

Using the ADUC snap-in, an administrator can place a check in the box next to the Unlock account. This account is currently locked out on this Active Directory Domain Controller checkbox.

This is easily accomplished using PowerShell as well. Administrators can use the following PowerShell cmdlet.

Unlock-ADAccount -Identity testuser

Self-service account unlocks

With many organizations supporting remote employees, self-service workflows for end-users are hugely beneficial. Self-service solutions save IT time and money by reducing help desk tickets, and they prompt users to take ownership of their own password security and updates. The recent growth in remote work increases the cached-credential problem, which means more lockouts and more helpdesk calls. Reliable self-service options will reduce this burden on your helpdesk.

Specops uReset is one great self-service option that allows end-users to perform everyday tasks related to password and account management in Active Directory.  

Specops uReset is a self-service solution that enables users to securely reset their Active Directory passwords. End-users can initiate the password reset process from any browser, their mobile device, or right from the Windows logon screen on their workstations. Specops uReset can notify an end-user when they’re locked out and help unlock the account without a manual admin fix, saving you a ton of time and tickets. With a self-service solution like Specops uReset you don’t have to identify or solve a locked account; the user can do it themselves.

Security features like multi-factor authentication and geo-blocking ensure that the Specops uReset password reset solution is consistent with the high level of security you’d expect in your admin systems.

This topic is too old, but I just wanted to share a helpful tool in case anyone who has the same problem reads this thread in the future.

Lockout fixer is a free tool which lets you quickly determine where the invalid credentials are coming from. You can download lockout fixer

Once you find the source workstation using the above tool, finding which application is causing the issue should be a little easier.

Also, check the services, scheduled tasks, saved network passwords, browser passwords, mapped network drives, etc.
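The checklist in the reply above (services, scheduled tasks, saved credentials, mapped drives) is exactly what needs to be enumerated on the source workstation. The following is an added example, not part of the original post or any tool it mentions: run it on the workstation that the lockout event named, and it lists the places where a stale credential for the account is most often cached. It assumes a Windows 8 / Server 2012 or later host (for Get-ScheduledTask and Get-SmbMapping); the account CONTOSO\testuser is a constructed placeholder.

```powershell
# Added example, not from the original post. Run on the source workstation.
function Find-StoredCredentialUse {
    param(
        # Accepts 'DOMAIN\user' or bare 'user'; only the username part is matched
        [Parameter(Mandatory)] [string] $Account
    )
    $pattern = [regex]::Escape(($Account -split '\\')[-1])

    # 1. Windows services configured to log on as the account
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        Select-Object @{n='Type';e={'Service'}},
                      @{n='Name';e={$_.Name}},
                      @{n='RunAs';e={$_.StartName}},
                      @{n='State';e={$_.State}}

    # 2. Scheduled tasks whose principal is the account
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -match $pattern } |
        Select-Object @{n='Type';e={'ScheduledTask'}},
                      @{n='Name';e={$_.TaskName}},
                      @{n='RunAs';e={$_.Principal.UserId}},
                      @{n='State';e={$_.State}}

    # 3. Mapped network drives for the current session. The mapping does not expose
    #    which credential was used, so every mapping is listed for manual review.
    Get-SmbMapping |
        Select-Object @{n='Type';e={'MappedDrive'}},
                      @{n='Name';e={$_.LocalPath}},
                      @{n='RunAs';e={$_.RemotePath}},
                      @{n='State';e={$_.Status}}

    # 4. Entries in Credential Manager. cmdkey /list only names stored targets and
    #    users; it never reveals the secret itself.
    cmdkey /list |
        Where-Object { $_ -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{ Type = 'CredentialManager'; Name = $_.Trim(); RunAs = $Account; State = 'stored' }
        }
}

# Usage: 'CONTOSO\testuser' is a constructed placeholder for the locked-out account
Find-StoredCredentialUse -Account 'CONTOSO\testuser' | Format-Table -AutoSize
```

Anything this returns that still carries the old password is a lockout generator: each item will retry the stale credential on its own schedule and re-lock the account as soon as an administrator unlocks it, so update or remove every hit before unlocking.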

What causes an Active Directory account to lockout?

Most AD account lockouts are caused by one of two underlying mechanisms. Either a user forgets their password, or they have updated their credentials on a new device and forgotten to update them on an older device.

What is account lockout in Active Directory?

Active Directory Account Lockout (aka Intruder Detection) is a password security feature in Windows Server 2000 and later that locks an account when a certain number of failed logons due to wrong passwords occur within a certain interval of time.