To track the source of account lockouts in Active Directory, you can use the following steps:
1. Enable Account Lockout Policy: First, ensure that an account lockout policy is enabled in Active Directory. This policy specifies the number of failed logon attempts that will trigger an account lockout.
2. Enable Audit Policy Settings: Next, enable the appropriate audit policy settings on your domain controllers so that account lockout events are recorded. Specifically, enable the “Audit Account Lockout” policy setting. This setting can be applied to your domain controllers through Group Policy Objects (GPOs).
3. Collect Security Event Logs: After enabling the “Audit Account Lockout” policy setting, collect the relevant Security event logs from your domain controllers. These logs contain information about every account lockout event that occurs on the domain controllers.
4. Use the LockoutStatus Tool: Microsoft provides a tool called LockoutStatus that can be used to determine the source of account lockouts in Active Directory. It can be run on a domain controller or a workstation and will show you the domain controller where the account was locked out, as well as the process or service that triggered the lockout.
5. Analyze Logs: You can also analyze the Security event logs collected in step 3 to identify the source of account lockouts. Specifically, look for events that indicate a failed logon attempt or an account lockout, together with the source IP address or computer name associated with each event.
6. Take Action: Once you have identified the source of the account lockouts, take appropriate action to resolve the issue. This might involve resetting a user’s password, disabling a service or process that is causing the lockouts, or addressing a security issue on a particular workstation or server.
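As an added example (not part of the original answer), the following PowerShell script automates the log collection and analysis steps above: it pulls account-lockout events (Event ID 4740, “A user account was locked out”) from the PDC emulator and reports which computer originated each lockout. It assumes the ActiveDirectory RSAT module is installed, that you have remote Event Log access to the PDC emulator, and that auditing is configured so the domain controller writes 4740 (that event belongs to the Account Management > Audit User Account Management subcategory).

```powershell
# Added example: report the originating computer for each account lockout in the domain.
# Assumes: ActiveDirectory module (RSAT), rights to read the PDC emulator's Security log.

function Get-LockoutSource {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [string]$UserName   # optional: restrict the report to one sAMAccountName
    )

    # Every lockout in the domain is forwarded to the PDC emulator, so one DC is enough.
    $pdc = (Get-ADDomain).PDCEmulator

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData fields by name rather than by position so the script is not
            # tied to the field ordering of a particular Windows version.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                LockedAccount  = $data['TargetUserName']
                # In 4740 the "Caller Computer Name" shown in the event text is carried
                # in the TargetDomainName field of the event XML.
                CallerComputer = $data['TargetDomainName']
                ReportingDC    = $_.MachineName
            }
        } |
        Where-Object { -not $UserName -or $_.LockedAccount -eq $UserName }
}

# Usage: list recent lockouts, then rank the originating computers so the noisiest
# source (a stale scheduled task, mapped drive, or service credential) stands out.
$events = Get-LockoutSource -Hours 48
$events | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
$events | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Once the caller computer is known, the failed-logon events (Event ID 4625) in that machine's own Security log identify the process or service that is presenting the stale credential.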
Overall, tracking the source of account lockouts in Active Directory involves enabling the appropriate audit policy settings, collecting Security event logs, using the LockoutStatus tool, analyzing the logs, and taking action to resolve the issue. By following these steps, you can quickly identify and address the sources of account lockouts in your Active Directory environment.