I am able to find Audit Failure events (ID 4771) for incorrect username/password, but not when the account is locked out after too many incorrect attempts. So far I've discovered from reading online that the "Audit Account Lockout" group policy (Found at Computer Config > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Logon/Logoff) must be set to Failure so that it logs the failures, but it still isn't being logged.

When an Active Directory user account is locked out, a lockout event is written to the Windows Security log. Event ID 4740 is logged on the domain controllers, and event ID 4625 is logged on the computer that handled the failed logon attempts.


Troubleshooting Account Locked Out; Event IDs 4740, 4625, 4771





The lockout event ID provides important details about the lockout, such as the account name, time of the event, and the source computer (caller computer name). These events are helpful for troubleshooting and auditing lockout events.

Auditing is now turned on, and event 4740 will be logged in the Security event log whenever an account is locked out. In addition, Kerberos authentication auditing is enabled, which logs the pre-authentication failures (event 4771) that led to the lockout. Sometimes event 4740 does not record the source computer (the Caller Computer Name field is blank), and the Kerberos events then provide the missing detail, including the client IP address.

A domain controller logs event 4740 when it locks out an AD account. Because failed password attempts are forwarded to the PDC emulator, the PDC emulator records every lockout in the domain. The event is not replicated, so you either need to search all domain controllers or query the DC that holds the PDC emulator FSMO role.
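The two lookups described above (4740 on the PDC emulator, 4771 on the DCs when the Caller Computer Name is blank), as an added PowerShell example that is not code from the original article or from the AD Pro Toolkit. It assumes the RSAT ActiveDirectory module, permission to read each DC's Security log remotely, and a hypothetical account name passed as -SamAccountName. The 4771 events are pulled from every DC because each DC logs only the Kerberos requests it served itself.

```powershell
# Added example, not code from the original article. Pull lockout (4740) events from the
# PDC emulator and Kerberos pre-authentication failures (4771) from every DC for one
# account, then fall back to the 4771 client IP when the 4740 has no Caller Computer Name.
# Assumes the RSAT ActiveDirectory module and rights to read each DC's Security log remotely.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # assumed input: the account that keeps locking
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)
$pdc   = (Get-ADDomain).PDCEmulator
$dcs   = (Get-ADDomainController -Filter *).HostName

# Security events carry their fields as <Data Name="..."> elements; flatten them to a hashtable.
function ConvertTo-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

function Get-SecurityEvents {
    param([string]$Computer, [int]$Id)
    # Filter on the user in PowerShell rather than in the hashtable so it works on older hosts.
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = $Id; StartTime = $since
    } | ForEach-Object {
        $f = ConvertTo-EventFields $_
        if ($f.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $Computer; Fields = $f }
        }
    }
}

# 4740: the locked account is TargetUserName; the source host is stored in TargetDomainName,
# which Event Viewer renders as "Caller Computer Name". SubjectUserName is the DC that locked it.
$lockouts = Get-SecurityEvents -Computer $pdc -Id 4740 | ForEach-Object {
    [pscustomobject]@{
        Time     = $_.Time
        Caller   = $_.Fields.TargetDomainName
        LockedBy = $_.Fields.SubjectUserName
        SourceIp = $null
    }
}

# 4771 is written on the DC that served the AS-REQ and is not replicated, so ask every DC.
# Status 0x18 = bad password; IpAddress is the client, often with an ::ffff: IPv4-mapped prefix.
$preauth = foreach ($dc in $dcs) {
    Get-SecurityEvents -Computer $dc -Id 4771 | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.Time
            DC     = $_.DC
            Status = $_.Fields.Status
            Ip     = ($_.Fields.IpAddress -replace '^::ffff:', '')
        }
    }
}

foreach ($lock in $lockouts) {
    if ([string]::IsNullOrWhiteSpace($lock.Caller)) {
        # No Caller Computer Name: take the last 4771 for this user before the lockout.
        $nearest = $preauth | Where-Object { $_.Time -le $lock.Time } |
                   Sort-Object Time -Descending | Select-Object -First 1
        $lock.SourceIp = $nearest.Ip
    }
}

"Lockouts for $SamAccountName (from $pdc):"
$lockouts | Format-Table Time, Caller, LockedBy, SourceIp -AutoSize
"Kerberos pre-auth failures by source IP and status:"
$preauth | Group-Object Ip, Status | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Run it as `.\Get-LockoutSource.ps1 -SamAccountName jdoe -Hours 48` (the script name is a placeholder). If the caller is another DC or an Exchange server rather than a workstation, the 4771 grouping by IP is usually the more useful output, because it points at the client that sent the bad credentials to that server.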

In the above screenshot, you can see the tool found two locked user accounts, it also displays the lockout time and password last set date. This tool makes it super easy for helpdesk staff to check for locked user accounts, unlock and reset passwords.

Event ID 4625 is logged when an account fails to log on, including when the failure is because the account is already locked out. It is logged for both local and domain user accounts, and it is useful for troubleshooting repeat lockouts because it carries more detail than the 4740 event (logon type, authentication package, failure status, and the calling process for local attempts). Event ID 4625 is written only on the computer that processed the logon attempt: the workstation itself for an interactive logon, or the target server for a network logon, where the Workstation Name and Source Network Address fields identify where the attempt came from.

Knowing how to audit Active Directory lockout events is critical for troubleshooting repeat lockouts. It is also a security best practice to review and monitor failed logon attempts for malicious activity on your network. In this guide, I showed you the lockout event IDs for domain and local user accounts. In addition, I showed you how to filter the logs with PowerShell and by using the AD Pro Toolkit GUI tool.

Hi, 

Since the event log showed that DC4 is the source DC, I would suggest you enable the following audit policy to get more details:

 

Then find the 4625 event on the source client computer and check which process used the locked account.

Also, would you please tell us what IP address is displayed in the 4771 event:


I have spent approximately 6 hours in the last week trying to figure out this account lockout issue. A colleague of mine has a Domain Admin (ADM) account that locks out every hour at the exact same time (every hour at 30 minutes and 42-46 seconds). The only security events logging his username are 4771, followed by 4740 to say the account is locked out:

Under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\EventCollector\Subscriptions, we had an Event Viewer Subscription called "User Account Creation". This Subscription was configured with the user's ADM credentials! So, I backed up the registry path, then deleted the registry entry. Unfortunately, the account still locked.

Contents:
- The referenced account is currently locked out and may not be logged on to
- How to Check if an AD User Account is Locked Out?
- Account Lockout Policies in Active Directory Domain
- Account Lockout Event IDs 4740 and 4625
- Get the Source (Computer) of Account Lockouts with PowerShell
- Track AD Lockout Events with the Account Lockout and Management Tools
- How to Find a Program Which Locks User Domain Account?

You can manually unlock an account using the ADUC console without waiting until it is unlocked automatically. Find the user account in AD (use the search option in the AD snap-in), right-click it, and select Properties. Go to the Account tab and check the box "Unlock account. This account is currently locked out on this Active Directory Domain Controller." Click OK.

If the user enters an incorrect password, the domain controller closest to the user (the LogonServer) forwards the authentication request to the DC that holds the PDC emulator FSMO role, because that DC is responsible for processing account lockouts and holds the most recent password if it was just changed and has not replicated yet. If authentication fails on the PDC emulator as well, it tells the first DC that authentication failed and increments the account's bad password count. If the number of failed attempts within the observation window exceeds the value set in the domain's Account lockout threshold policy, the PDC emulator locks the account for the configured lockout duration.

Open the last event with Event ID 4625 for your user (Account Name). Here you can see that while attempting NTLM authentication (Authentication Package: NTLM, Logon Process: NtLmSsp), the account was already locked out (Failure Reason: Account locked out, Status: 0xC0000234). The event description contains both the computer name (Workstation Name) and its IP address (Source Network Address).
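As an added example (not code from the original article), this PowerShell script reads the 4625 events for one account on the computer that processed the logons and decodes the NTSTATUS codes, so the already-locked failures (0xC0000234) are separated from the bad-password attempts (0xC000006A) that actually caused the lock; for local logon types it also shows the calling process. The account name and target computer are assumed inputs; the status code table lists Microsoft-documented 4625 values.

```powershell
# Added example, not code from the original article. Read 4625 events on the computer that
# processed the failed logons and decode Status/SubStatus so that lockout consequences
# (0xC0000234) are separated from the bad-password attempts (0xC000006A) that caused them.
# Assumes the Security log is readable locally or remotely via -ComputerName.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # assumed input
    [string]$ComputerName = $env:COMPUTERNAME,       # workstation for interactive, server for network logons
    [int]$Hours = 24
)

# NTSTATUS codes that appear in the 4625 Status / Sub Status fields.
$ntStatus = @{
    '0xc000006d' = 'Bad username or authentication info'
    '0xc000006a' = 'Bad password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc0000193' = 'Account expired'
    '0xc0000071' = 'Password expired'
    '0xc0000133' = 'Clock skew too great'
    '0xc000015b' = 'Logon type not granted'
    '0xc000005e' = 'No logon servers available'
    '0x0'        = 'n/a'
}
$logonType = @{ '2'='Interactive'; '3'='Network'; '4'='Batch'; '5'='Service'; '7'='Unlock';
                '8'='NetworkCleartext'; '9'='NewCredentials'; '10'='RemoteInteractive'; '11'='CachedInteractive' }

function ConvertTo-StatusText([string]$code) {
    if (-not $code) { return '' }
    $k = $code.ToLower()                      # the XML carries lowercase hex, Event Viewer uppercase
    if ($ntStatus.ContainsKey($k)) { "$code ($($ntStatus[$k]))" } else { $code }
}

$events = Get-WinEvent -ComputerName $ComputerName -ErrorAction Stop -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours)
} | ForEach-Object {
    $f = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    if ($f.TargetUserName -eq $SamAccountName) {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            LogonType   = $logonType[[string]$f.LogonType]
            AuthPackage = $f.AuthenticationPackageName   # NTLM / Kerberos / Negotiate
            Status      = ConvertTo-StatusText $f.Status
            SubStatus   = ConvertTo-StatusText $f.SubStatus
            Workstation = $f.WorkstationName
            SourceIp    = $f.IpAddress
            Process     = $f.ProcessName                 # filled for logon attempts made on this host
            CallerPid   = $f.ProcessId
        }
    }
}

# Bad-password attempts are the cause; "account locked out" failures are the symptom, because
# the account was already locked when they happened. -like is case-insensitive in PowerShell.
$cause   = $events | Where-Object { $_.Status -like '0xC000006A*' -or $_.SubStatus -like '0xC000006A*' }
$symptom = $events | Where-Object { $_.Status -like '0xC0000234*' }

"Bad-password failures: $(@($cause).Count); already-locked failures: $(@($symptom).Count)"
$cause | Sort-Object Time | Format-Table Time, LogonType, AuthPackage, Workstation, SourceIp, Process -AutoSize
```

Run it on the computer named in the Caller Computer Name (or Source Network Address) of the 4740 event, for example `.\Get-FailedLogons.ps1 -SamAccountName jdoe -ComputerName WKS-042` (placeholder names). The Process column is only populated when the attempt was made on that host itself; for network logons the process lives on the machine in Workstation/SourceIp, so repeat the query there.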

The list that appears shows each DC and the account status on it (Locked or Not Locked). It also displays the lockout time and the DC on which the account was originally locked out (Orig Lock).
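The per-DC view described above, as an added PowerShell example rather than the tool's own code: badPwdCount, badPasswordTime and lockoutTime are not replicated, so each DC is queried directly, and the DC holding the most recent bad password time is reported as the originating DC. It assumes the RSAT ActiveDirectory module and LDAP access to every DC; the account name is an assumed input.

```powershell
# Added example, not code from the original article: a PowerShell equivalent of the per-DC
# view that LockoutStatus.exe gives. badPwdCount, badPasswordTime and lockoutTime are
# non-replicated attributes, so each DC is asked directly; the DC with the newest
# badPasswordTime saw the failures that tipped the account over the threshold ("Orig Lock").
# Assumes the RSAT ActiveDirectory module and LDAP access to every DC.
param([Parameter(Mandatory)][string]$SamAccountName)   # assumed input

$policy    = Get-ADDefaultDomainPasswordPolicy
$threshold = $policy.LockoutThreshold                    # 0 means lockout is disabled

function ConvertFrom-FileTime([object]$value) {
    # lockoutTime / badPasswordTime / lastLogon are 64-bit FILETIME integers; 0 means "never"
    if (-not $value -or [int64]$value -eq 0) { return $null }
    [DateTime]::FromFileTime([int64]$value)              # FromFileTime already yields local time
}

$rows = foreach ($dc in (Get-ADDomainController -Filter *)) {
    $row = [ordered]@{
        DC = $dc.HostName; Site = $dc.Site; LockedOut = $null; BadPwdCount = $null
        BadPasswordTime = $null; LockoutTime = $null; LastLogon = $null; Error = $null
    }
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -ErrorAction Stop `
             -Properties badPwdCount, badPasswordTime, lockoutTime, lastLogon, LockedOut
        $row.LockedOut       = $u.LockedOut
        $row.BadPwdCount     = $u.badPwdCount
        $row.BadPasswordTime = ConvertFrom-FileTime $u.badPasswordTime
        $row.LockoutTime     = ConvertFrom-FileTime $u.lockoutTime
        $row.LastLogon       = ConvertFrom-FileTime $u.lastLogon
    } catch {
        $row.Error = $_.Exception.Message                # DC unreachable or account not found there
    }
    [pscustomobject]$row
}

"Lockout threshold: $threshold attempts; duration: $($policy.LockoutDuration); window: $($policy.LockoutObservationWindow)"
$rows | Sort-Object BadPasswordTime -Descending | Format-Table DC, Site, LockedOut, BadPwdCount, BadPasswordTime, LockoutTime, LastLogon, Error -AutoSize

# The originating DC is the one with the most recent bad-password attempt; search its Security
# log (and the PDC emulator's) for 4740 / 4771 / 4776 with the client details first.
$orig = $rows | Where-Object { $_.BadPasswordTime } | Sort-Object BadPasswordTime -Descending | Select-Object -First 1
if ($orig) { "Orig Lock (latest bad password): $($orig.DC) at $($orig.BadPasswordTime), badPwdCount=$($orig.BadPwdCount)" }
```

Because the PDC emulator receives the forwarded attempts, its badPwdCount is the authoritative one to compare against the threshold; a non-PDC DC can show a lower count for the same account.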

So we have found from which computer or device the account was locked out. Now it would be good to know exactly which program or process is making the failed login attempts and is therefore the source of the account lockout events.

I can confirm that not only event ID 4625 can indicate a failed login; 4673, for example, can too.

I searched for the locked-out login name instead in Event Viewer; this is how I found the app to blame (it was Fiddler).

Anyway, the article set me in the right direction, so thanks!

When incorrect password attempts exceed the account lockout threshold configured in your domain, the user account is locked out and event ID 4740 is recorded in the Security log of the domain controllers. If audit logging is also enabled on client computers, event ID 4625 is recorded on the client computer as well. As you might already know, the event contains a lot of useful information, such as the name of the user account, the name of the domain controller, the name of the source computer, the timestamp, etc. If you have hundreds or thousands of computers in your AD environment, it isn't feasible to query every client computer. Instead, you first query the domain controllers to find the computer name or IP address of the source computer from which the failed attempts originated, and only then look at that computer. This is what we are going to do in this post.

Multiple user accounts are getting locked out multiple times in a day.

When I checked the event IDs on PDC 4740/4625 it showed the caller computer as another DC, and when I checked the event ID 4771 on the DC which was showing as a caller computer, I found the following details in the event logs.

We currently have the problem that certain user accounts are regularly locked, sometimes every minute. Using the event IDs 4740 ('user account was locked out') and 4771 ('Kerberos pre-auth failed') on the domain controllers, we can only narrow down the source to the Exchange servers. From there on, any trace is lost. The Exchange servers have already been checked, and all hardware used by the user (laptop, smartphone) has been checked several times; no old account or credentials could be detected on any device.

To secure the company network, Active Directory uses Group Policy Objects (GPOs) to define various user- and computer-related settings, including password policies and the Account lockout threshold. The latter controls when an account is locked after a set number of failed login attempts within the Account lockout observation window. If you mistype your password three times, for example, the account is locked for the configured Account lockout duration or until an administrator unlocks it. This is an important security control to frustrate an unauthorized person guessing passwords, although it also means an attacker who knows only the account names can deliberately lock users out.

True story: A penetration test happened at one of my employers during the middle of the day that inadvertently locked out multiple accounts, prompting our team to hunt down a possible hack attempt. This brought to our attention that this type of denial-of-service attack could easily disrupt a business if someone got hold of the account names or login format.

True story: Recently, a service account used for backing up virtual machines, files, and more kept locking. I received an urgent Sunday evening conference call at 7:30pm for help as backups were failing. After 4.5 hours of troubleshooting, checking Splunk logs, and using other methods, we were unable to find the lockout source. It was now midnight and some were tired.

The Splunk queries provided here currently include events where the queried user is the one who performed an unlock operation. I have not yet added logic to exclude them. This can skew results when looking for events where the queried user itself was unlocked by someone else. In other words, the queries currently include events where either the user was unlocked or the user performed the unlock on another account.

This query will help figure out where the account may have been used successfully within the last 14 days, including logons, logoffs, and which machines, IP addresses, and/or processes contributed to the event. Optionally, it will also show who unlocked the account.

When I troubleshoot an account, I look for a group of 4625 events that may have led to the 4740 lock event. The message within 4740 would tell you what ultimately caused the lock. Keep in mind that although 4625 reports a failed logon, it may not necessarily have been the culprit. It may have simply failed because the account was ALREADY locked, as illustrated in the 4625 sample below.
