Active Directory Lockout Troubleshooter
The AD Lockout Troubleshooter will help you track down the source of account lockouts in Active Directory. The account lockout troubleshooter will display the lockout event ID, logtime, username, source computer or IP, failure code, and the domain controller.Download Free Trial
- Troubleshoot account lockouts
- Find the source computer of repeated lockouts
- Find failed authentication attempts
- Find the source IP address or computer
- You will need permission to read the event logs from all domain controllers
- Audit Log policy needs to be configured. See Audit Log Settings for step-by-step instructions.
How to Use the AD Lockout Troubleshooter Tool
Click on Lockout Troubleshooter from the management tools page.
Select the date range and click run. If you have a lot of users and multiple domain controllers you might want to limit the date range as it can pull in a lot of events.
The tool will collect the events (4771) and (4740) from all your domain controllers and display them in the results column.
For example, I can see Alonso Hall had an account lockout event (4740) and the source computer was PC1.
There will be times when an account is locked out but event 4740 will be blank for the source. This can be for a number of reasons such as the authentication failure coming from a non domain joined computer. When this occurs you can use event 4771 to help troubleshoot the lockout.
In the above screenshot, there are multiple authentication failures coming from IPs 192.168.100.11 and .20 for Alonso Hall’s account.