AD Pro Toolkit User Guide
AD Lockout Troubleshooter
This is the administrator guide for the AD Lockout Troubleshooter.
Requirements:
- You will need permission to read the event logs from all domain controllers
- Audit Log policy needs to be configured. See Audit Log Settings for step-by-step instructions.
- The tool queries the event logs over RPC, which uses the dynamic port range TCP 49152-65535. These ports only need to be open from the computer running the tool to the domain controllers, not between the DCs themselves.
Steps
- Click on Lockout Troubleshooter from the management tools page.
- Select the date range and click Run. If you have many users and multiple domain controllers, consider limiting the date range, as a wide range can pull in a very large number of events.
The tool will collect the events (4771 and 4740) from all your domain controllers and display them in the results column.
![](https://activedirectorypro.com/wp-content/uploads/2023/10/10-lockout-troubleshooter-1.webp)
For example, I can see Alonso Hall had an account lockout event (4740) and the source computer was PC1.
![](https://activedirectorypro.com/wp-content/uploads/2023/10/10-lockout-troubleshooter-2.webp)
There will be times when an account is locked out but the source in event 4740 is blank. This can happen for a number of reasons, such as the authentication failure coming from a non-domain-joined computer. When this occurs, use event 4771 (Kerberos pre-authentication failed) to troubleshoot the lockout, because it records the client IP address of the failed attempt.
![](https://activedirectorypro.com/wp-content/uploads/2023/10/10-lockout-troubleshooter-3.webp)
In the above screenshot, there are multiple authentication failures coming from IPs 192.168.100.11 and .20 for Alonso Hall’s account.
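The collection the tool performs (4740 and 4771 from every DC for a date range) and the 4771 fallback described above can be reproduced with the Windows event log cmdlets. The script below is an added example and not part of the AD Pro Toolkit; it assumes the ActiveDirectory PowerShell module is installed, that the account running it can read the Security log on each DC over RPC, and uses the assumed account name `ahall` only as a sample filter value.

```powershell
# Added example (not the AD Pro Toolkit's own code): collect 4740 and 4771
# events from every domain controller for a date range and summarise them
# per account and source, including the 4771 client IP for the blank-4740 case.
param(
    [datetime]$StartTime = (Get-Date).AddHours(-24),
    [datetime]$EndTime   = (Get-Date),
    [string]$User        = $null   # optional sAMAccountName filter, e.g. 'ahall' (assumed sample value)
)

Import-Module ActiveDirectory

# Every DC in the current domain; the lockout is logged on the DC that processed the failure.
$dcs = (Get-ADDomainController -Filter *).HostName

$filter = @{ LogName = 'Security'; Id = 4740, 4771; StartTime = $StartTime; EndTime = $EndTime }

$results = foreach ($dc in $dcs) {
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events were found" is normal for a quiet DC; anything else (RPC blocked on
        # TCP 49152-65535, access denied) is a requirement from this guide not being met.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc`: $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        # Read named EventData fields from the event XML rather than positional indices.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($User -and $data['TargetUserName'] -ne $User) { continue }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc
            EventId = $e.Id
            Account = $data['TargetUserName']
            # 4740 stores the caller computer name in TargetDomainName (blank for some
            # non-domain-joined sources); 4771 carries the client IP in IpAddress.
            Source  = if ($e.Id -eq 4740) { $data['TargetDomainName'] }
                      else { $data['IpAddress'] -replace '^::ffff:', '' }
            # 4771 Status 0x18 is a bad password; 4740 has no Status field.
            Status  = $data['Status']
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize

# Which client IPs are producing the pre-authentication failures for each account?
$results | Where-Object EventId -eq 4771 |
    Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it as a .ps1 from a machine that meets the requirements listed above, for example `.\Get-LockoutEvents.ps1 -StartTime (Get-Date).AddDays(-1) -User ahall`. The final grouping reproduces the screenshot's finding: repeated 4771 entries for one account from a small set of IPs point at the machine still presenting stale credentials, even when the matching 4740 has no caller computer name.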