AD Pro Toolkit User Guide
- Getting Started
- User Management
- Group Management
- Security Tools
- AD Reports
- Other Tools
- Troubleshooting
- Firewall Settings
- Audit Log Settings
AD Lockout Troubleshooter
This is the administrator guide for the AD Lockout Troubleshooter
Requirements:
- You will need permission to read the event logs from all domain controllers
- Audit Log policy needs to be configured. See Audit Log Settings for step-by-step instructions.
- The tool will query the event logs using RPC and the dynamic port range. Port range TCP 49152-65535. This only needs to be opened from the computer running the tool to the DCs.
Steps
- Click on Lockout Troubleshooter from the management tools page.
- Select the date range and click run. If you have a lot of users and multiple domain controllers you might want to limit the date range as it can pull in a lot of events.
The tool will collect the events (4771 and 4740) from all your domain controllers and display them in the results column.
For example, I can see Alonso Hall had an account lockout event (4740) and the source computer was PC1.
There will be times when an account is locked out but event 4740 will be blank for the source. This can be for a number of reasons such as the authentication failure coming from a non domain joined computer. When this occurs you can use event 4771 to help troubleshoot the lockout.
In the above screenshot, there are multiple authentication failures coming from IPs 192.168.100.11 and .20 for Alonso Hall’s account.