• Skip to main content
  • Skip to primary sidebar

Technipages

Tutorials and fixes for smartphone, gadget, and computer problems

  • Topics
    • Android
    • Browsers
    • Gaming
    • Hardware
    • Internet
    • iPhone
    • Linux
    • macOS
    • Office
    • Reviews
    • Software
    • Windows
    • Definitions
  • Product Reviews
  • Downloads
  • About

How to Find Computer Locking Active Directory Account

June 26, 2018 by Mitch Bartlett 6 Comments

If you work IT in a Microsoft Active Directory environment, you may have experienced problems where a user’s account keeps getting locked out. Here’s a tutorial showing everything you need to know about how to track the computer that is locking any AD account.

Find Domain Controller Where Lockout Occurred

  1. Download Account Lockout and Management Tools from Microsoft on any domain computer where you have administrator rights.
  2. Create a folder named “ALTools” on your Desktop, then run “ALTools.exe” to extract the files to that folder.
  3. From the “ALTools” folder, open “LockoutStatus.exe“.
  4. Select “File” > “Select target“.
  5. Specify the “Target User Name” that keeps getting locked out and the “Target Domain Name“. If you’re not logged in as a domain administrator and would like to use alternate credentials, check the “Use Alternate Credentials” box, then type a domain account “User Name“, “Password“, and “Domain Name“.
  6. Select “OK“, and the user will be listed, along with the domain controller name where the account is getting locked.

Find Locking Computer Using Event Logs

  1. Login to the Domain Controller where authentication took place.
  2. Open “Event Viewer“.
  3. Expand “Windows Logs” then choose “Security“.
  4. Select “Filter Current Log…” on the right pane.
  5. Replace the field that says “<All Event IDs>” with “4740“, then select “OK“.
  6. Select “Find” on the right pane, type the username of the locked account, then select “OK“.
  7. The Event Viewer should now only display events where the user failed to login and locked the account. You can double-click the event to see details, including the “Caller Computer Name“, which is where the lockout is coming from.

Finding what Specifically is Locking Account on Computer

If the computer has been logged in since before the password for the account was changed or locked, a simple reboot may do the trick. Otherwise, follow these steps to check for stored credentials that might tied to a running a task and locking the account.

  1. Logon to the computer where the lockouts are occurring from.
  2. Download PsTools from Microsoft.
  3. Extract the single PsExec.exe file to “C:\Windows\System32“.
  4. Select “Start“, then type “CMD“.
  5. Right-click “Command Prompt“, then choose “Run as administrator“.
  6. Type the following, then press “Enter“:
    psexec -i -s -d cmd.exe
  7. Another command window will open up. Type the following in that window, then press “Enter“:
    rundll32 keymgr.dll,KRShowKeyMgr
  8. A window showing a list of stored usernames and passwords will appear. You can choose to “Remove” items from this list that may be locking accounts, or select “Edit…” to update the password.

 


FAQ

The Event Log tells me a computer name that doesn’t exist in our AD environment is locking the account. How do I track it down and stop it?

Most likely, somebody installed the Outlook app on a personal phone or tablet. The device is attempting to authenticate via a different device such as a Microsoft Exchange server. You can verify this with the following steps:

  1. Perform steps 1-6 as outlined above in the “Find Domain Controller Where Lockout Occurred” section.
  2. Login to the domain controller and enable debug logging for the Netlogon service.
  3. Wait for the lockout to occur again. Once it has, go back to the Lockout Status tool, right click the DC, then choose “Open Netlogon Log“.
  4. Select “Edit” > “Find” and search for the locked username of the account. It should display the caller computer name followed by another computer name in braces where the requests are coming from.

You Might Also Like

  • How to Add or Delete Printers in Active Directory
    How to Add or Delete Printers in Active Directory
  • What to Do If Your Computer Keeps Locking Itself
    What to Do If Your Computer Keeps Locking Itself
  • How to Make Active Directory Replicate Instantly
    How to Make Active Directory Replicate Instantly
  • Active Directory: Fix Replication Error 8203
    Active Directory: Fix Replication Error 8203
  • Windows 10 & 11: Install Active Directory Users and Computers
    Windows 10 & 11: Install Active Directory Users and…
  • Use Active Directory Domain Services to Block Website
    Use Active Directory Domain Services to Block Website

Filed Under: Windows Tagged With: Active Directory

Reader Interactions

Comments

  1. Craig M says

    January 7, 2021 at 8:38 am

    Thank you! My client changed his password and didn’t realize that he was still logged into another computer.

  2. anonymous says

    January 15, 2020 at 3:37 pm

    You didn’t list one other place that can cause lockouts. Open local services, and sort by the “Log On As” column. Scroll through the list looking for the locked account. If a service is trying to use an old password, that’s guaranteed to lock an account.

  3. ORYXWAY says

    January 10, 2020 at 11:20 am

    Hi

    I have been having problems for a very long time and I am trying to find out where the account lockout is originating from and I am unable to find out. So, I enabled netlogon on my domain controllers and I captured the first account lockout. This is what it shows, unfortunately there is no parenthesis and the source where it originated from. It says from DOMAINcontroller name Entered. So, could this domain controller itself be creating these account lockouts? If,, so how to fix it?

    01/10 10:02:57 [LOGON] [9076] BCC: SamLogon: Network logon of domainname\adminaccount from Domain Controller Entered

  4. Alan says

    October 29, 2019 at 6:52 am

    Thank you. This is very helpful. I’m accessing the affected computer via PSexec as it’s offsite. Is there another way to look at the “stored username and password” that doesn’t require the window to be opened? Basically using CMD to do everything?

  5. Mitja Kornuta says

    October 23, 2019 at 4:10 am

    gerat article

  6. Mike Tao says

    September 23, 2019 at 7:26 am

    Very useful article.

Did this help? Let us know!

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Primary Sidebar

Recent Posts

  • How to Print Labels from Excel Using MS Word Mail Merge
  • What Is NVMe Over TCP (NVMe/TCP)
  • Android Mobile Hotspot: How to Change the Password and Name
  • Windows 10: How to Force Quit and App
  • What is Dumpster Diving?
  • How to Download iOS 16 Beta 3 on iPhone or iPad
  • What is a Security Compromise?
  • Mastodon: How to DM Someone

Who’s Behind Technipages?

Baby and Daddy My name is Mitch Bartlett. I've been working in technology for over 20 years in a wide range of tech jobs from Tech Support to Software Testing. I started this site as a technical guide for myself and it has grown into what I hope is a useful reference for all.

You May Also Like

  • DVD Region-Locking
  • Best Wired Computer Speakers 2022

© Copyright 2023 Guiding Tech Media · All Rights Reserved · Privacy