• Skip to main content
  • Skip to primary sidebar

Technipages

Tutorials and fixes for smartphone, gadget, and computer problems

  • Topics
    • Android
    • Gaming
    • Hardware
    • Internet
    • iOS
    • MacOS
    • Office
    • Software
    • Windows
    • Definitions
  • Product Reviews
  • Downloads
  • About Technipages

How to Find Computer Locking Active Directory Account

By Mitch Bartlett 6 Comments

If you work IT in a Microsoft Active Directory environment, you may have experienced problems where a user’s account keeps getting locked out. Here’s a tutorial showing everything you need to know about how to track the computer that is locking any AD account.

Find Domain Controller Where Lockout Occurred

  1. Download Account Lockout and Management Tools from Microsoft on any domain computer where you have administrator rights.
  2. Create a folder named “ALTools” on your Desktop, then run “ALTools.exe” to extract the files to that folder.
  3. From the “ALTools” folder, open “LockoutStatus.exe“.
  4. Select “File” > “Select target“.
  5. Specify the “Target User Name” that keeps getting locked out and the “Target Domain Name“. If you’re not logged in as a domain administrator and would like to use alternate credentials, check the “Use Alternate Credentials” box, then type a domain account “User Name“, “Password“, and “Domain Name“.
  6. Select “OK“, and the user will be listed, along with the domain controller name where the account is getting locked.

Find Locking Computer Using Event Logs

  1. Login to the Domain Controller where authentication took place.
  2. Open “Event Viewer“.
  3. Expand “Windows Logs” then choose “Security“.
  4. Select “Filter Current Log…” on the right pane.
  5. Replace the field that says “<All Event IDs>” with “4740“, then select “OK“.
  6. Select “Find” on the right pane, type the username of the locked account, then select “OK“.
  7. The Event Viewer should now only display events where the user failed to login and locked the account. You can double-click the event to see details, including the “Caller Computer Name“, which is where the lockout is coming from.

Finding what Specifically is Locking Account on Computer

If the computer has been logged in since before the password for the account was changed or locked, a simple reboot may do the trick. Otherwise, follow these steps to check for stored credentials that might tied to a running a task and locking the account.

  1. Logon to the computer where the lockouts are occurring from.
  2. Download PsTools from Microsoft.
  3. Extract the single PsExec.exe file to “C:\Windows\System32“.
  4. Select “Start“, then type “CMD“.
  5. Right-click “Command Prompt“, then choose “Run as administrator“.
  6. Type the following, then press “Enter“:
    psexec -i -s -d cmd.exe
  7. Another command window will open up. Type the following in that window, then press “Enter“:
    rundll32 keymgr.dll,KRShowKeyMgr
  8. A window showing a list of stored usernames and passwords will appear. You can choose to “Remove” items from this list that may be locking accounts, or select “Edit…” to update the password.

 


FAQ

The Event Log tells me a computer name that doesn’t exist in our AD environment is locking the account. How do I track it down and stop it?

Most likely, somebody installed the Outlook app on a personal phone or tablet. The device is attempting to authenticate via a different device such as a Microsoft Exchange server. You can verify this with the following steps:

  1. Perform steps 1-6 as outlined above in the “Find Domain Controller Where Lockout Occurred” section.
  2. Login to the domain controller and enable debug logging for the Netlogon service.
  3. Wait for the lockout to occur again. Once it has, go back to the Lockout Status tool, right click the DC, then choose “Open Netlogon Log“.
  4. Select “Edit” > “Find” and search for the locked username of the account. It should display the caller computer name followed by another computer name in braces where the requests are coming from.

You Might Also Like

  • How to Add or Delete Printers in Active Directory
    How to Add or Delete Printers in Active Directory
  • How to Add Active Directory Schema Snap-In
    How to Add Active Directory Schema Snap-In
  • How to Make Active Directory Replicate Instantly
    How to Make Active Directory Replicate Instantly
  • Active Directory: Fix Replication Error 8203
    Active Directory: Fix Replication Error 8203
  • What to Do If Your Computer Keeps Locking Itself
    What to Do If Your Computer Keeps Locking Itself
  • Windows 10 & 8: Install Active Directory Users and Computers
    Windows 10 & 8: Install Active Directory Users and Computers
  • Use Active Directory Domain Services to Block Website
    Use Active Directory Domain Services to Block Website
  • PowerShell: Check When User Last Set Active Directory Password
    PowerShell: Check When User Last Set Active Directory…
  • Active Directory: How to Check Domain and Forest Functional Level
    Active Directory: How to Check Domain and Forest Functional…

Filed Under: Windows Tagged With: Active Directory

Reader Interactions

Comments

  1. Craig M says

    January 7, 2021 at 8:38 am

    Thank you! My client changed his password and didn’t realize that he was still logged into another computer.

  2. anonymous says

    January 15, 2020 at 3:37 pm

    You didn’t list one other place that can cause lockouts. Open local services, and sort by the “Log On As” column. Scroll through the list looking for the locked account. If a service is trying to use an old password, that’s guaranteed to lock an account.

  3. ORYXWAY says

    January 10, 2020 at 11:20 am

    Hi

    I have been having problems for a very long time and I am trying to find out where the account lockout is originating from and I am unable to find out. So, I enabled netlogon on my domain controllers and I captured the first account lockout. This is what it shows, unfortunately there is no parenthesis and the source where it originated from. It says from DOMAINcontroller name Entered. So, could this domain controller itself be creating these account lockouts? If,, so how to fix it?

    01/10 10:02:57 [LOGON] [9076] BCC: SamLogon: Network logon of domainname\adminaccount from Domain Controller Entered

  4. Alan says

    October 29, 2019 at 6:52 am

    Thank you. This is very helpful. I’m accessing the affected computer via PSexec as it’s offsite. Is there another way to look at the “stored username and password” that doesn’t require the window to be opened? Basically using CMD to do everything?

  5. Mitja Kornuta says

    October 23, 2019 at 4:10 am

    gerat article

  6. Mike Tao says

    September 23, 2019 at 7:26 am

    Very useful article.

Did this help? Let us know!

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Primary Sidebar

Recent Posts

  • Windows 11: How to Add Clocks with Different Time Zones
  • Google Assistant: How to Never Miss a Birthday
  • Windows 11: How to Disable Notifications and Ads
  • How to Use Oculus Quest 2 Air Link
  • How to Create an Avatar in the Oculus Quest 2
  • 5 Free and Fun Math Apps for Kids
  • Windows 11: How to Discover What Graphics Card You’re Using
  • How to Change Display Resolution on Windows 10 and 11

Who’s Behind Technipages?

Baby and Daddy My name is Mitch Bartlett. I've been working in technology for over 20 years in a wide range of tech jobs from Tech Support to Software Testing. I started this site as a technical guide for myself and it has grown into what I hope is a useful reference for all.

You May Also Like

  • DVD Region-Locking
  • Best Mid-Market Computer Speakers 2021
  • Best Budget Computer Speakers 2022
  • Best High-End Computer Speakers 2022
  • Best Wireless Computer Speakers 2022
  • Best Wired Computer Speakers 2022

© Copyright 2022 Technipages · All Rights Reserved · Privacy