In this post we will look into troubleshooting Account Lockouts in Active Directory. From my experience identifying the source of an Account Lockout can often be easy, or extremely difficult.
When an authentication attempt hits a domain controller that is incorrect, a second authentication attempt will always hit the Primary Domain Controller (PDC). This is due to Active Directory replication intervals, if you reset a users password, it may take a few hours for the password change to propagate across the network based on how you have configured your Inter-Site Transport links in AD Sites and Services. The Primary Domain Controller (PDC) always has the latest list of passwords (one of the many things the PDC emulator role performs).
The easiest way to troubleshoot Account Lockouts is simply login to the Primary Domain Controller and review the security log, as this will have a list of all account lockouts that have occured across all domain controllers. The EventID that represents an account lockout is EventID 4740.
The screenshot below shows a typical Account Lockout event on the PDC. It will display the account name that was locked out, and the computer in which the account was locked out on.
However this is where it can get more complicated. If the lockout came from a system not in Active Directory, the "Caller Computer Name" value will always be blank. This can include numerous scenarios such as:
- Mobile Devices (Android / IOS) that are authenticating against an Exchange Server through Active Sync.
- Proxy Servers
- Java Applications
- UNIX/Linux Systems
- Other non-domain joined computer objects.
The EventID Security logs you want to filter are as follows:
- Event ID 4625 - An account failed to log on
- Event ID 4776 - The computer attempted to validate the credentials for an account.
- Event ID 4771 - Kerberos pre-authentication failed
For many companies still running on-premises Exchange, Mobile Devices on Active Sync are a common cause for account lockouts. If you have confirmed using the EventID's above that the account lockout is coming from your Exchange Server, you can utilise the IIS Logs to identify the device and external IP address that caused the lockout. You need to check the IIS Logs on the Exchange Server for a HTTP 401 "Unauthorized" error for the user in question. IIS Logs can easily be imported into Excel for easy formatting/review. Also check out the following blog post that has a Logparser.exe query that lets you quickly search IIS Logs for the account lockout.
In addition to the HTTP 401 "Unauthorized" error, the Exchange IIS Logs also can provide additional information in the Sc-Win32-status code:
- 1326 - The user name or password is incorrect.
- 1330 - The password for this account has expired.
- 1331 - This user can't sign in because this account is currently disabled.
- 1909 - The referenced account is currently locked out and may not be logged on to.