How to Find the Source of Active Directory Account Lockouts

A guide to easily finding the lockout source in AD


Key notes

  • Getting information about the lockout source in your Active Directory will help you rectify the problem.
  • You can use Windows PowerShell or Group Policy Editor on your PC, but they have limitations.
  • Otherwise, you may use our recommended tool to get the job done quickly.
Auditing your network resources and having accurate information about your devices is essential. ADAudit Plus is a tool that comes with professional-level features to provide:
  • Document changes tracking and monitoring
  • Detailed overview of login and logoff activity
  • SOX, PCI, HIPAA, GDPR compliances
  • Simple and fast implementation


Auditing Active Directory is very important, as it helps you review access rights and monitor who is creating new accounts. By default, Active Directory does not audit all your security events. We have a complete guide on how to install Active Directory on Windows Server.

One of the most common problems an Active Directory admin faces is identifying the source of frequent account lockouts. In this guide, we give you a detailed solution for finding the account lockout source in Active Directory.

How can I find the source of Active Directory account lockouts?

1. Use the Group Policy Editor

  1. Log in to the domain controller with admin privileges.
  2. Press Win + R keys to open the Run dialogue.
  3. Type gpedit.msc and hit Enter.
  4. Expand Computer Configuration.
  5. Select Windows Settings.
  6. Expand Security Settings.
  7. Choose Local Policies.
  8. Click on Audit Policy.
  9. Open Audit process tracking and check the Success and Failure boxes.
  10. Click OK.
  11. Open Audit logon events and check the Success and Failure boxes.
  12. Click OK.
  13. Press the Win key to open the Start menu.
  14. Type Event Viewer and open it.
  15. Search the Security log for event ID 4625.
  16. You will find the source of Active Directory account lockouts.
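
The Event Viewer search in the last steps can also be scripted. The following is an added example, not part of the original guide: it reads event ID 4625 from the Security log and groups the failures by account and source. The 24-hour window, the output column names, and the short list of sub-status codes are assumptions chosen for illustration.

```powershell
# Added example: summarize failed logons (event ID 4625) by account and source.
# Run in an elevated PowerShell session on the machine whose Security log you are checking.
$Since = (Get-Date).AddHours(-24)   # assumption: 24-hour look-back window

# NTSTATUS sub-status codes commonly seen in 4625 events.
$Reason = @{
    '0xC000006A' = 'Wrong password'
    '0xC0000064' = 'Unknown user name'
    '0xC0000234' = 'Account locked out'
}

# Errors are suppressed so an empty result does not abort the script.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $Since
} -ErrorAction SilentlyContinue

$failures = foreach ($evt in $events) {
    # Read the named EventData fields from the event's XML form.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $sub = [string]$data['SubStatus']
    [pscustomobject]@{
        Time        = $evt.TimeCreated
        Account     = $data['TargetUserName']
        Workstation = $data['WorkstationName']
        SourceIP    = $data['IpAddress']
        LogonType   = $data['LogonType']
        Failure     = if ($Reason.ContainsKey($sub)) { $Reason[$sub] } else { $sub }
    }
}

# One row per account/source pair, busiest first, with the latest attempt time.
$failures |
    Group-Object Account, Workstation, SourceIP, Failure |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ Name = 'LastSeen'; Expression = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

On a domain controller, event ID 4740 records the lockout itself and names the caller computer; that event ID is not mentioned in the original guide.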

2. Use Windows PowerShell

  1. Press the Win key to open the Start menu.
  2. Search for Windows PowerShell and open it as an admin.
  3. Type the below command and press Enter to install the PowerShell Active Directory module.
     Install-WindowsFeature RSAT-AD-PowerShell
  4. You can verify the installation by running the below command.
     Get-WindowsFeature -Name RSAT-AD-PowerShell
  5. Run the below command to find the locked-out user account.
     Search-ADAccount -LockedOut | FT Name,ObjectClass -A
  6. You will see a list of locked accounts.

While this method may seem pretty easy as you only have to run a few commands, this process will only give you a list of names of the accounts that are locked out. It won’t give you the exact reason for the lockout.

For that, we would suggest you check out the below solution.

3. Use a dedicated tool

  1. Download ManageEngine ADAudit Plus.
  2. Install the program on your PC.
  3. Launch the program.
  4. Click on Reports at the top menu bar.
  5. Select Active Directory.
  6. Click on User Management.
  7. Select Account Lockout Analyzer.
  8. Click on Details under the ANALYZER DETAILS section.
  9. You will now see the possible reasons behind each account lockout.

With the ManageEngine ADAudit Plus tool, you get comprehensive details on the account lockout source in Active Directory, along with other benefits.

Among its other features, it helps you track down the lockout source faster, improve help desk efficiency and productivity, minimize server downtime, and meet compliance standards such as GDPR, SOX, HIPAA, FISMA, PCI DSS, and GLBA.

More than 10,000 organizations across the globe use the ManageEngine ADAudit Plus tool with their Active Directory.

ManageEngine ADAudit Plus

A well-packed and complete Active Directory Auditing and Reporting tool.

How to perform account lockout analysis?

Now that you have your report on the account, analyzing it and getting meaningful information from it is very important.

  1. In the Account Lockout Analyzer, you will see the who, when, where, and even why of every lockout. The report can be exported to formats such as CSV, PDF, XML, and HTML.
  2. Clicking on Details gives you the complete information, which would be pretty tedious to gather using Event Viewer or PowerShell.
  3. The Recent Logon history of the user is the main area that will help you narrow down the source of the account lockout. This section gives you details such as:
    • User name
    • Client IP address
    • Client host name
    • Domain controller
    • Logon time
    • Event type
    • Failure reason
    • Event number

You can also check out our guide on how you can enable Active Directory users and computers in Windows 10 as well as Windows 11.

Feel free to let us know which solution you used to find the account lockout source in Active Directory.