How to Track Source of Account Lockouts in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction

How to Track Source of Account Lockouts in Active Directory

 

2. Step 1 – Search for the DC having the PDC Emulator Role

Run the Get-AdDomain cmdlet to find the domain controller that holds the PDC emulator role. The DC (Domain Controller) with the PDC emulator role captures every account lockout event (Event ID 4740). If you have only one DC, you can skip this step.

3. Step 2 – Look for the Account Lockout Event ID 4740

Open the Event Viewer on the DC. Go to the Security log and search for Event ID 4740.

4. Step 3 – Put Appropriate Filters in Place

Use filters to generate a more customized report. For example, you can search for lockouts that occurred in the last hour and find the most recent lockout source for a particular user.

5. Step 4 – Find Out the Locked Out Account Event Whose Information is Required

Click on the “Find” button in the actions pane to look for the User whose account has been locked out.

6. Step 5 – Open the Event Report to Find the Source of the Locked Account

In the event details, the “Account Name” field shows the name of the locked-out user account, and the “Caller Computer Name” field shows the source of the lockout.
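
Steps 1 through 5 can also be run as one PowerShell function. This is an added example, not part of the original article: the function name Get-LockoutSource and the sample user 'jdoe' are hypothetical, and it assumes the ActiveDirectory (RSAT) module is installed and that you have rights to read the Security log on the DC.

```powershell
# Added example (not from the original article). Get-LockoutSource and 'jdoe'
# are hypothetical names; requires the ActiveDirectory module and read access
# to the Security log on the domain controller.
Import-Module ActiveDirectory

function Get-LockoutSource {
    param(
        [string]$UserName,      # optional: account name to filter on (Step 4)
        [int]$HoursBack = 1     # look-back window, e.g. the last hour (Step 3)
    )

    # Step 1: the PDC emulator captures every lockout event in the domain.
    $pdc = (Get-ADDomain).PDCEmulator

    # Steps 2-3: Security log, Event ID 4740, limited to the time window.
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$HoursBack)
    }
    try {
        $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Covers both "no matching events" and connection/permission failures.
        Write-Warning "No 4740 events read from ${pdc}: $($_.Exception.Message)"
        return
    }

    # Steps 4-5: read the fields by name from the event XML, not by position.
    foreach ($evt in $events) {
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }

        [pscustomobject]@{
            TimeCreated        = $evt.TimeCreated
            AccountName        = $data['TargetUserName']
            # Event Viewer labels the TargetDomainName field "Caller Computer Name".
            CallerComputerName = $data['TargetDomainName']
            DomainController   = $pdc
        }
    }
}

# Constructed sample call: lockouts for 'jdoe' during the last hour.
Get-LockoutSource -UserName 'jdoe' -HoursBack 1 | Format-Table -AutoSize
```

An empty CallerComputerName in the output means the event itself did not record a source machine.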