Following are some short reference notes to myself on how to trace account lockouts in an Active Directory environment. An audit policy must be set on all computers and domain controllers; in particular, event 4740 is only written when success auditing for User Account Management is enabled on the domain controllers.
Scenario:
We are running two domain controllers, and from time to time an account lockout shows up at the user end. To trace which workstation is the source of the bad passwords, we use the methods below.
1# Examine the Domain Controller's Event Viewer
Open Event Viewer on the DC, go to Windows Logs > Security, right-click and select Filter Current Log, type 4740 in the <All Event IDs> box and click OK. Each 4740 event names the locked-out account and, under Caller Computer Name, the workstation the bad passwords came from. Check the PDC emulator first: every DC forwards failed password attempts to it, so it logs every lockout in the domain.
2# Use PowerShell Scripts
2a) Trace the offending account/workstation with a PowerShell one-liner ...
You can also use PowerShell to pull the 4740 events from the Security log. Get-EventLog exists only in Windows PowerShell 5.1 (it was removed from PowerShell 7), and this version asks the PDC emulator rather than whichever DC the locator returns, since the PDC emulator records every lockout. Replace USERNAME with the locked-out account:
Get-EventLog -ComputerName ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).PdcRoleOwner.Name -LogName Security -InstanceID 4740 -Message "*USERNAME*" | Format-List TimeGenerated, Message
Result:
TimeGenerated : 10/2/2018 9:37:34 AM
Message       : A user account was locked out.

                Subject:
                    Security ID:    S-1-5-18
                    Account Name:   DC01$
                    Account Domain: MYDOMAIN
                    Logon ID:       0x3e7

                Account That Was Locked Out:
                    Security ID:    S-1-5-21-664357565-1371172752-1124750213-14855
                    Account Name:   testid

                Additional Information:
                    Caller Computer Name: UNKNOWN-PC
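Added example (mine, not from the post or the linked guide): the same lookup as the one-liner above, but sent to every DC with an XPath filter so each DC returns only 4740 records for the named account, and with the EventData fields read by name from the event XML instead of matching the message text. ConvertFrom-LockoutEventXml, Get-LockoutEvent and the $SamAccountName parameter are my names; the sample record at the end is constructed from the event shown above so the parser can be tried without a domain controller.

```powershell
# Added example, not from the original post. Same lookup as the one-liner above, but
# against every DC, filtered on the DC with XPath, and with the 4740 fields read by
# name from the event XML. ConvertFrom-LockoutEventXml and Get-LockoutEvent are my names.
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory)] [xml] $EventXml)
    # Index the EventData <Data Name="..."> elements by their Name attribute
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        TimeCreated      = [datetime] $EventXml.Event.System.TimeCreated.SystemTime
        DomainController = $EventXml.Event.System.Computer
        User             = $data['TargetUserName']
        UserSid          = $data['TargetSid']
        CallerComputer   = $data['TargetDomainName']   # in 4740 this field holds the caller computer name
    }
}

function Get-LockoutEvent {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $MaxEvents = 20
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    # Evaluated on the DC: only 4740 records whose TargetUserName matches cross the wire.
    # The comparison is exact, so pass the name as it appears in the event.
    $xpath = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$SamAccountName']]"
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            Get-WinEvent -ComputerName $dc.HostName -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction Stop |
                ForEach-Object { ConvertFrom-LockoutEventXml ([xml] $_.ToXml()) }
        } catch {
            # Unreachable DC, access denied, or simply no matching events on this DC
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
    }
}

# Constructed sample 4740 record with the same field layout as the event shown above,
# so the parser can be tried without a domain controller.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2018-10-02T09:37:34.000Z" />
    <Computer>DC01.MYDOMAIN</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">testid</Data>
    <Data Name="TargetDomainName">UNKNOWN-PC</Data>
    <Data Name="TargetSid">S-1-5-21-664357565-1371172752-1124750213-14855</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC01$</Data>
    <Data Name="SubjectDomainName">MYDOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEventXml ([xml] $sampleXml)    # CallerComputer is UNKNOWN-PC

# Live use, newest lockout first:
# Get-LockoutEvent -SamAccountName testid | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

The XPath filter is the point: with -FilterHashtable the DC ships every 4740 record and the client discards the ones for other users, while -FilterXPath does the matching inside the event log service. Reading fields by their Name attribute also survives a change in the message text or in the order of the Properties array.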
2b) PS script to fetch information from all DCs
Read the following guide:
Using Powershell to Trace the Source of Account Lockouts in Active Directory
In an elevated PowerShell prompt, create a new script as below ...
# Script written by Alexandre Almeida. Corrected here: the lockout attributes are now
# requested from AD (the original only asked for LastLogonDate, so the per-DC table was
# always empty), Continue/Break outside a loop became Return, the SID comparison no longer
# relies on -match, and the stray Write-Host $_ after the Select-Object was removed.
# Gets the host name behind a user's account lockout.
$username = Read-Host "Please Enter the Locked User Name"   # Read-Host appends ": " itself
$DCCounter = 0
$LockedOutStats = @()
Try
{
    Import-Module ActiveDirectory -ErrorAction Stop
}
Catch
{
    Write-Warning $_
    Return
}
# Get all domain controllers in the domain; the PDC emulator records every lockout
$DomainControllers = Get-ADDomainController -Filter *
$PDCEmulator = ($DomainControllers | Where-Object {$_.OperationMasterRoles -contains "PDCEmulator"})
Write-Verbose "Found $($DomainControllers.Count) domain controllers in the domain"
# badPwdCount, badPasswordTime and lockoutTime are not replicated, so ask every DC
$LockoutProperties = 'LastLogonDate','LastBadPasswordAttempt','LockedOut','BadPwdCount','BadPasswordTime','AccountLockoutTime'
Foreach($DC in $DomainControllers)
{
    $DCCounter++
    Write-Progress -Activity "Contacting DCs for lockout info" -Status "Querying $($DC.Hostname)" -PercentComplete (($DCCounter/$DomainControllers.Count) * 100)
    Write-Verbose "Querying $($DC.Hostname) for bad password attempts"
    Try
    {
        $UserInfo = Get-ADUser -Identity $username -Server $DC.Hostname -Properties $LockoutProperties -ErrorAction Stop
    }
    Catch
    {
        Write-Warning "$($DC.Hostname): $_"
        Continue
    }
    If($UserInfo.LastBadPasswordAttempt)
    {
        $LockedOutStats += New-Object -TypeName PSObject -Property @{
            Name                   = $UserInfo.SamAccountName
            SID                    = $UserInfo.SID.Value
            LockedOut              = $UserInfo.LockedOut
            BadPwdCount            = $UserInfo.BadPwdCount
            BadPasswordTime        = $UserInfo.BadPasswordTime
            LastBadPasswordAttempt = $UserInfo.LastBadPasswordAttempt
            DomainController       = $DC.Hostname
            AccountLockoutTime     = $UserInfo.AccountLockoutTime
            LastLogonDate          = $(If($UserInfo.LastLogonDate) { $UserInfo.LastLogonDate.ToLocalTime() })
        }
    }#end if
}#end foreach DCs
If(-not $UserInfo)
{
    Write-Warning "User $username was not found on any domain controller"
    Return
}
$LockedOutStats | Format-Table -Property Name,LockedOut,DomainController,BadPwdCount,AccountLockoutTime,LastBadPasswordAttempt -AutoSize
# Get the 4740 events from the PDC emulator
Try
{
    Write-Verbose "Querying the Security log on $($PDCEmulator.HostName)"
    $LockedOutEvents = Get-WinEvent -ComputerName $PDCEmulator.HostName -FilterHashtable @{LogName='Security';Id=4740} -ErrorAction Stop | Sort-Object -Property TimeCreated -Descending
}
Catch
{
    Write-Warning $_
    Return   # Continue is only valid inside a loop
}#end catch
Foreach($Event in $LockedOutEvents)
{
    # In 4740, Properties[0] is the account name, [1] the caller computer name, [2] the account SID
    If("$($Event.Properties[2].Value)" -eq $UserInfo.SID.Value)
    {
        $Event | Select-Object -Property @(
            @{Label = 'User'; Expression = {$_.Properties[0].Value}}
            @{Label = 'DomainController'; Expression = {$_.MachineName}}
            @{Label = 'EventId'; Expression = {$_.Id}}
            @{Label = 'LockedOutTimeStamp'; Expression = {$_.TimeCreated}}
            @{Label = 'Message'; Expression = {$_.Message -split "`r" | Select -First 1}}
            @{Label = 'LockedOutLocation'; Expression = {$_.Properties[1].Value}}
        )
    }#end if event
}#end foreach lockedout event
Write-Verbose "Collected details follow; see the cleanup steps below for the caller computer"
Write-Output @'
Cached Credential Removal Steps
1) Open Control Panel > Credential Manager and remove all saved passwords.
2) Start > Run > type rundll32.exe keymgr.dll,KRShowKeyMgr (without quotes) and delete the domain-related passwords.
3) Remove passwords in Internet Explorer > Tools > Internet Options > Content > Personal Information > AutoComplete > Clear Passwords.
4) Delete cookies in Internet Explorer > Tools > Internet Options > General.
5) Disconnect all network drives (note the paths before disconnecting), reboot, then map them again.
6) Start > Run > type control userpasswords2 (without quotes), go to Advanced > Manage Passwords and remove all the stored passwords.
7) Reconfigure the account on the user's mobile device if ActiveSync is enabled.
8) Check whether any service or scheduled task is configured to run as the user account.
Microsoft TechNet forum link for the cached credential removal steps:
https://social.technet.microsoft.com/Forums/windows/en-US/ced8eab6-87e2-4d20-9d18-7aaf5e9713a3/windows-7-clear-cached-credentials
'@
Result:
PS C:\temp> .\test2.ps1
Please Enter the Locked User Name: testid

User               : testid
DomainController   : DC01.MYDOMAIN
EventId            : 4740
LockedOutTimeStamp : 10/2/2018 9:54:35 AM
Message            : A user account was locked out.
LockedOutLocation  : UNKNOWN-PC
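Added example (mine, not from the post or the script above): once 4740 names the caller computer, the cleanup list in the script says where stale credentials hide. This function checks those places on the named machine for the locked-out account: scheduled tasks, services, running processes, Credential Manager entries and mapped drives. Find-StaleCredentialSource and its parameters are my names; it assumes PowerShell remoting to the workstation and defaults to the local machine so it can be run where you are.

```powershell
# Added example, not from the original post. Look on the caller computer named in
# event 4740 for things that replay a stale password for the locked-out account.
# Find-StaleCredentialSource, $SamAccountName and $ComputerName are my names.
function Find-StaleCredentialSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $ComputerName = $env:COMPUTERNAME    # e.g. the Caller Computer Name from 4740
    )
    $script = {
        param($user)
        $pattern = "*\$user"                  # wildcard: matches DOMAIN\user as well as .\user
        $userRx  = [regex]::Escape($user)     # regex-safe form for the cmdkey output
        $hits = [System.Collections.Generic.List[object]]::new()
        function Add-Hit($Source, $Name, $RunAs) {
            $hits.Add([pscustomobject]@{ Source = $Source; Name = $Name; RunAs = $RunAs })
        }

        # Scheduled tasks running as the account (step 8 of the cleanup list)
        Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object { $_.Principal.UserId -eq $user -or $_.Principal.UserId -like $pattern } |
            ForEach-Object { Add-Hit 'ScheduledTask' ($_.TaskPath + $_.TaskName) $_.Principal.UserId }

        # Services whose logon account is the user
        Get-CimInstance Win32_Service |
            Where-Object { $_.StartName -like $pattern } |
            ForEach-Object { Add-Hit 'Service' $_.Name $_.StartName }

        # Processes still running under the account (a stale or disconnected logon session)
        Get-CimInstance Win32_Process | ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
            if ($owner.User -eq $user) {
                Add-Hit 'Process' "$($_.Name) (PID $($_.ProcessId))" "$($owner.Domain)\$($owner.User)"
            }
        }

        # Credential Manager entries (steps 1, 2 and 6). cmdkey lists the vault of the
        # account running this script, so run it in the user's own session for their vault.
        cmdkey /list 2>$null | Select-String -Pattern "User:\s+(.*\\)?$userRx\s*$" |
            ForEach-Object { Add-Hit 'CredentialManager' $_.Line.Trim() $user }

        # Mapped drives (step 5); a stale mapping reconnects with the saved password
        Get-SmbMapping -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Hit 'MappedDrive' "$($_.LocalPath) -> $($_.RemotePath)" '(session user)' }

        $hits
    }
    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $script $SamAccountName
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $script -ArgumentList $SamAccountName
    }
}

# Usage: point it at the workstation from the 4740 event
# Find-StaleCredentialSource -SamAccountName testid -ComputerName UNKNOWN-PC | Format-Table -AutoSize
```

The service, task and process checks are the ones worth running first: a service or task that keeps a password the user has since changed will lock the account again a few minutes after every unlock, and no amount of clearing browser state fixes that.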
3# More Information:
https://activedirectorypro.com/account-lockout-tool/
https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/31/use-powershell-to-find-locked-out-user-accounts/
Email notification on account lockout:
https://community.spiceworks.com/how_to/11824-email-account-lock-out-notification