Active Directory - Troubleshooting Account Lockout information

Troubleshooting Account Lockout (Technet)

https://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Account Lockout and Management Tools

https://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Account Lockout Status (LockoutStatus.exe)

https://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=D1A5ED1D-CD55-4829-A189-99515b0E90F7
 

SCOM Alerts & Audit Collection Services

You should be able to set up an event collection on the Security event log for that lockout event and a few others so that you get an alert. Here are just a few events that you could alert on to help monitor that account.
 
Event ID 531 : Account disabled
Event ID 532 : Account expired
Event ID 535 : Password expired
Event ID 539 : Logon Failure: Account locked out
Event ID 644 : User account Locked out
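
The events listed above can also be triaged from a script. The following is an added example, not code from the original post or from any Microsoft tool: it filters records to the five IDs on this page, groups them per account and flags accounts to alert on. It assumes Windows PowerShell 3.0 to 5.1; the function name `Get-AccountEventSummary`, the threshold and the message-text pattern are assumptions, and the sample records are constructed.

```powershell
# Event IDs and descriptions exactly as listed on this page.
$WatchedEvents = @{
    531 = 'Account disabled'
    532 = 'Account expired'
    535 = 'Password expired'
    539 = 'Logon Failure: Account locked out'
    644 = 'User account Locked out'
}

function Get-AccountEventSummary {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Events,  # needs EventID, TimeGenerated, Message
        [int] $AlertThreshold = 3   # hypothetical: events per account before flagging
    )
    $Events |
        Where-Object { $WatchedEvents.ContainsKey([int]$_.EventID) } |
        ForEach-Object {
            # Assumption: the account follows "Target Account Name:" (644) or "User Name:" (53x).
            $account = if ($_.Message -match '(?:Target Account Name|User Name):\s*(\S+)') { $Matches[1] } else { '(unparsed)' }
            [pscustomobject]@{ Account = $account; EventID = [int]$_.EventID; Time = $_.TimeGenerated }
        } |
        Group-Object Account |
        ForEach-Object {
            $group = $_
            $ids = @($group.Group | Select-Object -ExpandProperty EventID -Unique | Sort-Object)
            [pscustomobject]@{
                Account  = $group.Name
                Count    = $group.Count
                Reasons  = ($ids | ForEach-Object { "$_ $($WatchedEvents[$_])" }) -join '; '
                LastSeen = ($group.Group | Sort-Object Time | Select-Object -Last 1).Time
                # Flag on volume, or on any 644 lockout regardless of volume.
                Alert    = ($group.Count -ge $AlertThreshold) -or ($ids -contains 644)
            }
        }
}

# Constructed sample records, not real log data. Live input could come from, e.g.:
#   Get-EventLog -LogName Security -After (Get-Date).AddHours(-1)
$now = Get-Date
$sample = @(
    [pscustomobject]@{ EventID = 539; TimeGenerated = $now.AddMinutes(-9); Message = 'Logon Failure: Reason: Account locked out User Name: jdoe Domain: EXAMPLE' }
    [pscustomobject]@{ EventID = 644; TimeGenerated = $now.AddMinutes(-10); Message = 'User Account Locked Out: Target Account Name: jdoe Caller Machine Name: WKS-042' }
    [pscustomobject]@{ EventID = 535; TimeGenerated = $now.AddMinutes(-30); Message = 'Logon Failure: Reason: The specified account password has expired User Name: svc-backup Domain: EXAMPLE' }
    [pscustomobject]@{ EventID = 528; TimeGenerated = $now.AddMinutes(-5); Message = 'Successful Logon: User Name: asmith Domain: EXAMPLE' }
)
Get-AccountEventSummary -Events $sample | Sort-Object Alert -Descending | Format-Table -AutoSize
```

With the constructed sample, `jdoe` is flagged because a 644 lockout is present, `svc-backup` is listed without a flag, and the record with an unwatched ID is ignored.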

These articles have a pretty good list of other security event IDs that you can alert on as well.

https://www.windowsnetworking.com/nt/atips/atips155.shtml

https://www.enterprisecertified.com/eSCOPTechnicalGuide.pdf

Comments

  • Anonymous
    May 28, 2011
    I liked your way of presentation. The information you provided is great. Thank you for this, and I hope in the future you will come with more knowledgeable information. Thanks

  • Anonymous
    February 16, 2014
    Check this and finish this problem http://farisnt.blogspot.ae/2014/02/why-ad-user-account-locked-out.html

  • Anonymous
    August 22, 2014
    As an option, take a look at Netwrix Account Lockout Examiner; it involves a lot less legwork. It's a much more advanced version of ALTools from Microsoft and it's also completely free. The product automatically checks event logs on DCs, shows the source IP or computer name, connects to those computers, checks if there are any processes running under those accounts (services, scheduled tasks, RDP sessions, etc.) and shows them all.