Tracing the Source of Account Lockouts
As an Active Directory administrator, you have no doubt experienced recurring account lockouts. Back in the day, you would need the investigative powers of a Mr Sherlock Holmes to get to the bottom of these little mysteries! Then, the Account Lockout Tools made the process somewhat easier. Now, though, we have the magnificence of PowerShell...
From Windows Server 2008 onwards, an account lockout event will register on the PDCe as event ID 4740 - 'a user account was locked out' - with the lockout source included. All we then need to do is collect these events!
Here's the sample code:
#Obtain user
$User = Read-Host -Prompt "Please enter a user name"
#Specify PDCe (pass the DC's HostName to Get-WinEvent, not the whole object - see the comments below for the RPC errors you get otherwise)
$PDC = Get-ADDomainController -Discover -Service PrimaryDC
#Collect lockout events for user from last hour (timediff() works in milliseconds, so 3600000 = one hour)
Get-WinEvent -ComputerName $PDC.HostName `
-LogName Security `
-FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 3600000]] and EventData[Data[@Name='TargetUserName']='$User']]" |
Select-Object TimeCreated,@{Name='User Name';Expression={$_.Properties[0].Value}},@{Name='Source Host';Expression={$_.Properties[1].Value}}
The 'Obtain user' section uses Read-Host to prompt the operator for a user account that is locked out. The supplied name is then stored in $User for later use.
The 'Specify PDCe' section uses the Get-ADDomainController cmdlet, with its -Discover parameter, to locate the domain's PDCe. The domain controller found by the dclocator process is then stored in $PDC.
The final section moves up a gear or two. The Get-WinEvent cmdlet connects to the PDCe and looks at the Security log. A filter is then applied, using the XPath language. This language lets you do some really cool stuff with XML documents (from Windows Server 2008 onwards, events are stored as XML).
Let's break the expression down. We're first going to join and match two conditions from the 'System' node within each XML entry:
- the first condition is easy, 'EventID=4740' - this matches any 4740 events
- the second makes sure we collect events from the last hour - 'TimeCreated[timediff(@SystemTime) <= 3600000]' (timediff returns milliseconds, so 3600000 is one hour)
Next, we join the first two conditions to a third matched condition from the 'EventData' node:
- EventData[Data[@Name='TargetUserName']='$User'] - we look at the 'TargetUserName' data element and make sure it matches our supplied user name, stored in $User
Once we've matched all three conditions from the XPath expression, we pass any resultant, filtered objects on to the Select-Object cmdlet. Here, the time the event was created is displayed along with two custom headers. Let's look at one of them in more detail:
@{Name='User Name';Expression={$_.Properties[0].Value}}
Here, we create a header called 'User Name' and populate it with the first element from an array of the event's properties. The next Select-Object expression does something very similar, creating a header called 'Source Host' and populating it with the second element from the 'Properties' array.
Here's some sample output:
Again, PowerShell makes life's little administrative tasks much, much easier!
Finally, with the source host identified, experience tells me to look for stale RDP sessions, mapped drives, scheduled tasks, etc., etc...
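As an added example (not code from the original post), here is the same query wrapped in a reusable function: the look-back window is a parameter, the PDCe's HostName property is used for the connection, and the EventData fields are read by name from the event's XML rather than by position in the Properties array. The function name Get-AccountLockoutSource and the 'Reported By' column are my own additions.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module
# and rights to read the Security log on the PDCe.
function Get-AccountLockoutSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$UserName,
        # Look-back window in hours; the post's script uses one hour.
        [int]$Hours = 1,
        # Override if you do not want dclocator to pick the PDCe for you.
        [string]$ComputerName
    )

    if (-not $ComputerName) {
        $pdc = Get-ADDomainController -Discover -Service PrimaryDC
        $ComputerName = $pdc.HostName   # a string, not the ADDomainController object
    }

    # timediff() compares in milliseconds, so convert the window.
    $windowMs = [int64]$Hours * 3600000
    $xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
             " and EventData[Data[@Name='TargetUserName']='$UserName']]"

    Get-WinEvent -ComputerName $ComputerName -LogName Security -FilterXPath $xpath |
        ForEach-Object {
            # Every event is stored as XML; pull the EventData fields by name so the
            # result does not depend on the order of $_.Properties.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                'User Name'   = $data['TargetUserName']
                'Source Host' = $data['TargetDomainName']   # 4740 stores the caller computer name here
                'Reported By' = $data['SubjectUserName']    # the DC account that processed the lockout
            }
        }
}

# Usage: look back 20 days and rank source hosts by how often they caused a lockout.
# Get-AccountLockoutSource -UserName 'jsmith' -Hours (20 * 24) |
#     Group-Object 'Source Host' | Sort-Object Count -Descending |
#     Format-Table Count, Name
```

Get-WinEvent reports "No events were found" as an error when nothing matches the window, which is expected rather than a fault in the query.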
Comments
- Anonymous
January 01, 2003
thanks - Anonymous
January 01, 2003
If you get RPC errors, in the first instance, update Get-WinEvent -ComputerName $PDC to Get-WinEvent -ComputerName $PDC.Name... after that, you're on your own ;)- Anonymous
May 24, 2016
Thanks, This helped me so much after my account kept constantly locking out. This found the source of the issue and voila... all sorted now.
- Anonymous
- Anonymous
January 01, 2003
Pingback from AD: Tracing the Source of Account Lockouts | MS Tech BLOG - Anonymous
May 17, 2014
Thanks - Anonymous
December 16, 2014
I've been looking for an easy way to do this for some time. This is spot-on, thanks - Anonymous
February 06, 2015
Excellent and helped me to find the account lockout for DGM - Anonymous
March 23, 2015
Should I just copy this as is and save it as a VBS?
- Anonymous
- Anonymous
May 13, 2015
Tried to run this, but it just prints out ALL of the events from my PDC to the screen. Can't see anything relating to account lockouts or even related to the user account. Any ideas? - Anonymous
October 22, 2015
What if we need to check before 15 to 20 days - Anonymous
February 09, 2016
Not only do we need machine, but what process on that machine. If it's not obvious, it can be very hard to know. - Anonymous
February 09, 2016
We used to be able to use ALockout.dll in 2003 but it no longer works in 2008 and up. - Anonymous
June 09, 2016
my traces account is locked how to lockout - Anonymous
August 12, 2016
Hi, this script is brilliant thank you but it runs incredibly slow, does anybody else experience this or is it something I can remedy? - Anonymous
November 29, 2016
strange i couldn't get that output:
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
11/30/2016 10:34:30 AM 4624 Information An account was successfully logged on....
11/30/2016 10:34:30 AM 4768 Information A Kerberos authentication ticket (TGT) was requested....
11/30/2016 10:34:30 AM 4634 Information An account was logged off....
11/30/2016 10:34:30 AM 4634 Information An account was logged off....
- Anonymous
January 08, 2017
Same error for me
- Anonymous