Active Directory - Troubleshooting Account Lockout information
Troubleshooting Account Lockout (Technet)
https://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
Account Lockout and Management Tools
Account Lockout Status (LockoutStatus.exe)
SCOM Alerts & Audit Collection Services
You should be able to setup an event collection on the Security event log for that lockout and a few other events so that you get an alert. Here a just a few events that you could alert on to help monitor that account.
Event ID 531 : Account disabled
Event ID 532 : Account expired
Event ID 535 : Password expired
Event ID 539 : Logon Failure: Account locked out
Event ID 644 : User account Locked out
These article have a pretty good list of other security event id’s that you can alert on as well.
https://www.windowsnetworking.com/nt/atips/atips155.shtml
https://www.enterprisecertified.com/eSCOPTechnicalGuide.pdf
Comments
Anonymous
May 28, 2011
I liked your way of presentation. The information you provided is great, Thank you for this, and hope in future you will come with more knowledgeable information. ThanksAnonymous
February 16, 2014
Check this and finish this problem http://farisnt.blogspot.ae/2014/02/why-ad-user-account-locked-out.htmlAnonymous
August 22, 2014
As an option take a look at Netwrix Account Lockout Examiner, it involves a lot less of legwork. It's much more advanced version of ALTools from Microsoft and it's also completely free. The product automatically checks event logs on DCs, shows source IP or computer name, connects to that computers, checks if there are any processes running under that accounts (services, scheduled tasks, RDP sessions etc) and shows them all.