Troubleshooting Account Lockouts in Active Directory

The easiest way to troubleshoot account lockouts in Active Directory is to use the Event Viewer, which is built into Windows. Active Directory records a Windows event for each of its actions, so the first task is to track down the right event log on the right domain controller.

  1. Log on as an Administrator on your domain controller.
  2. Open a PowerShell window and, at the command prompt, type:
    PS C:\> (Get-ADDomain).PDCEmulator
    Make a note of the address of the PDC Emulator domain controller.
  3. Note: If you receive the message "The term 'Get-ADDomain' is not recognized as the name of a cmdlet", run the following to import the Active Directory module, then repeat step 2:
    PS C:\> Import-Module ActiveDirectory
  4. Type exit to close the PowerShell window.
  5. Open the Event Viewer on the domain controller identified as the PDC Emulator: expand Windows Administrative Tools from the Start menu and click the Event Viewer entry in that submenu.
  6. In Event Viewer, expand the Windows Logs node in the left panel, then click Security to list the Security events.
  7. In the right panel, click Filter Current Log to open the filter window.
  8. In the Event IDs field, replace <All Event IDs> with 4740 (the "A user account was locked out" event).
  9. Select a time horizon in the Logged drop-down list.
  10. Optionally, enter a username or a hostname if you are looking for a lockout on a specific user or resource.
  11. Click OK.
  12. Double-click the entry that relates to the user or resource that interests you. This opens the event details.
  13. The event details show the account that was locked out, the domain controller on which the event was logged, and the source of the lockout: the Caller Computer Name, which is the machine from which the failed logon attempts originated.
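The same search can be scripted instead of clicked through. The function below is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed and that the caller is allowed to read the Security log on the PDC Emulator remotely (Event Log Readers membership or local admin rights, and the remote event log firewall rule enabled). The parameter names and the function name are the example's own.

```powershell
# Added example: pull 4740 lockout events from the PDC Emulator, the one DC
# guaranteed to record every lockout in the domain, and flatten the fields a
# responder cares about. Assumes RSAT ActiveDirectory and remote log access.
Import-Module ActiveDirectory

function Get-AccountLockoutEvents {
    param(
        [int]$Hours = 24,                           # time horizon (like the "Logged" filter)
        [string]$UserName,                          # optional sAMAccountName to narrow the search
        [string]$Server = (Get-ADDomain).PDCEmulator # defaults to the PDC Emulator
    )

    # Server-side filter: Security log, event 4740 only, within the time window.
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $Server -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            # The useful values live in EventData; read them by name from the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                LockedAccount  = $data['TargetUserName']
                # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
                CallerComputer = $data['TargetDomainName']
                LoggedOnDC     = $_.MachineName
            }
        } |
        Where-Object { -not $UserName -or $_.LockedAccount -ieq $UserName }
}

# Usage: all lockouts in the last 24 hours, newest first, then one user over 3 days.
Get-AccountLockoutEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
Get-AccountLockoutEvents -Hours 72 -UserName 'jdoe' | Format-Table -AutoSize
```

A recurring CallerComputer value for the same account usually points at a stale credential (a mapped drive, scheduled task or service) on that machine rather than at the user.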