Why Is My Windows Active Directory Domain Account Locked Out?

When too many failed login attempts occur, the account used for those attempts gets locked out. By default, the Active Directory server locks a domain account out after 5 bad password attempts. To get to the bottom of why an account keeps getting locked out, here are a few tips and tricks you can try.

Which domain controller has the PDC Emulator role

Running the following PowerShell cmdlet will tell you which domain controller holds the PDC Emulator role:

(Get-ADDomain).PDCEmulator

Where is the account getting locked out

Once you have found which domain controller holds the PDC Emulator role, open the Event Viewer on that server and filter the Security log for all events with ID "4740".

[Screenshot: Event Viewer Security log filtered for event ID 4740]

Then double-click the event to open it; the event details show which machine the lockout came from.

[Screenshot: details of a 4740 event in Event Viewer]

Once the source machine is identified, you can unlock the account to re-enable the user.
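The same steps can be scripted so you do not have to click through Event Viewer by hand. The script below is an added example, not code from the original post: it finds the PDC Emulator (every domain controller forwards bad-password and lockout information there, so its Security log has the complete picture), pulls the 4740 events from its Security log for the last N hours, and lists the account name and the caller computer for each lockout of the account you name. It assumes the ActiveDirectory RSAT module is installed, that you have rights to read the remote Security log, and that the parameter names $SamAccountName and $Hours are yours to choose. In a 4740 event the "Caller Computer Name" shown by Event Viewer is carried in the TargetDomainName data field, which is why the script reads that field.

```powershell
# Added example (not from the original post): list 4740 lockout events for one
# account from the PDC Emulator's Security log.
# Assumes: ActiveDirectory module (RSAT) and read access to the DC's Security log.
param(
    [Parameter(Mandatory)][string]$SamAccountName,  # account to investigate (assumed parameter name)
    [int]$Hours = 24                                # how far back to search (assumed parameter name)
)

Import-Module ActiveDirectory

# All lockouts are recorded on the PDC Emulator, so query it rather than an arbitrary DC.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent reports "No events were found" as an error, so treat that as an empty result.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$lockouts = foreach ($ev in $events) {
    # Read the EventData fields by name instead of relying on Properties[] positions.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated    = $ev.TimeCreated
        Account        = $data['TargetUserName']
        # For 4740, TargetDomainName holds the "Caller Computer Name" shown in Event Viewer.
        CallerComputer = $data['TargetDomainName']
        LockedOutBy    = $ev.MachineName
    }
}

$lockouts |
    Where-Object { $_.Account -eq $SamAccountName } |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize

# Once the source machine is known and dealt with, the account can be unlocked:
#   Unlock-ADAccount -Identity $SamAccountName
```

Run it as `.\Find-Lockout.ps1 -SamAccountName jdoe -Hours 48` (file name and account are placeholders). If the caller computer is a workstation, look there for stale credentials in scheduled tasks, services, mapped drives or saved RDP sessions; a repeating lockout from the same machine at a fixed interval is a typical sign of a cached old password rather than a person typing it.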

The Account Lockout tool

Microsoft has a free portable tool called the Account Lockout tool that is quite useful for identifying why and when a specified account was locked out.

Run the tool on a domain controller, specify the account ID, and it will take care of the rest.

[Screenshot: Account Lockout Tool]
