Hey Checkyourlogs Fans,

Today, let’s tackle a frustrating issue: recurring user account lockouts. This headache can affect any website or app lacking proper security measures. Recently, we ran into this problem with a fictional user named Dave at one of our clients’ sites. But beyond being annoying, we were concerned it might signal a hacker attempting to disrupt our network by locking out random accounts.

So, we decided to document our troubleshooting steps to get to the bottom of it. Our main concern was the potential threat of a denial-of-service attack targeting our network through these account lockouts. With Dave’s account being repeatedly locked out, we knew we had to act fast to prevent any further disruptions. In the following paragraphs, we’ll outline the systematic approach we took to identify and fix the root cause of these lockouts.

Step-by-Step Troubleshooting:

  1. Download Account Lockout Status Tool:
  2. Run LockoutStatus.exe:
    • Once downloaded, run the LockoutStatus.exe application.
  3. Select Target User:
    • Navigate to the “File” menu and select “Select Target.”
    • Enter the username of the user experiencing the lockouts (in our case, Dave) and press OK.

  4. Query Domain Controllers:
    • The tool will query all the Domain Controllers (DCs) in your network and display the Bad Password Count on each DC, indicating the number of failed login attempts.
  5. Check Event Viewer on DC:
    • Log into one of the DCs and open the Event Viewer.
    • Expand “Windows Logs” on the left pane and select “Security.”
    • Click “Filter Current Log” on the right pane and enter “4740,” the lockout event ID.

  6. View Lockout Events:
    • You’ll see a listing of accounts locked out on that specific DC.
    • Double-click on one of the events to view detailed information.
  7. Analyze Lockout Details:
    • Scroll down to analyze the details of the lockout event. Look for information on the source of the lockout, such as the workstation or application involved.
    • In our case, we found that Dave’s account was being locked out due to bad password attempts while logging into email (likely webmail).
  8. Identify Culprit Workstation/Application:
    • If a user continues to get locked out, it’s likely due to a process or task running on a computer with outdated or incorrect credentials.
    • In our scenario, we discovered that Dave’s account was being locked out by bad password attempts on an old workstation (Workstation12) he had previously logged into.
    • We shut down the workstation, and the Bad Password Count on the lockout tool did not increase further, indicating that the computer was indeed the culprit.
  9. Further Investigation:
    • While we identified the workstation causing the lockouts, the specific process or task responsible remains unknown. Further investigation into the system is needed to pinpoint the exact cause.
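
The event log check in steps 5 to 8 can also be scripted so that lockouts are tallied by source computer. The PowerShell below is an added example, not part of the original post: the function name Get-LockoutSource, the DC names and the sample events are constructed for illustration. It relies on event 4740 storing the "Caller Computer Name" shown in Event Viewer in the TargetDomainName field.

```powershell
# Added example. Get-LockoutSource is a hypothetical helper, not a built-in cmdlet.
# Event 4740 fields used: TargetUserName   = locked-out account
#                         TargetDomainName = "Caller Computer Name" in Event Viewer
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,  # one XML document per event
        [string]$UserName                            # optional: only this account
    )
    $rows = foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System.EventID -ne '4740') { continue }   # ignore other event IDs
        $f = @{}
        foreach ($d in $evt.EventData.Data) { $f[$d.Name] = $d.'#text' }
        if ($UserName -and $f.TargetUserName -ne $UserName) { continue }
        [pscustomobject]@{
            Account        = $f.TargetUserName
            # The caller name can be empty; keep those visible instead of dropping them
            CallerComputer = if ($f.TargetDomainName) { $f.TargetDomainName } else { '(blank)' }
            ReportedBy     = $evt.System.Computer
        }
    }
    # Count lockouts per account and source computer, busiest source first
    $rows | Group-Object Account, CallerComputer |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events, trimmed to the fields the function reads
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
       '<System><EventID>4740</EventID><Computer>{0}</Computer></System>' +
       '<EventData><Data Name="TargetUserName">{1}</Data>' +
       '<Data Name="TargetDomainName">{2}</Data></EventData></Event>'
$sample = @(
    ($tpl -f 'DC01.example.local', 'dave', 'WORKSTATION12'),
    ($tpl -f 'DC02.example.local', 'dave', 'WORKSTATION12'),
    ($tpl -f 'DC01.example.local', 'dave', '')
)
Get-LockoutSource -EventXml $sample -UserName 'dave'

# Against a live DC (elevated session on the DC), feed real events instead:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#            ForEach-Object { $_.ToXml() }
# Get-LockoutSource -EventXml $xml -UserName 'dave'
```

A single source computer dominating the count, as Workstation12 did in our case, points to stale credentials on that machine; many different sources for many accounts is the pattern that would warrant treating the lockouts as a possible attack.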

And there you have it! By following these steps, we were able to identify and mitigate the recurring user account lockouts on our network. Remember, swift and systematic troubleshooting is key to resolving such issues and maintaining network security.

Thanks for tuning in!

Dave