Account Lockout Troubleshooting Guide


Quick Reference Guide
Account Lockout Troubleshooting
Windows 2003-2012R2

To effectively troubleshoot account lockouts, enable auditing of security events at the domain level and adjust the Security event log settings as described in the Active Directory Auditing Quick Reference Guide.

Microsoft Account Lockout and Management Tools

Microsoft Account Lockout and Management Tools are included in the AlTools.exe package, which is available at http://url2open.com/msaltools. Download and install the AlTools package on your domain controller.

To View Saved Credentials on a Given System:
Start > Run > rundll32 keymgr.dll,KRShowKeyMgr > OK
One can also use Netplwiz (Windows Server 2008 or above):
Start > Run > type in: netplwiz > OK
Click the Advanced tab and then click Manage Passwords.

LockoutStatus Tool
This tool displays information about a locked out account, with its User State and Lockout Time on each Domain Controller, and allows you to unlock it by right-clicking the corresponding entry.

Run LockoutStatus.exe > File menu > Select target > Define Target User Name and Target Domain Name > OK

EventCombMT Tool
This tool gathers specific events from several different servers into one central location.

Run EventCombMT.exe > right-click the "Select to search" field > choose Get DCs in Domain > mark the Domain Controllers to search

Click the Searches menu > Built In Searches > Account Lockouts

NOTE: for Windows Server 2008 and above replace Event ID field values with 4740

Click Search and wait for the process to complete the operation.
After the search is done the output directory contains the log files for the domain
controllers where events with the specified Event IDs were found.
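The same collection can be scripted instead of run through EventCombMT. The following PowerShell is an added example, not part of this guide or the AlTools package: it queries every domain controller for event ID 4740 within a lookback window, filters on the locked account, and reports the Caller Computer Name from each event, which is the machine holding the stale credential. It assumes the ActiveDirectory module (RSAT) is installed and that the caller can read the Security log on each DC remotely.

```powershell
# Added example (not from the guide): find where an account is being locked out
# by reading 4740 events from every DC. Assumes RSAT ActiveDirectory module and
# remote read access to each DC's Security log.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [int]$LookbackHours = 24
)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$LookbackHours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        # 4740 = "A user account was locked out" (Windows Server 2008 and above)
        $events = Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740
            StartTime = $since
        }
    } catch {
        # Get-WinEvent raises an error when no events match; that is not a failure here
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        # Read named EventData fields from the event XML rather than relying on
        # positional Properties[] indexes, which differ between event versions
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['TargetUserName'] -ne $SamAccountName) { continue }
        [pscustomobject]@{
            Time             = $e.TimeCreated
            DomainController = $dc
            LockedAccount    = $data['TargetUserName']
            # In 4740, TargetDomainName carries the Caller Computer Name
            CallerComputer   = $data['TargetDomainName']
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

Because lockouts are forwarded to the PDC emulator, the same lockout may be reported by more than one DC; the CallerComputer column is where to look for the mapped drive, scheduled task, service or device still using the old password.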

Possible Root Causes for Account Lockouts

Persistent drive mappings with expired credentials
Mobile devices using domain services like Exchange mailbox
Service Accounts using cached passwords
Scheduled tasks with expired credentials
Programs using stored credentials
Misconfigured domain policy settings
Disconnected Terminal Server sessions

Enable Netlogon Logging:
Start > Run > type in: nltest /dbflag:2080ffff > OK
After you restart the Net Logon service, related activity may be logged to %windir%\debug\netlogon.log

Disable Netlogon Logging:
Start > Run > type in: nltest /dbflag:0 > OK
Don't forget to disable Netlogon logging after you have captured the events, as the logging process may slightly degrade system performance.

Netwrix Account Lockout Examiner Free Tool
netwrix.com/go/ale

Install Netwrix Account Lockout Examiner; during setup, specify the accounts that have access to the Security event logs.

Open the Netwrix Account Lockout Examiner console.

Navigate to File > Settings > Managed Objects tab > Add > specify the Domain and Domain Controllers > close the Settings window.

The All accounts list contains locked, unlocked and manually added accounts.
To examine an account for the possible lockout reason, click the arrow next to the Examine button to get the result for all workstations in the specified domain, or click Examine on to specify a workstation manually.

Corporate Headquarters:
300 Spectrum Center Drive, Suite 1100,
Irvine, CA 92618

Toll-free: 888-638-9749

Int'l: 1-949-407-5125
EMEA: 44 (0) 203-318-0261

netwrix.com/social
