Microsoft account lockout tools

Author: h | 2025-04-24


Here are the steps to troubleshoot an account lockout issue in Active Directory using Microsoft Account Lockout and Management Tools. Microsoft Account Lockout and Management Tools: the Microsoft Account Lockout and Management Tools, included with AlTools.exe, assist you in managing accounts and in troubleshooting account lockouts. Netwrix Account Lockout Examiner is only available for Windows. Download the tool for free. 3. Microsoft Account Lockout and Management Tools. Microsoft Account Lockout


The Microsoft Account Lockout Tools

This article outlines the process to identify and resolve account lockout in an Active Directory environment.

Process

1) Change lockout policy according to Microsoft Recommendation

The lockout policy's ultimate goal is to protect against automated password guessing (brute-force attack), and as such the value should be high enough that accounts are not accidentally locked out by an end user or an incorrect saved password.

As per the following articles, I would recommend the following lockout settings:

Account lockout threshold: 50
Reset account lockout counter after: 10 minutes

Enabling Auditing

Identifying the source of the account lockouts in a complex environment will be virtually impossible without auditing enabled.

Please note: Only events that occurred after enabling auditing will be logged. It also might be necessary to increase the Security log file size.

In addition to the above, the following might provide some extra clues to the source of the lockout. After setting these values, additional logs can be found in Event Viewer, Applications and Services Log/Microsoft/Windows/NTLM.

Path: Computer Configuration\Windows Settings\Local Policies\Security Options
Setting: Network Security: Restrict NTLM: Audit Incoming NTLM Traffic
Value: Enable auditing for all accounts
Setting: Network security: Restrict NTLM: Audit NTLM authentication in this domain
Value: Enable All

3) Identify source device that lockout occurred on

3.1) Event Comb

Part of Account Lockout and Management Tools, a useful tool in a pinch.

Please note: The built-in search for account lockout is not using the newer event IDs. To search newer IDs, add 4625 4740 4771 4768 4776 to the list.

For details on these events, see

Gathered events from selected domain controllers will be saved into text files in the temp folder.

3.2) Lockout Status

Part of Account Lockout and Management Tools. When you start the tool, you specify the user account to inspect.

Please note: If the lock device is a Domain Controller, you have to follow the trail until you get to the actual source device name.

3.3) AD Audit

See personal favorite, AD Audit makes finding the source account that locks device super easy, just use built-in reports.

4.1) Powershell

FindUserBadPwdAttempts

4) Identify the source process that locked the account

4.1) NetWrix Account Lockout Examiner

See NetWrix Account Lockout Examiner on another computer. After that run it and point to the device that

6.10. Troubleshooting Account Lockout Problems

Problem

A user is having account lockout problems and you need to determine where it is getting locked from and how it is getting locked out.

Solution

Using a graphical user interface

LockoutStatus is a new tool available for Windows 2000 or Windows Server 2003 that can help identify which domain controllers users are getting locked out. It works by querying the lockout status of a user against all domain controllers in the user's domain.

To determine the lockout status of a user:

Open LockoutStatus and select File → Select Target from the menu.
Enter the target user name and the domain of the user.
Click OK.

At this point, each domain controller in the domain will be queried and the results will be displayed.

Discussion

The Lockoutstatus.exe tool is just one of many that are available in the new "Account Lockout and Management" tool set provided by Microsoft. These new lockout tools are intended to help administrators with account lockout problems that are very difficult to troubleshoot given the tools available under Windows 2000. Along with the tool mentioned in the Solution Section, here are a few others that are included in the set:

ALockout.dll
A script that uses this DLL called EnableKerbLog.vbs is included with the tool set that can be used to enable logging of application authentication. This can help identify applications using bad credentials that are causing account lockouts.

ALoInfo.exe
Displays services and shares that are using ...
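Added example (not part of the original article or of Microsoft's tool set) for step 3 and the LockoutStatus recipe above: it reads event 4740 from the PDC emulator to get the caller computer, then lists the per-DC bad-password state in the way LockoutStatus presents it. It assumes the ActiveDirectory RSAT module and read access to the domain controllers' Security logs; the account name jdoe is a placeholder.

```powershell
# Added example. Assumptions: ActiveDirectory module installed, auditing enabled,
# caller may read the Security log on DCs. 'jdoe' is a placeholder account.
param(
    [string]$SamAccountName = 'jdoe',
    [int]$HoursBack = 24
)
Import-Module ActiveDirectory

# Bad-password attempts are forwarded to the PDC emulator, so its Security
# log is the usual place to find event 4740 (a user account was locked out).
$pdc = (Get-ADDomain).PDCEmulator
$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the EventData name/value pairs into a lookup table
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            User           = $data['TargetUserName']
            # In 4740 the TargetDomainName field holds the caller computer name
            CallerComputer = $data['TargetDomainName']
            LoggedOn       = $_.MachineName
        }
    } | Where-Object User -eq $SamAccountName

# badPwdCount and the last bad password time are not replicated between DCs,
# so each DC is queried separately, as LockoutStatus does.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
        -Properties LockedOut, badPwdCount, LastBadPasswordAttempt, AccountLockoutTime
    [pscustomobject]@{
        DC          = $dc.HostName
        LockedOut   = $u.LockedOut
        BadPwdCount = $u.badPwdCount
        LastBadPwd  = $u.LastBadPasswordAttempt
        LockoutTime = $u.AccountLockoutTime
    }
}

$lockouts | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
$perDc    | Sort-Object LastBadPwd -Descending  | Format-Table -AutoSize
```

If CallerComputer names a domain controller, repeat the search for events 4625, 4771 and 4776 on that DC to follow the trail to the real source device.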

Comments

User4278

How many account lockouts do you deal with every day? Troubleshooting account lockouts has always been an IT admin's daily task: either employees forget their passwords or accounts lock out due to a significant increase in authentication requests on domain controllers. On top of that, account lockouts can also be a sign of the Conficker virus (also known as Downup, Downadup or Kido), which performs brute-force attacks against accounts in a network, or of a password change on a service account.

Here is a list of free tools that can help you investigate the root cause of an account lockout more quickly and prevent decreases in productivity:

Tool #1. Netwrix Account Lockout Examiner

This is a free tool that helps IT staff identify lockout root causes in a single keystroke. The freeware enables you to do the following:

Identify root causes of lockouts. The tool gets you to the root of the problem in a single click, whether it's improperly mapped network drives, services or scheduled tasks running under stale credentials, or an outdated password saved on a mobile device.
Minimize troubleshooting time. The tool helps you slash troubleshooting time by 90% with easy root cause investigation. It allows you to find even the most complex lockout reasons in minutes so you know exactly what needs to be fixed.
Reduce the pressure on your help desk. The tool empowers the IT team to quickly troubleshoot user issues and minimize business downtime whenever a service account from a critical app or a domain controller gets locked out.

Tool #2. Account Lockout Status tools

This is a set of tools Microsoft offers to help you with account lockout troubleshooting:

exe collects and filters events from the event logs of domain controllers. This tool has a built-in search for account lockouts. It gathers the event IDs related to a certain account lockout in a separate text file.
exe examines all DCs in a domain, letting you know when the target account last locked out and from which DC. In addition, it provides the locked-out account's current status and the number of bad password attempts.
Netlogon logging is used to track Netlogon and NT LAN Manager (NTLM) events. Enabling Netlogon logging on all DCs is an effective way to isolate a locked-out account and see where the account is being locked out. Although Netlogon logging isn't part of the account lockout and management tools, NLParse.exe is used to parse the Netlogon logs, and NLParse.exe is one of the account lockout tools.
Acctinfo exposes more properties in ADUC (Active Directory Users and Computers) (e.g., last logon and password expires). Specifically, with this add-on, you get an extra tab in ADUC called additional account info that helps isolate and troubleshoot account lockouts and change a user's password on a domain controller on that user's site.

Tool #3. AD Lockouts

This simple utility tries to track the origin of Active Directory bad password attempts and lockouts. It can search each domain/domain controller for bad password attempts to access an account. It will then parse any related events on each domain controller and work out where

2025-04-17
User4243

Troubleshoot account lockout problems with a Microsoft Entra Domain Services managed domain

Article 02/19/2025

To prevent repeated malicious sign-in attempts, a Microsoft Entra Domain Services managed domain locks accounts after a defined threshold. This account lockout can also happen by accident without a sign-in attack incident. For example, if a user repeatedly enters the wrong password or a service attempts to use an old password, the account gets locked out.

This troubleshooting article outlines why account lockouts happen and how you can configure the behavior, and how to review security audits to troubleshoot lockout events.

What is an account lockout?

A user account in a Domain Services managed domain is locked out when a defined threshold for unsuccessful sign-in attempts has been met. This account lockout behavior is designed to protect you from repeated brute-force sign-in attempts that may indicate an automated digital attack.

By default, if there are 5 bad password attempts within 2 minutes, the account will be locked. It will automatically unlock after 30 minutes.

The default account lockout thresholds are configured using fine-grained password policy. If you have a specific set of requirements, you can override these default account lockout thresholds. However, it's not recommended to increase the threshold limits to try to reduce the number of account lockouts. Troubleshoot the source of the account lockout behavior first.

Fine-grained password policy

Fine-grained password policies (FGPPs) let you apply specific restrictions for password and account lockout policies to different users in a domain. FGPP only affects users within a managed domain. Cloud users and domain users synchronized into the managed domain from Microsoft Entra ID are only affected by the password policies within the managed domain. Their accounts in Microsoft Entra ID or an on-premises directory aren't impacted.

Policies are distributed through group association in the managed domain, and any changes you make are applied at the next user sign-in. Changing the policy doesn't unlock a user account that's already locked out.

For more information on fine-grained password policies,

2025-04-04
