How to Identify Active Directory Account Lockout Source

Summary Active Directory account lockouts are often triggered by hidden sources such as cached credentials, services using old passwords, or malicious attempts. This guide shows how to use Event Viewer and PowerShell to identify the exact computer or process causing the lockout to fix the root cause and prevent it from happening again.

Have you ever unlocked a user account only to hear, “It’s locked again” a few minutes later? As an administrator, you know that account lockout policies are a vital shield against attackers guessing their way into your Active Directory domain. However, when lockouts become frequent and repetitive, they quickly turn from a security feature into a major productivity drain.

That’s why it’s essential to identify the account lockout source and cause in Active Directory before unlocking any account. Finding where the lockout originated reveals the root cause, explains why it happened, and ensures the issue is fixed before restoring access.

In this blog, we will explore:

Here’s a concise look at what happens behind the scenes when repeated failed sign-ins lead to an account lockout in Active Directory:

The process begins when an administrator configures an account lockout policy—defining the lockout threshold, lockout duration, and reset counter.

Now that you have a grasp of the basics, you will need the right tools and prerequisites to pinpoint the source of these lockouts.

Account lockouts do not occur without an account lockout policy configured through the a Group Policy Object or Fine Grained Password Policies. While these policies trigger the lock, enabling appropriate audit logs is the only way to make those events traceable.

The following checks ensure your environment is prepared to capture and surface these events without gaps. Performing these actions requires Domain Admin privileges.

1. Enable auditing for account lockouts
2. Enable remote event log access using Group Policy

Auditing account lockouts ensures that every failed sign-in attempt is recorded in the Security log, giving you the evidence needed to trace where each lockout originated. To enable auditing for account lockouts:

1. Open Server Manager and launch Group Policy Management. Expand your forest and select the domain you want to modify.
2. Right-click the appropriate GPO and select Edit. If you want to create a new GPO instead, right-click the appropriate container and select Create a GPO in this domain, and Link it here.
3. In the GPM Editor, navigate to:

Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies

4. From here, configure the following audit categories:
   For Event ID 4740 (Account Lockout – DC scope)
   • Go to Account Management → open Audit User Account Management.
   • Select Configure the following audit events.
   • Enable Success and Failure and then click OK to save the policy.

5. For Event ID 4625 (Failed Logon – Domain scope)

• Go to Logon / Logoff and enable Success and Failure for:
  • Audit Account Lockout
  • Audit Logon

Note: Enable 4740 auditing in the Default Domain Controllers Policy or equivalent, as lockout events are generated on DCs. Enable 4625 auditing in the Default Domain Policy or equivalent to capture failed sign-ins from all clients and services. Together, these settings ensure every failed attempt and lockout is logged, giving you the event data needed to trace the account lockout source.

In addition, increase the Security log size in Event Viewer to prevent critical lockout events from being overwritten—especially in high-traffic environments with frequent authentications.

Tracing account lockouts with Event Viewer is traditionally slow and manual—you jump from the DC (Event ID 4740) to the client machine (Event ID 4625), repeating this process for every incident. During mass lockouts, this back-and-forth quickly becomes impractical.

That’s where enabling Remote Log Event Access becomes invaluable. It allows you to use Event Viewer’s Connect to Another Computer feature to investigate both the Domain Controller and the source system from a single machine.

1. Open Group Policy Management and either edit the Default Domain Policy or right-click the appropriate OU and select Create a GPO in this domain, and Link it here option.
2. Then navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Defender Firewall with Advanced Security > Inbound Rules.
3. Right-click Inbound Rules and select New Rule.
4. Choose Predefined under What type of rule would you like to create?
5. From the drop-down, select Remote Event Log Management and click Next.

6. Select all three rules below and click Next:
   • Remote Event Log Management (RPC): The main data highway used to actually transmit the event log data and management commands.
   • Remote Event Log Management (NP-In): A backup connection method that allows log access through the file-sharing protocol (SMB) instead of dedicated RPC ports.
   • Remote Event Log Management (RPC-EPMAP): Acts as the directory service that tells your computer which specific network port to use for the connection.

7. Choose Allow the connection and click Finish.
8. Then, right-click the newly created rule and select Properties → Advanced.
9. Under Profiles, enable only Domain and clear the other profiles, such as Private and Public. This ensures that remote event log access is allowed only on the domain joined machines and prevents access from systems connected to private or public networks.

Tip: To apply the configured Group Policy objects immediately, run gpupdate /force in Command Prompt or Windows PowerShell.

You can identify exactly which computer or service is causing a user account to lock in Active Directory using either Event Viewer or PowerShell. To do this, you need at least Event Log Reader privileges to access the security events that reveal the lockout source.

You can trace the account lockout source in Event Viewer using these two steps:

1. Identify the source computer on the Domain Controller
2. Connect to the source computer and find failure events

Here is how to find AD user lockout events and determine the time and specific computer causing the lock.

1. To trace a lockout accurately, identify the DC holding the PDC Emulator role using the following PowerShell command:

2. Open Event Viewer, right-click Event Viewer (Local), and select Connect to Another Computer.
3. Enter the name of the PDC Emulator in the Another computer field and click OK. Skip this step if you are already logged in to the current PDC Emulator of the domain.

4. Navigate to Windows Logs → Security.
5. Select Filter Current Log and search for Event ID 4740 (A user account was locked out). Open the event and review these fields:
   • Account Name – The locked user
   • Caller Computer Name – The source machine causing the lockout
   • Time Generated – When it occurred

The Caller Computer Name pinpoints the device responsible—often a workstation or server. For RDP sessions using NLA authentication, this field records the host machine that initiated the connection, rather than the remote system the user attempted to access.

1. Open a new Event Viewer instance, right-click Event Viewer (Local), and select Connect to Another Computer.
2. Enter the computer name or IP address of the caller computer in the Another Computer field, then click OK. You can also use Browse to search and select the client machine.
   
   Note: If the Caller Computer Name in Event ID 4740 points to a host machine that initiated the connection through RDP, it indicates that the actual lockout source may lie beyond that system. In such cases, you must repeat the following steps on all computers in the domain to find the exact lockout source of the respective lockout event.

3. Once connected, query the source computer’s logs for failed sign-ins by navigating to Windows Logs → Security.
4. Select Filter Current Log, enter Event ID 4625, and click OK (An account failed to log on).
5. Match the timestamps with the corresponding 4740 events on the Domain Controller and review the related 4625 failures around that time.
6. Review the event details for Account Name, Logon Type, and Process Name to determine whether the failures come from a service, scheduled task, or application.

Even tracing account lockouts across multiple Event Viewer instances can be tedious and time-consuming. PowerShell streamlines this process by instantly revealing the reason and the source where user locked out in Active Directory.

Ensure the Active Directory module is available and imported on your machine, then execute the following PowerShell script:

Once after execution, the script immediately returns key details such as the lockout time, affected user, caller computer name, process name, logon process name, and event logged computer.

After exploring the hurdles involved in tracing an account lockout source, why not switch to the easiest approach? AdminDroid’s Active Directory Lockout Source report slices and dices lockout data to place every critical detail right at your fingertips — no DC hopping, no scripts, no complexity.

The following are the most common errors encountered while tracing account lockout sources, along with clear guidance on how to resolve them.

• Error 1: An object (Computer) with the following name cannot be found: “<ComputerName>”.

This error occurs when Event Viewer cannot locate the specified computer in Active Directory.

Solution: Check that the correct computer object and location are selected and confirm that the computer name is entered accurately.

• Error 2: Computer “<ComputerName>” cannot be connected.

This error occurs when you attempt to connect to another computer through Event Viewer where remote event log access is not properly enabled.

Solution: Ensure the computer name is correct, the machine is powered on, and it is reachable on the network. Also, verify that the required Windows Firewall inbound rules for remote event log access are enabled on the target computer.

• Error 3: Get-WinEvent: Attempted to perform an unauthorized operation.

This error occurs when PowerShell connects to another computer, but remote event log access isn’t permitted on the target system. It can also occur when the user lacks sufficient privileges to read the Security logs.

Solution: Confirm the computer name is correct, the machine is online and reachable, and the required remote event log access is enabled on the target computer. Also, ensure that you have sufficient privileges.

• Error 4: Get-WinEvent: The RPC server is unavailable

This issue occurs when the DC cannot connect to the target computer while the PowerShell script attempts to retrieve its event logs.

Solution: Perform the following checks to resolve this error:

• Enable the Remote Event Log Management inbound rules in the firewall settings on the target computer.
• Ensure the Remote Procedure Call (RPC) service is running.
• Verify network connectivity using ping and confirm proper DNS resolution for the computer.

1. PDC & DC Visibility: While the PDC Emulator is the primary authority for lockouts, it is not a single point of failure. If the PDC is unreachable or experiencing replication lag, any available Domain Controller (DC) can process the lockout.

2. Role Transfer or Seizure Impact: When the PDC Emulator role is transferred or seized, upcoming account lockout events are logged on the new role holder. During this transition, lockouts may appear on other domain controllers, so ensure all DCs are included in your investigation. In cases where the existing role holder is decommissioned from the domain, lockouts logged there are not accessible.

3. Environment-Wide Lockout Event Capture: The given script’s approach of querying all DCs for 4740 and querying all domain-joined computers for the 4625 is the most reliable way to capture events across the entire environment.

4. Timestamp Correlation: When matching Event 4740 with 4625, allow for a few seconds of tolerance to account for logging delays or clock skew, especially in newer infrastructure setups.

5. Blank Caller Names: If Event 4740 lacks a “Caller Computer Name,” the lockout likely originated from a service, an outdated protocol (NTLM), or a non-Windows device where IP tracking becomes essential.

6. Infrastructure Availability: Comprehensive investigation requires consistent access to logs across all Domain Controllers (DC), Workstations (WS), and Member Servers (MS) to trace the original login attempt. If any machine involved in the lockout or its processing is offline or disabled, it can prevent you from obtaining accurate results.

7. LockoutStatus.exe: This is a specialized Microsoft utility that shows an account’s lockout state and password metadata across all domain controllers. However, it requires you to manually query each target user account one at a time, making it less efficient for bulk investigations or environments where multiple users experience frequent lockouts.

In conclusion, identifying the account lockout source is the key to effective troubleshooting. We hope this blog eases that process for you. Thanks for reading! Share your thoughts or questions in the comments—we’d love to hear from you.