ManageEngine x Forrester | Workforce Identity Platforms Landscape Report

Azure AD Management

Account Lockout Event ID: How to Find Account Lockouts  

In today’s digital landscape, security is a paramount concern for organizations. One common security challenge faced by system administrators is dealing with account lockouts. When an Active Directory user account gets locked, an account lockout event ID is generated and recorded in the Windows event logs. These event IDs provide crucial information about the lockout, such as the account name, time of the event, and the source computer responsible for the lockout. Understanding how to identify and analyze these event IDs is essential for troubleshooting and addressing account lockout issues effectively.

Introduction  

Account lockouts can occur due to various reasons, including incorrect passwords, brute-force attacks, or misconfigured applications attempting unauthorized access. When an account lockout event occurs, the corresponding event IDs, such as 4740 on domain controllers and 4625 on client computers, are logged in the Windows event logs. By examining these event IDs, administrators can pinpoint the source of the lockout and take appropriate actions to resolve the issue.

Understanding Account Lockout Event IDs  

Before diving into the process of finding account lockouts, it’s crucial to understand the two primary event IDs associated with lockout events. Event ID 4740 is logged on domain controllers when an Active Directory account is locked out, while event ID 4625 is logged on servers and workstations for both local and domain user account lockouts.

Enabling Account Lockout Events  

To begin tracking account lockout events, it’s important to configure the necessary audit policies and enable the appropriate settings. By following a few simple steps, administrators can ensure that account lockout events are logged in the Windows event logs.

  1. Open the Group Policy Management Console either on the domain controller or any computer with the Remote Server Administration Tools (RSAT) installed.
  2. Modify the Default Domain Controllers Policy by browsing to “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Advanced Audit Policy Configuration” -> “Audit Policies” -> “Account Management.” Enable both success and failure auditing for the “Audit User Account Management” policy.
  3. Next, enable the following settings under “Computer Configuration” -> “Policies” -> “Windows Settings” -> “Security Settings” -> “Advanced Audit Policy Configuration” -> “Logon/Logoff”:
  • Audit Account Lockout – Success and Failure
  • Audit Logoff – Success and Failure
  • Audit Logon – Success and Failure
  • Audit Other Logon/Logoff Events – Success and Failure

With these audit policies configured, account lockout events will be recorded in the security event logs, providing valuable information for troubleshooting.

Account Lockout Event ID 4740 on Domain Controllers  

Event ID 4740 is specifically logged on domain controllers when a user account lockout occurs. It provides essential information to help administrators identify the source of the lockout within the domain controller environment.

When troubleshooting account lockouts on domain controllers, it’s crucial to understand the various components of Event ID 4740 and how they contribute to the investigation process.

Understanding Event ID 4740 Components  

  1. Account Name: This component specifies the name of the user account that has been locked out.
  2. Account Domain: It identifies the domain in which the user account resides.
  3. Caller Computer Name: This component indicates the name of the computer from which the account lockout request was made.
  4. Caller Logon ID: It provides a unique identifier for the logon session that initiated the account lockout request.
  5. Caller User Name: This component specifies the name of the user associated with the logon session that initiated the account lockout request.
  6. Locked Account: It indicates the name of the locked-out user account.
  7. Lockout Time: This component displays the date and time when the account lockout occurred.

Analyzing each component of Event ID 4740 helps administrators gain insights into the lockout event’s origin and the corresponding user and computer involved.

Step-by-Step Instructions for Analyzing Account Lockout Event ID 4740  

To effectively analyze account lockout events using Event ID 4740 on domain controllers, follow these step-by-step instructions:

  1. Open Event Viewer: Launch the Event Viewer on the domain controller by pressing the Windows key + R, typing “eventvwr.msc” in the Run dialog, and pressing Enter.
  2. Navigate to Security Logs: In the Event Viewer, navigate to “Windows Logs” -> “Security” to access the security event logs.
  3. Filter Event ID 4740: Right-click on the “Security” log and select “Filter Current Log.” In the “Filter Current Log” dialog, enter “4740” in the “By source” field and click “OK.” This filters the log to display only Event ID 4740 entries.
  4. Analyze Event Details: Review each Event ID 4740 entry to gather information about the locked-out user account, the caller computer name, and the time of the lockout. Pay attention to the caller computer name, as it provides a clue about the source of the lockout.
  5. Investigate Caller Computer: With the caller computer name identified, proceed to investigate the potential causes of the lockout on the specific computer. This may involve checking for any running processes or services that might be using outdated credentials, verifying scheduled tasks, or examining network connection attempts originating from that computer.

By following these steps and analyzing Event ID 4740 entries, administrators can narrow down the source of account lockouts and take appropriate action to resolve the issue.

Account Lockout Event ID 4625 on Servers and Workstations  

Event ID 4625 is the primary event ID logged on servers and workstations when a local or domain user account lockout occurs. This event provides crucial information to help identify the source of the lockout and the reasons for the failed logon attempt.

When troubleshooting account lockouts on servers and workstations, understanding the components of Event ID 4625 and their significance is vital.

Understanding Event ID 4625 Components  

  1. Account Name: This component specifies the name of the user account that has been locked out.
  2. Account Domain: It identifies the domain in which the user account resides.
  3. Source Network Address: This component indicates the IP address or hostname of the computer from which the lockout request was made.
  4. Logon Type: Logon types define the type of logon attempt, such as interactive, network, or remote interactive logon.
  5. Failure Reason: It provides the reason for the failed logon attempt, which can assist in determining the cause of the lockout.

Analyzing each component of Event ID 4625 helps administrators gain insights into the lockout event, including the user account, the source network address, and the logon type and failure reason.

Step-by-Step Instructions for Analyzing Account Lockout Event ID 4625  

To effectively analyze account lockout events using Event ID 4625 on servers and workstations, follow these step-by-step instructions:

  1. Open Event Viewer: Launch the Event Viewer on the server or workstation experiencing the account lockout by pressing the Windows key + R, typing “eventvwr.msc” in the Run dialog, and pressing Enter.
  2. Navigate to Security Logs: In the Event Viewer, navigate to “Windows Logs” -> “Security” to access the security event logs.
  3. Filter Event ID 4625: Right-click on the “Security” log and select “Filter Current Log.” In the “Filter Current Log” dialog, enter “4625” in the “By source” field and click “OK.” This filters the log to display only Event ID 4625 entries.
  4. Analyze Event Details: Review each Event ID 4625 entry to gather information about the locked-out user account, the source network address, logon type, and failure reason. These details can help identify potential causes of the lockout, such as expired passwords, misconfigured applications, or unauthorized access attempts.
  5. Investigate Source Network Address: With the source network address identified, investigate the corresponding computer or IP address to determine if any suspicious activities or misconfigurations are leading to the account lockout. Check for any running processes, services, or scheduled tasks that may be causing the lockout.

By following these steps and analyzing Event ID 4625 entries, administrators can pinpoint the source of account lockouts on servers and workstations and take appropriate actions to resolve the issue.

Logon Types in Event ID 4625  

Event ID 4625 includes different logon types that provide insights into the type of logon attempt that resulted in the account lockout. Understanding these logon types helps administrators in their investigation process to identify the source of the lockout and the potential causes.

Logon TypeDescriptionDetailsExamples
2Interactive LogonThis logon type occurs when a user logs on to a computer– Console logon: When a user directly logs on to the computer’s console<br>- RUNAS command: When a user runs a program with different credentials<br>- Network KVM access: When a user accesses the computer remotely using a Keyboard, Video, and Mouse (KVM) switch
3Network LogonThis logon type occurs when a user accesses a remote resource– NET USE command: When a user establishes a network connection to a shared resource<br>- Remote Procedure Call (RPC) calls: When a user makes RPC calls to a remote server<br>- Remote registry access: When a user accesses the registry of a remote computer
4Batch LogonThis logon type occurs when a scheduled task runs– Scheduled tasks: When a task scheduled in the Windows Task Scheduler runs<br>- Batch scripts: When a batch script is executed
5Service LogonThis logon type occurs when a service starts or runs– Windows services: When a Windows service starts or runs under a specific account<br>- Background services: When a background service is initialized and requires authentication
7Unlock WorkstationThis logon type occurs when a user unlocks a locked workstation– Unlocking a locked workstation: When a user unlocks a computer that is locked due to inactivity or manual locking
8NetworkCleartext LogonThis logon type occurs when a user logs on using clear-text credentials– IIS Basic Authentication: When a user authenticates to an IIS web server using basic authentication<br>- Windows PowerShell with CredSSP: When a user uses Windows PowerShell with CredSSP (Credential Security Support Provider) for authentication
9NewCredentials LogonThis logon type occurs when a user logs on with new credentials while already logged on– RUNAS command with the /NETWORK option: When a user runs a program with different credentials and specifies the /NETWORK option
10Remote Interactive LogonThis logon type occurs when a user logs on remotely– Remote Desktop connection: When a user establishes a remote desktop session to a computer<br>- Remote administration: When a user remotely manages a server or workstation
11Cached Interactive LogonThis logon type occurs when a user logs on using cached credentials– User logging in using locally cached credentials: When a user logs on to a computer using credentials that were previously cached locally
12Cached Remote Interactive Logon (Terminal Services)This logon type occurs when a user logs on to a remote Terminal Services session using cached credentials– User accessing Terminal Services using cached credentials: When a user logs on to a remote Terminal Services session using credentials that were previously cached locally
13Cached Unlock (Terminal Services)This logon type occurs when a user unlocks a locked Terminal Services session using cached credentials– Unlocking a Terminal Services session: When a user unlocks a locked Terminal Services session using credentials that were previously cached locally
14ClearText Password Logon (Credential Manager)This logon type occurs when a user logs on using saved credentials stored in Credential Manager– Logon using saved credentials in Credential Manager: When a user logs on to a computer using credentials that were previously saved in the Credential Manager
15Network Logon with ClearText Password (Credential Manager)This logon type occurs when a user logs on using saved network credentials stored in Credential Manager– Logon using saved network credentials in Credential Manager: When a user logs on to a network resource using credentials that were previously saved in the Credential Manager

The following are the common logon types found in Event ID 4625:

  1. Logon Type 2: Interactive Logon – This logon type occurs when a user logs on to the local computer interactively, either at the physical console or through a Remote Desktop session.
  2. Logon Type 3: Network Logon – This logon type happens when a user accesses resources on a remote computer over the network, such as accessing shared folders or printers.
  3. Logon Type 10: Remote Interactive Logon – This logon type occurs when a user connects to a computer remotely using Remote Desktop Services (RDS) or a similar remote access protocol.

Analyzing the logon types in Event ID 4625 can help administrators identify the entry point of the failed logon attempt and narrow down the potential causes, such as a compromised user account, unauthorized access attempts, or misconfigured application services.

By correlating the logon types with other event details, administrators can gain a better understanding of the lockout event and take appropriate actions to resolve the account lockout.

Remember to apply these troubleshooting steps and logon type analysis in conjunction with other security measures and best practices to ensure a comprehensive approach to account lockout prevention and resolution.

How to Quickly Find the Source of Account Lockouts  

Finding the source of account lockouts can be a time-consuming process, especially in large and complex environments. However, there are several methods and tools available to streamline this task and expedite the troubleshooting process.

Using Event Viewer to Find Account Lockouts  

The Event Viewer is a built-in Windows tool that allows administrators to view and analyze event logs. To find account lockouts using the Event Viewer, follow these steps:

  1. Open the Event Viewer by pressing the Windows key + R, typing “eventvwr.msc” in the Run dialog, and pressing Enter.
  2. Navigate to “Windows Logs” -> “Security” and look for event ID 4740 (on domain controllers) or event ID 4625 (on servers and workstations).
  3. Filter the events by the specific account name experiencing lockouts or by other relevant parameters such as the source IP address or logon type.
  4. Analyze the event details to identify the source computer responsible for the lockout.

Using the Event Viewer provides a manual approach to finding account lockouts, but it can be time-consuming, especially when dealing with multiple log entries and extensive event logs. For more efficient methods, consider utilizing PowerShell commands or specialized tools.

PowerShell Commands for Finding Account Lockouts  

PowerShell offers powerful cmdlets that allow administrators to automate the process of finding account lockouts. The following PowerShell commands can be used to retrieve account lockout events:

# Find account lockouts in event ID 4740 (on domain controllers)
Get-WinEvent -FilterHashtable @{LogName=’Security’; ID=4740} | Select-Object -Property TimeCreated, Message

# Find account lockouts in event ID 4625 (on servers and workstations)
Get-WinEvent -FilterHashtable @{LogName=’Security’; ID=4625} | Select-Object -Property TimeCreated, Message

These commands retrieve the relevant events and display the time of the event along with the event message, which contains detailed information about the lockout.

Troubleshooting Account Lockouts with Event ID 4625  

Event ID 4625 contains valuable information that can assist in troubleshooting account lockouts. When analyzing these events, pay attention to the following details:

  • Account name: Identify the specific user account experiencing lockouts.
  • Source IP address: Determine the IP address of the computer attempting the logon.
  • Logon type: Understand the type of logon, whether it’s an interactive logon, network logon, or remote interactive logon.
  • Failure reason: Look for error codes or failure reasons that provide insight into the cause of the lockout.

By combining this information with other logs and network monitoring tools, administrators can identify potential causes such as misconfigured applications, expired passwords, or malicious activities.

Summary  

Account lockouts can be a frustrating issue for both users and system administrators. However, by understanding the account lockout event IDs, enabling the necessary audit policies, and utilizing tools like the Event Viewer, PowerShell commands, and the AD Pro Toolkit, administrators can efficiently find the source of account lockouts. Timely resolution of account lockouts helps ensure the security and smooth operation of an organization’s digital infrastructure.

FAQ  

Q1: Can account lockouts be caused by expired passwords?
A1: Yes, expired passwords are one of the common causes of account lockouts. When a user’s password expires, failed logon attempts can trigger an account lockout event.

Q2: Can malware or unauthorized access attempts cause account lockouts?
A2: Yes, malware or unauthorized access attempts can lead to account lockouts. Brute-force attacks, where automated tools attempt various combinations of usernames and passwords, can trigger account lockouts when the system detects multiple failed logon attempts.

Q3: Is it possible to prevent account lockouts caused by misconfigured applications?
A3: Yes, ensuring that applications and services are configured correctly can help prevent account lockouts. Configurations such as using service accounts with appropriate permissions and properly configuring password settings can minimize the occurrence of lockouts.

Q4: Can I unlock a locked-out account without finding the source of the lockout?
A4: Yes, as an administrator, you can manually unlock a locked-out account without identifying the precise source of the lockout. However, it is generally recommended to investigate and address the underlying cause to prevent future lockouts.

Q5: How often should I check for account lockout events?
A5: It is advisable to regularly monitor account lockout events, especially if your organization frequently experiences lockout issues. Setting up automated scripts or using specialized tools can help streamline the monitoring process and alert you to any lockout events promptly.

Conclusion  

Account lockouts can be a frustrating challenge for organizations, but with the right knowledge and tools, administrators can efficiently identify and resolve them. By understanding the account lockout event IDs, enabling the necessary audit policies, and utilizing tools like the Event Viewer, PowerShell commands, and the AD Pro Toolkit, administrators can quickly find the source of account lockouts and take appropriate actions to restore user access and ensure the security of their digital environment. Regular monitoring and proactive measures can help mitigate account lockout issues, promoting a secure and seamless user experience.

Related posts
Azure Active DirectoryAzure AD Management

How to implement app registration in Microsoft Entra ID

Azure Active DirectoryAzure AD Management

How to register apps using Microsoft Entra ID

Azure Active DirectoryAzure AD Management

How to implement device enrollemnt via Microsoft Intune

Azure Active DirectoryAzure AD Management

Manage Identities in Microsoft Entra ID

×

There are over 8,500 people who are getting towards perfection in Active Directory, IT Management & Cyber security through our insights from Identitude.

Wanna be a part of our bimonthly curation of IAM knowledge?

  • -Select-
  • By clicking 'Become an insider', you agree to processing of personal data according to the Privacy Policy.