5 min read
Symptom
Account Lockouts in Active Directory
Additional Information
“User X” is getting locked out and Security Event ID 4740 are logged on respective servers with detailed information.
Reason
The common causes for account lockouts are:
Troubleshooting Steps Using EventTracker
Here we are going to look for Event ID 4740. This is the security event that is logged whenever an account gets locked.
2. Select search on the menu bar
3. Click on advanced search
4. On the Advanced Log Search Window fill in the following details:
Once done hit search at the bottom.
You can see the details below. If you want to get more information about a particular log, click on the + sign
Below shows more information about this event.
Now, let’s take a closer look at 4740 event. This can help us troubleshoot this issue.
Resolution
Logon into the computer mentioned on “Caller Computer Name” (DEMOSERVER1) and look for one of the aforementioned reasons that produces the problem.
To understand further on how to resolve issues present on “Caller Computer Name” (DEMOSERVER1) let us look into the different logon types.
How to identify the logon type for this locked out account?
Just like how it is shown earlier for Event ID 4740, do a log search for Event ID 4625 using EventTracker, and check the details.
Logon Type 7 says User has typed a wrong password on a password protected screen saver.
Now we understand what reason to target and how to target the same.
Applies to
Microsoft Windows Servers Microsoft Windows Desktops
Contributors
Ashwin Venugopal, Subject Matter Expert at EventTracker Satheesh Balaji, Security Analyst at EventTracker
Download the Whitepaper
10 min read
7 min read