When users report to IT that their account is locked, do the following:
- On a domain controller, open Event Viewer, go to Windows Logs -> Security, click “Filter Current Log”, and enter “4625,4740” in the “<All Event IDs>” box to show only the audit failure (4625) and account lockout (4740) events.
- Check the time the user was locked out, find the matching entry and look at its details.
- If the “Workstation Name” or “Caller Computer Name” is blank, or shows “MICROSOFT_AUTHENTICATION_PACKAGE_V1_0”, the lockout is NOT coming from a domain computer. It is most likely a mobile device: for example, Microsoft NPS (Network Policy Server) authenticating a wireless login, or an email client on the phone whose password was not updated after a password change.
Here is a source that mentions other causes of lockouts:
Extract from it:
There may be many causes for an account lockout.
• user’s account in Stored User Names and Passwords
• user’s account tied to a persistent mapped drive
• user’s account used as a service account
• user’s account used as an IIS application pool identity
• user’s account tied to a scheduled task
• un-suspending a virtual machine after a user’s password was changed
For more, refer to the KB article: http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
You can also install the Account Lockout and Management Tool:
If a user ID is getting frequently locked out, use the Eventcomb LockoutStatus.exe to determine which DC it is being locked out on, then examine the security log of that domain controller to determine the member server or workstation it is occurring on. You can then check scheduled tasks/services to nail it down, or log the user out of the identified system if logged in.
Does the user involved have a smartphone or some kind of mobile device using AD credentials to connect (like Exchange)? If it fails to connect 3 times (depending on your GPOs), it locks his account. Have a look at all his stuff that uses his user account automatically, especially his mobile (90% of the time guilty).
Refer to the link below for more steps on troubleshooting account lockouts.
Also see reference:
PowerShell script to search all DCs for the lockout event (replace USERNAME with the account name; the original one-liner queried only the single DC returned by FindDomainController(), so it is looped over every DC here):
$dcs = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).DomainControllers
foreach ($dc in $dcs) { Get-EventLog -ComputerName $dc.Name -LogName Security -InstanceId 4740 -Message "*USERNAME*" | Format-List MachineName, TimeGenerated, Message }
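The manual steps at the top (filter 4740 on each DC, read the caller computer, treat a blank or MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 caller as a non-domain source) and the one-liner just shown, combined into one script. This is an added example, not code from the original post; it assumes Windows PowerShell run with rights to read every DC's Security log, and the function names and the sample 4740 message text are constructed for illustration.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell on a
# domain-joined admin host with read access to every DC's Security log.
function ConvertFrom-LockoutMessage {
    param([Parameter(Mandatory)][string]$Message)
    # A 4740 message has two "Account Name:" lines (the Subject, then the locked
    # account); only the one under "Account That Was Locked Out:" is wanted.
    $account = [regex]::Match($Message,
        'Account That Was Locked Out:[\s\S]*?Account Name:[ \t]*([^\r\n]*)').Groups[1].Value.Trim()
    $caller = [regex]::Match($Message, 'Caller Computer Name:[ \t]*([^\r\n]*)').Groups[1].Value.Trim()
    # Blank caller or the NTLM package name: the request did not come from a domain
    # workstation (mobile device, NPS/wireless, stale saved credential). Check those first.
    $verdict = if ($caller -eq '' -or $caller -eq 'MICROSOFT_AUTHENTICATION_PACKAGE_V1_0') {
        'non-domain source (mobile device / NPS / stale credential?)'
    } else { "domain computer $caller" }
    [pscustomobject]@{ Account = $account; CallerComputer = $caller; Assessment = $verdict }
}
function Get-DomainLockouts {
    param([string]$UserName = '*', [int]$Hours = 24)
    # Query every DC: different DCs record different lockouts, so one DC is not enough.
    $since = (Get-Date).AddHours(-$Hours)
    $dcs = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).DomainControllers
    foreach ($dc in $dcs) {
        $filter = @{ LogName = 'Security'; Id = 4740; StartTime = $since }
        Get-WinEvent -ComputerName $dc.Name -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                $parsed = ConvertFrom-LockoutMessage -Message $_.Message
                if ($parsed.Account -like $UserName) {
                    [pscustomobject]@{
                        Time = $_.TimeCreated; DC = $dc.Name; Account = $parsed.Account
                        Caller = $parsed.CallerComputer; Assessment = $parsed.Assessment
                    }
                }
            }
    }
}
# Constructed, abbreviated 4740 text (blank caller) to exercise the parser without a DC.
$sample = @'
A user account was locked out.
Subject:
    Account Name:  DC01$
Account That Was Locked Out:
    Account Name:  jdoe
Additional Information:
    Caller Computer Name:
'@
ConvertFrom-LockoutMessage -Message $sample
Get-DomainLockouts -UserName 'jdoe' -Hours 48 | Sort-Object Time | Format-Table -AutoSize
```

Get-WinEvent with -FilterHashtable is used instead of Get-EventLog so the query is filtered on the DC rather than pulling the whole Security log over the network.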