Wednesday, October 11, 2023


Step by Step Guide How to find the user Account Lockout Source Computer and Application

In today's post, I will discuss an easy way to find the source computer and application behind your account lockouts. Many end users save their password somewhere in a Windows service, an application, or a batch file and forget to update it after a password change. Keeping passwords in applications, scheduled tasks, and Windows services is not good practice. It is always recommended to use a Group Managed Service Account (gMSA) or a dedicated service account for Windows services instead of a user's own credentials.


There are many reasons behind your Account Lockouts.


1. Windows services using your old login credentials.
2. Applications using old login credentials.
3. Network drives mapped using expired Windows login credentials.
4. Windows scheduled tasks using an expired login password.

1. How to find the source computer name from the domain controller security events.

When the administrator configures the domain, they set an account lockout threshold, which locks the user account if anyone tries to guess or misuse its password. This helps to protect your login account and the company infrastructure. The threshold specifies how many times a user can attempt to log in with the wrong credentials before the account locks out. Whenever your account gets locked out, the domain controller generates Event ID 4740. To find the source of the account lockout, log in to the domain controller and open Event Viewer -> Windows Logs -> Security.

In the right-hand Actions pane, click Filter Current Log. In the "All Event IDs" field type 4740 and click OK to show only Event ID 4740. A lockout event looks like this:

A user account was locked out.

Subject:
    Security ID:        SYSTEM
    Account Name:        MY-AD$
    Account Domain:        AzureHowTos
    Logon ID:        0x007

Account That Was Locked Out:
    Security ID:        AzureHowTos\Azure
    Account Name:        Azure

Additional Information:
    Caller Computer Name:    PC-01 

As you can see above, my user account is locked out and the source is PC-01 (the "Caller Computer Name"). So I need to check PC-01 and find out what is going on there.

2. How to Find the Application which is locking out my user Account.

It is easy to find the source computer, but Event ID 4740 does not show which application is locking out your user account. There is one easy way to find that application: the source computer records a failed logon (Event ID 4625) for each bad password attempt, and that event includes the logon type and the process that submitted the credentials.

1. Log in to the end user's computer and open PowerShell ISE as an Administrator.

2. Copy and paste the script below and run it. Note: replace PC-01 with the source computer name shown in the 4740 event (or with your own computer name).

# Failed logons (4625) in the Security log from the last 5 days
$filter = @{LogName = "Security"; Id = 4625; StartTime = (Get-Date).AddDays(-5)}

# Query the source computer; -MaxEvents 1 returns only the newest failed logon
# (-ErrorAction 0 is SilentlyContinue, so no error is shown if there is none)
$lockouts = Get-WinEvent -ComputerName PC-01 -FilterHashTable $filter -MaxEvents 1 -ErrorAction 0

# Properties of a 4625 event by index: [5] = target user name, [10] = logon type
# (2 interactive, 3 network, 4 batch/scheduled task, 5 service), [11] = logon
# process, [18] = the process that submitted the credentials
$lockouts | Select @{Name = "LockedUserName"; Expression = {$_.Properties[5].Value}}, `
@{Name = "LogonType"; Expression = {$_.Properties[10].Value}}, `
@{Name = "LogonProcessName"; Expression = {$_.Properties[11].Value}}, `
@{Name = "ProcessName"; Expression = {$_.Properties[18].Value}}


3. In the output you can see that my user account was locked out by a Windows service (logon type 5, with the service host as the process name). This helps you narrow down the issue and find the source application that is locking out your user account.
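The script above returns only the single newest 4625 event. As an added example (not part of the original post), the following PowerShell script chains both steps: it reads the latest 4740 event for a user on the domain controller, takes the caller computer from it, and then groups every 4625 for that user on the caller computer by logon type and process, so repeated offenders stand out. It assumes you have event log read rights on both machines; the domain controller name is a placeholder, and the user name is the one from the sample event above.

```powershell
# Added example: correlate DC lockout event 4740 with failed logons 4625 on the caller.
param(
    [string]$User = 'Azure',             # account from the 4740 sample above
    [string]$DomainController = 'DC-01', # placeholder, use your PDC emulator
    [int]$Days = 5
)

$since = (Get-Date).AddDays(-$Days)

# 1. Latest lockout for the user on the DC. In event 4740, Properties[0] is the
#    locked-out account and Properties[1] is the "Caller Computer Name"
#    (it is stored in the TargetDomainName data field of the event XML).
$lockout = Get-WinEvent -ComputerName $DomainController `
    -FilterHashtable @{LogName = 'Security'; Id = 4740; StartTime = $since} `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $User } |
    Select-Object -First 1

if (-not $lockout) {
    Write-Warning "No 4740 for $User on $DomainController in the last $Days days"
    return
}

$caller = $lockout.Properties[1].Value
Write-Host "User $User locked out at $($lockout.TimeCreated); caller computer: $caller"

# 2. On the caller computer, collect all failed logons for that user and group
#    them by logon type and submitting process. Logon type 5 = service,
#    4 = batch (scheduled task), 2 = interactive, 3 = network. For type 3 the
#    real origin is the workstation/IP fields, since the caller is then the
#    server that validated the credentials (for example a file server).
$failed = Get-WinEvent -ComputerName $caller `
    -FilterHashtable @{LogName = 'Security'; Id = 4625; StartTime = $since} `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[5].Value -eq $User }

$failed |
    Group-Object { '{0}|{1}|{2}' -f $_.Properties[10].Value, $_.Properties[18].Value, $_.Properties[13].Value } |
    ForEach-Object {
        $newest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Attempts    = $_.Count
            LogonType   = $newest.Properties[10].Value
            ProcessName = $newest.Properties[18].Value
            Workstation = $newest.Properties[13].Value
            SourceIP    = $newest.Properties[19].Value
            LastAttempt = $newest.TimeCreated
        }
    } | Sort-Object Attempts -Descending | Format-Table -AutoSize
```

Run it as an account that can read the Security log on both machines; the row with the most attempts is normally the service, task or application that still holds the old password.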

