Server 2012, AD Accounts

Good day,

I am having a problem with my DC accounts; they keep locking the users out and then I have to unlock the users, so I am not sure what to do. I have been struggling for months now.

Please assist urgently, as this thing irritates the hell out of my Seniors when they are locked out.

August 21st, 2015 10:06am

It may help - Troubleshooting account lockout  http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
August 21st, 2015 11:54am

Hello,

Please check the Antivirus on the Domain Controller. If possible, run a full scan on the DC.

August 21st, 2015 12:32pm

Also check the below, as those are common for account lockout. Run the EventCombMT.exe tool to find the exact root cause, i.e. on which machine your account is getting locked.

Event ID 531 : Account disabled
Event ID 532 : Account expired
Event ID 535 : Password expired
Event ID 539 : Logon Failure: Account locked out
Event ID 644 : User account locked out
Event ID 4740: A user account was locked out. (Windows 2008 & Windows 7)


Common cause for Account Lockout

Programs

Service accounts

Bad password threshold is set too low.

User logging on to multiple computers.

Scheduled tasks

Persistent drive mappings

Active Directory Replication

Disconnected Terminal Server Sessions

August 21st, 2015 12:39pm

On the DC security logs look for event ID 4740; find the user account in question. This event will record the machine that is locking them out.
August 21st, 2015 3:54pm
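The 4740 lookup described in the reply above, written out as an added example (not code from the thread or from any Microsoft tool). It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Security log on the DC; the user name `jsmith` is a constructed sample.

```powershell
# Added example: list 4740 lockout events and the computer each one was reported from.
# Assumptions: RSAT ActiveDirectory module present; rights to read the DC Security log.
param(
    [string]$User  = 'jsmith',   # constructed sample account; leave empty to list all users
    [int]$Hours    = 24          # how far back to search
)

Import-Module ActiveDirectory

# Lockouts are always recorded on the PDC emulator, so query it rather than every DC.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$results = foreach ($e in $events) {
    # Read the event data by field name instead of by positional index.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($User -and $data['TargetUserName'] -ne $User) { continue }

    # In event 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Account = $data['TargetUserName']
        Source  = $data['TargetDomainName']
        DC      = $pdc
    }
}

# Show which source machines lock the account most often; that machine is where to
# look next for stale mapped drives, services, scheduled tasks or disconnected sessions.
$results | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{n='Source'; e={$_.Name}}

$results | Sort-Object Time -Descending | Format-Table -AutoSize
```

If the Source column is a workstation rather than a server, check that machine's stored credentials and mapped drives first; if it is a DC or a blank value, the bad password is usually arriving through a service or an application that authenticates on the user's behalf.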

From the event logs, you need to identify the source of logon failures. Once done, you need to check what might be wrong with the source system/application. This can help: https://dirteam.com/paul/2012/04/23/user-account-lockout-troubleshooting/
August 22nd, 2015 9:03pm

In case of the account lockout, I would suggest you do the following:

First identify the source from where the bad credentials are being generated. To do that, please create the below mentioned group policy at domain level:

Audit Account Logon Events - Success and Failure

Audit Logon Events - Success and Failure

Account Management - Success

Then enable Netlogon logging on all the domain controllers. Please refer to the below mentioned article for this.

Enabling debug logging for the Net Logon service :- support.microsoft.com/en-us/kb/109626

The above article works for all the OS versions.

Let me know once you have done all of the above.

August 22nd, 2015 9:31pm

To effectively troubleshoot account lockout, you should first enable some auditing (as mentioned by Ankur above) at the domain level. Then analyze data from the Security event log files and the Netlogon log files to help you determine where the lockouts are occurring and why.
 
After you narrow down your scope to a specific client computer or member server, you should gather detailed information about all of the programs and services that are running on that computer. For example:
 
1. Mapped network drives
2. Logon scripts that map network drives
3. RunAs shortcuts
4. Accounts that are used for service account logons
5. Processes on the client computers
6. Programs that may pass user credentials to a centralized network program or middle-tier application layer
 
Some Account Lockout Tools might be helpful for the troubleshooting, more reference:
 
https://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
 

Regards,

Eth

August 24th, 2015 3:32am
