The Best Account Lockout Analyzers
UPDATED: August 8, 2024
Account lockouts can be complicated because they are rarely a straightforward issue of an error in Active Directory.
Here is our list of the best account lockout analyzers:
- ManageEngine ADAudit Plus – EDITOR'S CHOICE: This large package of AD-related account management tools includes automated detection and remediation processes for account lockout events. Available for Windows Server, AWS, and Azure. Start a 30-day free trial.
- Netwrix Account Lockout Examiner: Examine and analyze each lockout event with this efficient and effective package. Runs on Windows.
- Microsoft Account Lockout and Management Tools: A suite of tools that identifies lockouts and works out the reasons for them. Runs on Windows and Windows Server.
- Lepide Active Directory Account Lockout Tool: This free utility discovers locked accounts and documents them, providing assistance for investigations into their causes and a method to unlock them. Available for Windows Server.
- Quest Enterprise Reporter for Active Directory: Get assessment reports for a range of account conditions in Active Directory and Entra ID, including lockouts. Runs on Windows Server.
- SolarWinds Access Rights Manager: This management interface for multiple Active Directory instances implements continuous scans of account events, alerts when lockouts occur, and offers details of each event. Runs on Windows Server.
- CJWDEV AD Info: A flexible reporting tool that provides on-demand scans of a domain controller, listing accounts by status, including an option for lockout detection. Available in free and paid versions. Runs on Windows.
The majority of account lockout incidents don’t affect a user account across the board. A blanket problem with an account in Active Directory is easy to fix – there is an error in the AD record. However, if a user is reporting a problem with logging into just one application while all other access works, then you have other issues to look at.
Dealing with a user-reported access problem can be a headache but it is better to spot problems before the users are aware of them. Automated lockout analyzers look through Windows Event Logs and Active Directory records and deduce a problem. Such a tool would then raise an alert and highlight the system error. This could be set up to provide automated responses or a report that leads a technician to a solution.
Unsurprisingly, sophisticated monitoring tools that can spot problems before the users do are expensive, and not everyone is prepared to pay out for a lockout prevention system. There are many lockout reporting systems that are available for free.
What to consider when finding your account lockout analyzer
The concept of analysis is a little broad and you might be looking for a system to just detect an account lockout so you can get to AD and unlock the account. You might be in the market for a tool that can spot the causes of irregular account statuses, such as a replication error. So, there are many types of tools that could do the job that the title of this review describes.
We looked for these services:
- A scanner for Active Directory that will list locked accounts
- A system that will raise an alert as soon as a lockout occurs
- A package that is able to provide details of the event that caused the lockout
- The ability to cover multiple domains and multiple domain controllers per domain
- Options to view reports in a dashboard or print them out
- Storage for statistics for long-term account lockout analysis
- A fair price that matches the functionality on offer
Basically, you won’t get all of these features from a free tool, but we have included free locked account listing utilities. We know that a lot of our readers are just looking for useful utilities to have on hand for quick inquiries.
1. ManageEngine ADAudit Plus – FREE TRIAL
ManageEngine ADAudit Plus provides analysis of user activity and file integrity monitoring. Rather than offering a management interface for Active Directory, this package exploits the data in AD to see what users are up to. The tool accesses data in Active Directory all the time, and one of its functions is an examination of lockout events.
Key Features:
- Live lockout detection: You don’t need to run a report to find out that an account has been locked
- Information on other system errors: Alerts in the dashboard might show a problem that caused the lockout
- Lockout background: See a list of all the recent events on the locked account
- Option to automate responses: Set up a script to run automatically and unlock an account
- Historical analysis: Look through lockout event records to see if there is a common cause
Why do we recommend it?
ManageEngine ADAudit Plus is one of the few fully automated lockout detection and remediation systems available. This package has many more functions that relate to security. However, looking at its lockout management service, you can choose the degree of automation that it will implement. Get an alert as soon as a lockout occurs.
I found that this package is our top pick in this review because it provides the most automation in detecting and reversing locks on accounts in Active Directory of all the systems currently available on the market. However, you might not be looking for so much functionality, which is why we have more tools on this list and didn’t end this review here.
Who is it recommended for?
This system is useful for any business that uses Active Directory as its access rights manager. There are many more functions in this tool besides its lockout analyzer, and the need for those functions will influence the decision to buy the package. The ADAudit Plus system is particularly important for larger businesses where users have been given access to many applications, any of which could suddenly impose a lockout.
Pros:
- Additional security features: File integrity monitoring and user behavior analytics
- Anomaly analysis: Identification of unusual behavior that could have caused lockouts
- Provides compliance reporting: SOX, HIPAA, PCI DSS, GLBA, FISMA, GDPR, and ISO 27001
- Account takeover detection: The lockout could be a valid security mechanism
- Deployment options: Run on premises or on the cloud
Cons:
- There is no SaaS version: You can host it on the cloud but that will be on your own account
ADAudit Plus is available for Windows Server, AWS, and Azure. ManageEngine offers this package on a 30-day free trial.
EDITOR'S CHOICE
ManageEngine ADAudit Plus is our top pick for an account lockout analyzer because this package will be active all around your system, identifying insider threats, account takeovers, and password cracking attempts. This work lays the groundwork for possible explanations for account lockouts because the security features of ADAudit Plus might have been the mechanism that caused the account to be locked. If the user account has not been involved in suspicious activity, ADAudit Plus will alert the user to the unexpected lockout and provide background information about the event. Information on each account lockout is stored and provides source data for historical analysis. This assists systems administrators when they are fine-tuning security policies over issues such as the number of allowed login attempts. The historical analysis might also reveal a faulty application that is locking out users unnecessarily. The tool will keep your system secure while still being available for appropriate use. Automated responses can speed up lockout resolution, and activity logging for all actions helps with compliance reporting.
Download: Start a 30-day FREE Trial
Official Site: https://www.manageengine.com/products/active-directory-audit/sem/lp/windows-ad-user-account-keeps-getting-locked-out.html
OS: Windows Server, AWS, and Azure
2. Netwrix Account Lockout Examiner
Netwrix Account Lockout Examiner is a single-function utility, so it isn’t anywhere near as extensive as ADAudit Plus. However, it does its one task well and better still, it is free to use.
Key Features:
- Single account checker: Give the tool an account to look at
- List an account’s events over time: Provide a date range
- Confirms a lockout: Tests the account
- Lists devices and applications: Shows all the assets where the account is faulty
Why do we recommend it?
Netwrix Account Lockout Examiner is a simple tool. You need to know about a locked account from somewhere else because the account name is one of the required inputs to the tool. The utility will show all the devices and applications where the account is used but is not working.
I noted that this is a handy tool but it requires a lot of manual effort to get a lockout explained and resolved. However, it is free and you can’t expect the world when you aren’t paying anything.
Who is it recommended for?
This is a handy utility to have on the computer to assist with manual investigations. You first need to know about a locked account – information that you might get from a user’s complaint. The tool will tell you which DCs to check by identifying where the account is used. You will then have to check each manually.
Pros:
- Scans all domains: Produces a summary for a given account
- Shows Event Log extracts: Can provide guidance on the cause of the lockout
- Easy to install: Runs on Windows
- Free to use: There is no paid version
Cons:
- Not available for Linux or macOS: Also no cloud version
Netwrix Account Lockout Examiner is only available for Windows. Download the tool for free.
3. Microsoft Account Lockout and Management Tools
Microsoft Account Lockout and Management Tools is provided for free by Microsoft for the examination of lockouts. This would be the obvious top pick for our review, except that the package requires you to skip from utility to utility in order to discover and resolve a lockout. Another detraction is that the tool was written in 2019 and hasn’t been updated since.
Key Features:
- A suite of tools: All the utilities are installed from one installer
- Scans multiple DCs: Looks everywhere for a given account
- Includes an Event Log viewer: Shows where the lockout occurred
Why do we recommend it?
Microsoft Account Lockout and Management Tools is a suite of investigation utilities provided by the creator of Active Directory. This seems like it should be the top pick on this list but it isn’t easy to use, and the package doesn’t provide any discovery automation or resolution features.
I learned that this package provides more or less the same features as the Netwrix tool but spread across a number of different programs. Thus, you have to open a number of utilities instead of operating in a single interface.
Who is it recommended for?
This tool is great for those who prioritize Microsoft products above all other systems. It seems to make sense to use an account investigation tool that comes from the makers of Active Directory. Administrators who aren't locked into the Microsoft mindset would probably prefer the Netwrix tool.
Pros:
- A Microsoft tool: From the makers of Active Directory
- Runs on Windows: The natural home of Microsoft products
- Free to use: Permanently free, not a free trial
Cons:
- Doesn’t have any automation: Requires a lot of manual steps
The Account Lockout and Management Tools install on Windows. Download the tool for free.
4. Lepide Active Directory Account Lockout Tool
Lepide Active Directory Account Lockout Tool is a strong rival to the Netwrix Account Lockout Examiner – the two tools are almost identical. This system will scan all DCs for evidence of lockouts on a specific account.
Key Features:
- Scans multiple domain controllers: Looks for a given account
- Lists errors: Shows where the account is locked
- Provides a brief description: This is taken from the Event Log related to the lock
Why do we recommend it?
Lepide Active Directory Account Lockout Tool is a handy free tool for exploring an account that you know has been locked. You will need some other tool to discover locked accounts or you could wait until the user complains. The service can save discoveries in a file on demand.
I discovered that rather than providing an option to see the relevant Event Log extract in a details screen, this tool shows a summary of the event on the record in the discovery screen. The account can easily be unlocked thanks to the presence of a button in the report screen.
Who is it recommended for?
This tool has the same strengths and weaknesses as the Netwrix tool, and so has the same audience. The tool does not scan for locked accounts – you have to already know of a lockout and enter the account name in order to get a report.
Pros:
- Provides an unlock button: Easily restore locked accounts
- Offers an option to save data: Store the lockout information in a log file
- On-premises system: Runs on Windows Server
Cons:
- Requires an account name as input: You need to already know that an account has been locked
This tool is available for Windows Server and you can download it for free.
5. Quest Enterprise Reporter for Active Directory
Quest Enterprise Reporter for Active Directory scans Active Directory on-premises and Entra ID (Azure AD) on the cloud and picks out objects according to specific attributes and their values. That is, select a report about locked accounts or run a report about accounts soon to expire. There are many report options in the menu of the tool, and the account lockout report is just one of them.
Key Features:
- A range of reports: Select a topic from a menu
- Suitable for hybrid systems: Covers Active Directory and Entra ID
- Snapshots: Compare records between two points in time
Why do we recommend it?
Quest Enterprise Reporter for Active Directory provides a long list of reports, which are, essentially, searches of an Active Directory instance. Some reports will run through the entire DC, while others can be limited to focus on one specific record.
I observed that the Quest Enterprise Reporter system is also available for other technologies, such as Microsoft 365, Exchange Server, Windows Server, OneDrive for Business, SQL Server, and file storage.
Who is it recommended for?
This package is a good alternative to the free Netwrix Account Lockout tool for administrators who want to discover all locked accounts without having to resort to another tool or wait for a user to complain.
Pros:
- Scans for a range of Microsoft products: Quest Enterprise Reporter has other modules apart from the Active Directory reporter
- On-premises system: Installs on Windows Server
- On-demand reports: Scheduling is also possible
Cons:
- No price list: You have to request a quote
This package runs on Windows Server and it is available for a 30-day free trial.
6. SolarWinds Access Rights Manager
SolarWinds Access Rights Manager provides an admin interface for Active Directory. This interface provides better functionality than the Active Directory Users and Computers screen and includes a reporting module. One of the reports available in the package is an account lockout scan.
Key Features:
- Scan for locked accounts: Searches through multiple DCs
- Hybrid system: Connects to Entra ID as well as on-premises Active Directory
- Mechanism to unlock accounts: A simple process
Why do we recommend it?
SolarWinds Access Rights Manager gives you a better administration console for Active Directory than that provided by Microsoft. Once you have this tool set up, you won’t need to use the native screens of AD anymore. This package can monitor multiple domain controllers, including those on Entra ID.
I noticed that the reports of the Access Rights Manager can be set to run automatically on a schedule. The service includes reports for compliance management that follow GDPR, HIPAA, and PCI DSS.
Who is it recommended for?
This package is suitable for larger organizations. SolarWinds doesn’t offer a free edition for small businesses, and there is no subscription option. You have to buy the software on a perpetual license and it is only available for Windows Server.
Pros:
- Records all login attempts: Accumulates data on failed logins
- Alerts for account problems: Highlights possible reasons for account lockouts
- Registers account lockouts: Shows which account is locked in which DCs
Cons:
- Not available as a SaaS package: This is an on-premises package
The software for Access Rights Manager is available for Windows Server and you can get it on a 30-day free trial.
7. CJWDEV AD Info
CJWDEV AD Info is available in free and paid versions. The free edition includes the package’s reporting module, and this could provide a useful facility for administrators who do not want to pay for account lockout analysis tools. It is possible to run a report per domain and list the accounts that have the Account Is Locked Out flag set.
Key Features:
- Free option: Account lockout data is available in the free edition
- View results in the interface: Optionally write reports to CSV files
- Scan any other user account attribute: Check a box for each attribute that you want to see
Why do we recommend it?
CJWDEV AD Info provides a solution for administrators who want to use the free Netwrix or Lepide tools. Those systems require that you know that an account is locked out before you run them. CJWDEV can provide a list of locked out accounts that you can then check one by one with the other tools.
I found that this is a handy tool to have available because it includes a record browser. It will read in all the records in your AD domain controller so you can then scan through them. Facilities in the interface allow you to sort, search, and group records.
Who is it recommended for?
This is a useful tool for any administrator – especially in its free version. Combine this package with the Netwrix Account Lockout Examiner or the Lepide Active Directory Account Lockout Tool to discover and unlock accounts.
Pros:
- Simple tool: Easy to understand
- Cause investigations: Look for failed logins
- On-premises software: Runs on Windows
Cons:
- Per DC scans: Won’t search across DCs
The software for CJWDEV AD Info runs on Windows and you can download it for free.