Troubleshoot AD account lockouts in a few clicks
using ADAudit Plus

Some of the most common causes of lockout are:

• Programs using cached credentials
• Expired cached credentials used by Windows services
• Low threshold for password attempts
• Employees logged on across multiple devices
• Redundant credentials retained for stored usernames and passwords
• Obsolete credentials used by scheduled tasks
• Improper shared drive mappings
• AD account replication issues

There are multiple tools that help to track down the source of repeated account lockouts, most of which are labor and time-intensive. They are:

Microsoft account lockout and management tools

Microsoft offers the LockoutStatus and EventCombMT tools. Though reliable and accurate, using Microsoft’s tools require multiple individual tools that need to be set up, routine manual investigation of every Windows component, and more.

PowerShell scripts

In addition to admins being aware of the scripting language, using PowerShell scripts requires manual setup of AD security auditing. It includes finding the domain controller that has the primary domain controller emulator role, tracking down Windows Event ID 4740 in security event logs, and analyzing the details of the event found.

Account lockout examiners

A third-party solution like ADAudit Plus, that can analyze various Windows components like scheduled tasks, COM objects, OWA, applications, and ActiveSync for signs of outdated credentials and improper mapping goes a long way in finding the source of repeated account lockouts quickly.

Although it is not possible to prevent all lockouts, implementing these three best practices can reduce their number significantly.

Enable the “Account lockout duration” policy

The account lockout duration depends on organization-specific information such as the user count or industry type. Setting the duration to zero will keep the account secure by locking the account until an admin unlocks it. However, this also results in excessive requests to the help desk.

The recommended duration is between 30 and 60 minutes

Leverage the “Account lockout threshold” policy

If the account lockout threshold is set too low, accidental lockouts will be frequent. This could also make the account vulnerable to denial-of-service attacks since it's easier for the attacker to intentionally enter the wrong passwords to lock the account. On the other hand, if the threshold is set too high, the probability of a successful brute-force attack increases, as the attacker has more opportunities to try and guess the credentials.

The recommended threshold is 15 to 50.

Configure the “Reset account lockout counter after” policy

While calculating the “reset account lockout counter after” value, organizations need to keep in mind the type and level of security threats they face and balance it with the cost of help desk calls. This value should be less than or equal to the account lockout duration.

The recommended setting is anything less than 30 minutes.