It is a common question for administrators: from where has a user account been locked out? You have secured your user accounts against password guessing attacks such as brute force, but what do you do when a user actually gets locked out? In most cases administrators struggle to find the root cause of the lockout. Here I show you that this is actually pretty easy.
Firstly you need to understand that lockout events are recorded in the Security log of the PDC emulator with event ID 4740. So basically you have to filter the Security log for this specific event ID and go through all of the matches to find where a user was locked out from. Unfortunately there is no built-in feature that lets you filter by a specific user name, which means you have to go through all of the 4740 events and check them one by one. But here comes the magic!
There is a nice PowerShell script by Jason Walker (Perfect TechNet Boy!) which can be downloaded from here. It basically does everything you want in one step: it finds the PDC emulator in your environment, connects to it, searches for 4740 events, and filters that huge pile of events down to the user account you are looking for.
After downloading, copy the script into a folder on your PDC emulator. Open PowerShell with 'Run as administrator' and navigate to the folder containing the script. Now you have to dot source the script so that its function is loaded into your session: type a period (.), a space, and then the script name with its extension, and hit Enter.
Now let us check a sample user lockout. Use the function with the -Identity parameter and give it the sAMAccountName of the locked-out user. Example:
Get-LockedOutLocation -Identity t.aghayari
After a while a summary report will appear. Check the LockedOutLocation value; that is the machine from which the bad password attempts were sent, and it is where you should start your investigation.
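To show what the script does under the hood, here is a small PowerShell function added as an illustration; it is not Jason Walker's script and the function name Get-LockoutEvent is my own. It performs the same three steps by hand (find the PDC emulator, read event 4740 from its Security log, keep only the events for one sAMAccountName) and assumes the RSAT ActiveDirectory module is installed and that you have rights to read the Security log on the PDC emulator.

```powershell
# Added example (not Jason Walker's script): locate the PDC emulator and
# pull 4740 lockout events for one account. Assumes the RSAT ActiveDirectory
# module is installed and the caller can read the Security log on the PDC.
function Get-LockoutEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Identity,   # sAMAccountName of the locked-out user
        [int]$Days = 7                              # how far back to search
    )

    # Every lockout is reported to the PDC emulator, so query it directly.
    $pdc = (Get-ADDomain).PDCEmulator

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent throws when nothing matches; treat that as "no lockouts".
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Parse the event XML so fields are picked by name, not by position.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # In a 4740 event TargetUserName is the locked account and
        # TargetDomainName is the computer that sent the bad passwords,
        # i.e. the "locked out location". -ne is case-insensitive in PowerShell.
        if ($data['TargetUserName'] -ne $Identity) { continue }

        [pscustomobject]@{
            User              = $data['TargetUserName']
            LockedOutLocation = $data['TargetDomainName']
            Time              = $e.TimeCreated
            DomainController  = $pdc
        }
    }
}

# Usage (same account as in the article's example):
# Get-LockoutEvent -Identity t.aghayari | Format-Table -AutoSize
```

Run it from an elevated PowerShell session; the Security log cannot be read by a standard user.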
I have another article about investigating why a user account is being locked out from a particular workstation, which can be found here. Just as a note, Jason did a very good job on this script, so please rate it if you find it useful.