Am I locked out? Where? How?

Account lockout is one of the most powerful methods for preventing password-related attacks. With this feature, the targeted user account is locked out after a number of failed attempts within a specific period of time. The idea has found its way into a lot of other technologies these days. My cellphone will be locked out after three wrong passwords and will not be able to work for about 2 minutes.
Although this policy can help you prevent attackers from guessing a user's password, it is important to consider the risk it introduces in your environment, because authorized users can lock themselves out by mistyping their passwords when they do not remember them. This problem can be quite costly for your organization, because locked-out users will be unable to log on until their accounts unlock automatically after a specific period of time or are unlocked by an administrator.
A common question from administrators is: where was a user locked out? You have secured your user accounts against password guessing attacks like brute force, but what can you do when a user gets locked out? In most cases administrators struggle to find the root cause of the lockout. Now I will show you how easy this can be.
First, you need to understand that lockout events are stored in the Security log of the PDC emulator with event ID 4740. So basically you have to filter the Security log for this specific event and go through the results to check where a user was locked out. Unfortunately there is no built-in feature that helps you filter for a specific username, which means you have to go through all of the events and check them one by one. But here comes the magic!
There is a nice PowerShell script by Jason Walker (Perfect TechNet Boy!) which can be downloaded from here. It basically does all you want in a single click! It finds the PDC emulator in your environment, connects to it, searches for 4740 events and filters all of those events down to the user account you are looking for.
After downloading, copy the script to a folder on your PDC emulator. Open a PowerShell window with ‘Run as administrator’ and navigate to the folder containing the script. Now you have to dot source the script so that its function is loaded into your session. Just type the script's file name with its extension, put a dot (.) at the very beginning of the line and hit Enter.
Now let us check the lockout information for a sample user. Use the cmdlet with the -Identity parameter and type the sAMAccountName of the locked-out user. Example:
Get-LockedOutLocation -Identity t.aghayari
After a while a summary report will appear. Check the LockedOutLocation value; that is the machine where you should start your investigation.
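The lookup described above (read the 4740 events and keep only those for one account) can be sketched as follows. This is an added example, not Jason Walker's script: the function name Get-LockoutSource is hypothetical, and the host names and second user in the sample events are constructed. The field positions assume the standard 4740 layout, where TargetUserName is the locked-out account and TargetDomainName carries the caller computer name.

```powershell
# Added example: extract the lockout source for one account from 4740 event XML.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,   # output of EventLogRecord.ToXml()
        [Parameter(Mandatory)][string]$Identity      # sAMAccountName to look for
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        # Ignore anything that is not an account-lockout event.
        if ($evt.System['EventID'].InnerText -ne '4740') { continue }
        # Index EventData by field name instead of relying on positions.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        if ($data['TargetUserName'] -ne $Identity) { continue }
        [pscustomobject]@{
            User              = $data['TargetUserName']
            LockedOutLocation = $data['TargetDomainName']   # caller computer name
            DomainController  = $evt.System.Computer        # DC that logged the event
        }
    }
}

# Constructed sample events so the function can be tried offline.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID><Computer>DC01.example.test</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{0}</Data>
    <Data Name="TargetDomainName">{1}</Data>
  </EventData>
</Event>
'@
$sample = ($template -f 't.aghayari', 'WKS-042'), ($template -f 'j.doe', 'WKS-007')
Get-LockoutSource -EventXml $sample -Identity 't.aghayari'

# Live use from an elevated session with the ActiveDirectory module available:
# $pdc = (Get-ADDomain).PDCEmulator
# $xml = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#        ForEach-Object { $_.ToXml() }
# Get-LockoutSource -EventXml $xml -Identity 't.aghayari'
```

Repeated lockouts of one account from the same LockedOutLocation usually point to a stale saved credential on that machine, while lockouts from many different locations in a short window are worth treating as possible password guessing.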
I have another article about investigating why a user account is being locked out from a workstation, which can be found here.
Just as a note, Jason did a very good job on the script, so please rate it if you find it useful.
