A common problem in Active Directory is identifying the source of account lockouts. After a password change, a stale credential left on some machine or service (a mapped drive, a scheduled task, a saved RDP or VPN session, a mobile mail client) keeps retrying the old password until the lockout threshold is hit, and the account gets locked again shortly after every unlock. Re-enabling the account is easy; finding where the bad attempts come from is the frustrating part.
The following steps show how to list locked-out accounts and how to find the source of a lockout. If you already know which account is locked out, you can go straight to step 5 (finding the source).
Step 1: Search the domain controller possessing the PDC Emulator Role
Get-ADDomain – This cmdlet returns the domain's properties, including the PDCEmulator property, which is the name of the domain controller holding that role (run (Get-ADDomain).PDCEmulator to get just the name). Lockouts are replicated urgently to the PDC emulator, so its Security log contains a lockout event for every account locked anywhere in the domain, whichever DC processed the bad password attempts.
Step 2: Search for Event ID 4740
On that domain controller, open Event Viewer, go to Windows Logs > Security, and look for Event ID 4740 ("A user account was locked out"). Note that 4740 is only recorded if auditing of "User Account Management" (Audit Account Management) is enabled for success; it is on by default on domain controllers.
Step 3: Apply appropriate filters
Use "Filter Current Log" in the Actions pane to narrow the list: enter 4740 as the event ID and choose a time range such as the last hour. This is the quickest way to isolate the most recent lockout of a particular user instead of scrolling through the entire Security log.
Step 4: Find the locked out user event report from the log
Click Find in the Actions pane and enter the user's account name (the sAMAccountName) to jump to the 4740 events for the account that keeps getting locked out.
Step 5: Open the event report to track the source of the locked out account
The event shows the locked-out user under "Account That Was Locked Out" (Security ID and Account Name) and, under "Additional Information", the "Caller Computer Name": the machine from which the bad password attempts were sent. That is the host to check for stale credentials. If the Caller Computer Name is blank or is itself a domain controller, the attempts arrived through an intermediary such as a RADIUS/VPN gateway, a web or mail front end, or a federation server; in that case look at the Kerberos pre-authentication failures (Event ID 4771) or NTLM credential validation failures (Event ID 4776) on the domain controllers around the lockout time to find the real client.
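The five steps above can be run as one script from an admin workstation. The following PowerShell is an added example and is not code from the original article; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read the Security log on the PDC emulator remotely (a member of Event Log Readers or equivalent, with the remote event log firewall rule open), and the user name jdoe is a placeholder. It also uses the fact that in a 4740 event the field Event Viewer labels "Caller Computer Name" is the TargetDomainName data element of the event XML.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not from the original article: automates Steps 1-5.
  Assumptions: RSAT ActiveDirectory module present; the caller can read the
  Security log on the PDC emulator remotely; 'jdoe' is a placeholder account.
#>
param(
    [string]$SamAccountName = 'jdoe',   # hypothetical user; set to the locked-out account
    [int]$Hours = 1                      # Step 3: how far back to look
)

Import-Module ActiveDirectory

# Step 1: lockouts replicate urgently to the PDC emulator, so its Security log
# holds a 4740 for every lockout in the domain.
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator: $pdc"

# If you do not yet know which account is locked, list them all first.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LastLogonDate | Format-Table -AutoSize

# Steps 2 and 3: pull Event ID 4740 from the PDC's Security log within the window.
$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}
# Get-WinEvent throws when nothing matches; suppress that and handle the empty case below.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4740 events found on $pdc in the last $Hours hour(s)."
    return
}

# Steps 4 and 5: parse each event's XML by field name rather than by position.
# In a 4740: 'Account Name' = TargetUserName, 'Caller Computer Name' = TargetDomainName.
$lockouts = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time               = $e.TimeCreated
        AccountName        = $data['TargetUserName']
        CallerComputerName = $data['TargetDomainName']
    }
}

# Show the most recent lockouts for the account in question; an empty
# CallerComputerName means the attempts came through a gateway or service,
# so the next step is 4771/4776 events on the DCs around that time.
$lockouts |
    Where-Object { $_.AccountName -eq $SamAccountName } |
    Sort-Object Time -Descending |
    Format-Table Time, AccountName, CallerComputerName -AutoSize
```

Run it as .\Find-LockoutSource.ps1 -SamAccountName jdoe -Hours 4 (file name is your choice). Parsing the XML by field name instead of indexing $e.Properties keeps the script readable and avoids depending on the column order of the event template.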
Finding the source of a lockout can seem difficult the first time. Once you know that the PDC emulator's Security log holds a 4740 event for every lockout in the domain, and that the Caller Computer Name in that event points at the machine sending the bad credentials, the event log gives you a reliable way to track down and fix the accounts that keep getting locked out.