![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 67%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDK%3C/text%3E%3C/svg%3E)
Active Directory
A set of directory-based technologies included in Windows Server.
5,852 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 28.999999999999996%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVW%3C/text%3E%3C/svg%3E)
Hi,
Method 1: Using PowerShell to Find the Source of Account Lockouts
The event ID 4740 needs to be enabled so it gets locked anytime a user is locked out. This event ID will contain the source computer of the lockout.
- Open the Group Policy Management console. This can be from the domain controller or any computer that has the RSAT tools installed.
- Modify the Default Domain Controllers Policy
Browse to the Default Domain Controllers Policy, right click and select edit.
3. Modify the Advanced Audit Policy Configuration
Browse to computer configuration -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management
Enable success and failure for the “Audit User Account Management” policy.
Auditing is now turned on and event 4740 will be logged in the security events logs when an account is locked out.
Step 2: Find the Domain Controller with the PDC Emulator Role
If you have a single domain controller (shame on you) then you can skip to the next step…hopefully you have at least two DCs.
The DC with the PDC emulator role will record every account lockout with an event ID of 4740.
To find the DC that has the PDCEmulator role run this PowerShell command
get-addomain | select PDCEmulator
Step 3: Finding event ID 4740 using PowerShell
All of the details you need is in event 4740. Now that you know which DC holds the pdcemulator role you can filter the logs for this event.
On the DC holding the PDCEmulator role open PowerShell and run this command
Get-WinEvent -FilterHashtable @{logname=’security’; id=4740}
This will search the security event logs for event ID 4740. If you have any account lockouts you should a list like below.
To display the details of these events and get the source of the lockout use this command.
Get-WinEvent -FilterHashtable @{logname=’security’; id=4740} | fl
This will display the caller computer name of the lockout. This is the source of the user account lockout.
You can also open the event log and filter the events for 4740
Hope this information can help you
Best wishes
Vicky
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 65%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERS%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(198.4, 57.00000000000001%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENE%3C/text%3E%3C/svg%3E)