Problem with account blocked in active directory

Mikołaj Wojdyło 0 Reputation points
2024-04-30T06:48:45.12+00:00


I have a problem with several Active Directory accounts. The account on the new computer is blocked at random times (this is not a problem with incorrect password entry).

I was able to check the basic problems and:

  1. the computer has no data saved in the credential manager
  2. does not store old login details, e.g. on another device
  3. mapped drives using old credentials are not connected
  4. system not using old cached credentials
  5. Windows services not using expired credentials
  6. scheduled tasks not using domain credentials.

I see this message in the event viewer:

Event ID: 4740

A user account was locked out.

Subject:
    Security ID: SYSTEM
    Account Name: XYZ-DC01$
    Account Domain: XY
    Logon ID: 0x3E7

Account That Was Locked Out:
    Security ID: XY\XYZ
    Account Name: XYZ

Additional Information:
    Caller Computer Name: PR_XYZ

What else can cause a problem with account blocking on a new computer where the only application installed is Office365?


2 answers

  1. Daisy Zhou 18,956 Reputation points Microsoft Vendor
    2024-04-30T07:57:15.9266667+00:00

    Hello Mikołaj Wojdyło,

    Thank you for posting in Q&A forum.

    On this new computer, you can check whether these domain accounts are locked by any app (Word, Excel or OneDrive...) included in Office365.

    If you cannot find what locked these accounts, you can try to enable the following audit policy settings on this new machine.

    Legacy audit policy:

    Audit logon events –> Success and Failure

    Audit process tracking –> Success and Failure

    After the account is locked out again, check if you can see any event ID in the Security log on this new machine.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou


  2. MukeshAgarwal-MSFTE 0 Reputation points
    2024-05-06T18:39:31.03+00:00

    Event ID 4740 may not be the right event to look into the issue. An account is locked after it crosses the account lockout threshold. So if you see 4740, then you should also see authentication failure requests.

    What is the account lockout threshold? You can check it by running 'net accounts' from any domain joined machine or DCs.

    Filter the PDC security events for 4771, 4776 to find auth failure. If you see caller workstation as another DC, then that DC is getting the problematic call. Navigate to that DC and filter the security events again to check for caller workstation.

    Check a few instances to confirm if the caller workstation is the same every time. Log in to the machine which is in caller workstation and filter the security events for 4625. Do you see anything in process info of 4625 events on the client machine?
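
The tracing steps from the second answer (4771/4776 on the PDC, then 4625 on the caller workstation) can be run as one PowerShell script. This is an added example, not part of either answer; the account, DC and workstation names are the placeholders from the question, and it assumes that XYZ-DC01 holds the PDC emulator role and that remote event log access to both machines is allowed.

```powershell
# Added example. Placeholder names come from the question; adjust for your domain.
param(
    [string]$User   = 'XYZ',       # locked-out account
    [string]$Pdc    = 'XYZ-DC01',  # assumption: this DC holds the PDC emulator role
    [string]$Client = 'PR_XYZ',    # Caller Computer Name from event 4740
    [int]$Hours     = 24
)

# Flatten an event's <EventData> into a hashtable keyed by field name.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$since = (Get-Date).AddHours(-$Hours)

# Step 1: failed authentications for the account on the PDC.
# 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation.
$filter = @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $since }
$failures = Get-WinEvent -ComputerName $Pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        # 4776 is also logged on success (Status 0x0); keep failures only.
        if ($f.TargetUserName -ne $User -or $f.Status -eq '0x0') { return }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            # 4771 carries the client address, 4776 the workstation name.
            Source = if ($_.Id -eq 4771) { $f.IpAddress } else { $f.Workstation }
            Status = $f.Status
        }
    }

# Step 2: is the source the same every time? If it is another DC, rerun against that DC.
$failures | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name

# Step 3: on the caller workstation, which process submitted the bad logons?
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
Get-WinEvent -ComputerName $Client -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.TargetUserName -ne $User) { return }
        [pscustomobject]@{ Time = $_.TimeCreated; Process = $f.ProcessName
                           LogonType = $f.LogonType; SubStatus = $f.SubStatus }
    } | Format-Table -AutoSize
```

Step 3 returns rows only if logon failure auditing is enabled on the workstation, which is what the audit policy settings in the first answer turn on.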