If you work a helpdesk, you already know this one. Account lockouts are the most common call you'll get. Users forget passwords, cached credentials go stale, a phone somewhere keeps retrying an old password in the background — and suddenly the account's locked across the whole domain.
In 2026, with hybrid environments blending on-premises Active Directory and Microsoft Entra ID, tracking down where a lockout actually came from has gotten even trickier. I've spent more hours than I'd like to admit digging through event logs on domain controllers trying to find the one rogue device causing the problem.
This guide walks you through a practical, start-to-finish workflow for diagnosing and resolving AD account lockouts. We'll cover event log analysis, PowerShell automation, fine-grained lockout policies, and Microsoft Entra Smart Lockout for hybrid setups.
How Active Directory Account Lockout Works
Active Directory locks an account when the number of failed sign-in attempts exceeds the Account Lockout Threshold set in Group Policy. Once locked, the account can't authenticate — even with the correct password — until either the Account Lockout Duration timer expires or an admin manually unlocks it.
The three settings that control lockout behavior live in Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy:
- Account lockout threshold — Number of failed attempts before lockout (recommended: 5–10)
- Account lockout duration — Minutes the account stays locked (0 = manual unlock only)
- Reset account lockout counter after — Minutes before the failed-attempt counter resets
These settings apply domain-wide through the Default Domain Policy. If you need more granular control — like stricter policies for admin accounts — you'll want Fine-Grained Password Policies, which we'll get to later.
The Four Event IDs You Need to Know
Every lockout investigation starts with Windows Security event logs. Honestly, once you memorize these four event IDs, you'll handle 90% of lockout cases faster than most senior sysadmins.
| Event ID | Where It Logs | What It Tells You |
|---|---|---|
| 4740 | Domain controller (PDC Emulator) | Account was locked out — includes the Caller Computer Name |
| 4625 | Workstation or server where logon failed | Failed logon attempt — includes Caller Process Name and failure reason |
| 4771 | Domain controller | Kerberos pre-authentication failure — includes client IP address |
| 4776 | Domain controller | NTLM credential validation failure — useful when Kerberos isn't used |
Event 4740 is your starting point. It tells you which account got locked and which computer triggered it. Then Event 4625 on the source computer tells you which process or application actually caused those failed logons.
Step-by-Step: Finding the Lockout Source
Step 1: Enable Audit Logging
Before you can trace lockouts, you need to make sure auditing is configured. Open Group Policy Management Console (gpmc.msc) and edit the Default Domain Controllers Policy.
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management, then enable Audit User Account Management for both Success and Failure.
Also enable Audit Logon Events under Logon/Logoff to capture Event 4625 on member servers and workstations. Skip this step and you'll be staring at empty logs wondering what went wrong (ask me how I know).
Step 2: Identify the PDC Emulator
Event 4740 gets processed by the domain controller holding the PDC Emulator FSMO role. So instead of searching every DC in the environment, start there:
Get-ADDomainController -Discover -Service PrimaryDC | Select-Object Name, IPv4AddressThis returns the hostname and IP of your PDC Emulator — the single best place to start looking for lockout events.
Step 3: Query Event 4740 on the PDC Emulator
Now run this PowerShell command to pull up recent lockout events:
# Find all lockout events in the last 24 hours
$PDC = (Get-ADDomainController -Discover -Service PrimaryDC).HostName
$Start = (Get-Date).AddDays(-1)
Get-WinEvent -ComputerName $PDC -FilterHashtable @{
LogName = 'Security'
Id = 4740
StartTime = $Start
} | Select-Object TimeCreated,
@{N='LockedUser'; E={$_.Properties[0].Value}},
@{N='SourceComputer';E={$_.Properties[1].Value}} |
Format-Table -AutoSizeThe output shows you the locked username and the Caller Computer Name — that's the machine sending the bad authentication attempts.
Step 4: Investigate the Source Computer
Once you've got the source computer from Step 3, query that machine for Event 4625 to find the specific process responsible:
# Replace SOURCEPC with the Caller Computer Name from Event 4740
$SourcePC = 'SOURCEPC'
$Username = 'jsmith'
Get-WinEvent -ComputerName $SourcePC -FilterHashtable @{
LogName = 'Security'
Id = 4625
StartTime = (Get-Date).AddHours(-4)
} | Where-Object { $_.Properties[5].Value -eq $Username } |
Select-Object TimeCreated,
@{N='TargetUser'; E={$_.Properties[5].Value}},
@{N='LogonType'; E={$_.Properties[10].Value}},
@{N='CallerProcess'; E={$_.Properties[18].Value}},
@{N='SourceIP'; E={$_.Properties[19].Value}} |
Format-Table -AutoSizeThe CallerProcess field is what you're after — it reveals the application causing the lockout. Common culprits include Outlook (OUTLOOK.EXE), mapped drive connections (svchost.exe), or scheduled tasks (taskeng.exe).
Step 5: Resolve the Root Cause
Based on what you find in CallerProcess and LogonType, here are the usual suspects and their fixes:
- Mapped network drives — Open Credential Manager (
control keymgr.dll) on the source PC and remove stale entries - Outlook / Exchange — Remove and re-add the email profile, or update the cached password in Credential Manager
- Scheduled tasks with old passwords — Open Task Scheduler, find tasks running under the affected account, and update the password
- Windows services — Open
services.msc, find services using the account, and update the logon credentials - RDP sessions — Disconnect stale Remote Desktop sessions:
qwinsta /server:SERVERNAME - Mobile devices — Have the user update their email password on phones and tablets (this one catches people off guard surprisingly often)
PowerShell Script: Full Lockout Investigation Across All DCs
In larger environments, lockout events can show up on any domain controller — not just the PDC Emulator. This script queries every DC and gives you a consolidated report:
# Full lockout investigation script
# Run from a domain-joined workstation with RSAT installed
param(
[string]$Username,
[int]$HoursBack = 24
)
$Start = (Get-Date).AddHours(-$HoursBack)
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
Write-Host "Searching $($DCs.Count) domain controllers for lockout events..." -ForegroundColor Cyan
$Results = foreach ($DC in $DCs) {
try {
$Events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
LogName = 'Security'
Id = 4740
StartTime = $Start
} -ErrorAction SilentlyContinue
foreach ($Event in $Events) {
$LockedUser = $Event.Properties[0].Value
$SourcePC = $Event.Properties[1].Value
# Filter by username if specified
if ($Username -and $LockedUser -ne $Username) { continue }
[PSCustomObject]@{
Time = $Event.TimeCreated
DomainController = $DC
LockedUser = $LockedUser
SourceComputer = $SourcePC
}
}
} catch {
Write-Warning "Could not reach $DC - $_"
}
}
if ($Results) {
$Results | Sort-Object Time -Descending | Format-Table -AutoSize
Write-Host "`nTotal lockout events found: $($Results.Count)" -ForegroundColor Yellow
} else {
Write-Host "No lockout events found in the last $HoursBack hours." -ForegroundColor Green
}Save this as Find-LockoutSource.ps1 and run it:
# Find all lockouts in the last 24 hours
.\Find-LockoutSource.ps1
# Find lockouts for a specific user in the last 48 hours
.\Find-LockoutSource.ps1 -Username "jsmith" -HoursBack 48Unlocking Accounts: GUI and PowerShell Methods
Once you've identified and fixed the root cause, it's time to actually unlock the account. You've got a few options here.
Method 1: Active Directory Users and Computers (ADUC)
- Open dsa.msc
- Find the locked user account
- Right-click > Properties > Account tab
- Check "Unlock account" and click OK
Simple enough, but slow if you're handling multiple lockouts.
Method 2: PowerShell (Way Faster for Helpdesk)
# Unlock a single user
Unlock-ADAccount -Identity jsmith
# Check if an account is currently locked
Get-ADUser jsmith -Properties LockedOut, AccountLockoutTime |
Select-Object Name, LockedOut, AccountLockoutTime
# Find and unlock ALL currently locked accounts
Search-ADAccount -LockedOut | Unlock-ADAccount -PassThru |
Select-Object Name, SamAccountNameThat last command is a real time-saver on Monday mornings when half the office forgot their passwords over the weekend.
Method 3: Microsoft Account Lockout Status Tool (LockoutStatus.exe)
Microsoft's free Account Lockout and Management Tools (ALTools.exe) includes LockoutStatus.exe, which displays the lockout state of an account across all domain controllers at once. It's especially handy for spotting replication delays — where an account shows locked on some DCs but unlocked on others.
Fine-Grained Password Policies for Different Account Types
The Default Domain Policy applies the same lockout settings to everyone. But that doesn't always make sense — service accounts that authenticate programmatically might need a higher threshold, while admin accounts probably need a stricter one. Fine-Grained Password Policies (FGPPs) solve this by letting you apply different settings through Password Settings Objects (PSOs).
Requirements
- Domain functional level: Windows Server 2012 or higher
- Membership in the Domain Admins group
- PSOs can only target global security groups or individual user objects — not OUs (a detail that trips up a lot of people)
Create a Strict Policy for Admins via PowerShell
# Create a strict lockout policy for administrator accounts
New-ADFineGrainedPasswordPolicy -Name "Admin-Strict-Lockout" `
-DisplayName "Admin Strict Lockout Policy" `
-Precedence 10 `
-LockoutThreshold 3 `
-LockoutDuration "00:30:00" `
-LockoutObservationWindow "00:30:00" `
-ComplexityEnabled $true `
-MinPasswordLength 14 `
-PasswordHistoryCount 24 `
-MinPasswordAge "1.00:00:00" `
-MaxPasswordAge "60.00:00:00" `
-ReversibleEncryptionEnabled $false
# Apply the policy to the Domain Admins group
Add-ADFineGrainedPasswordPolicySubject -Identity "Admin-Strict-Lockout" `
-Subjects "Domain Admins"
# Verify which policy applies to a specific user
Get-ADUserResultantPasswordPolicy -Identity adminuserCreate a Relaxed Policy for Service Accounts
# Service accounts may need a higher threshold to avoid
# false lockouts from automated processes
New-ADFineGrainedPasswordPolicy -Name "ServiceAcct-Lockout" `
-DisplayName "Service Account Lockout Policy" `
-Precedence 20 `
-LockoutThreshold 15 `
-LockoutDuration "00:15:00" `
-LockoutObservationWindow "00:15:00" `
-ComplexityEnabled $true `
-MinPasswordLength 20 `
-PasswordHistoryCount 24 `
-MinPasswordAge "0.00:00:00" `
-MaxPasswordAge "0.00:00:00" `
-ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity "ServiceAcct-Lockout" `
-Subjects "Service Accounts"Precedence matters: Lower numbers take priority. If a user belongs to groups with multiple PSOs, the one with the lowest precedence number wins.
Microsoft Entra Smart Lockout for Hybrid Environments
If your organization uses Microsoft Entra ID (formerly Azure AD) alongside on-premises Active Directory, you'll want to understand how Smart Lockout works — and more importantly, how it interacts with your AD lockout policy.
How Smart Lockout Differs from AD Lockout
| Feature | AD DS Account Lockout | Entra Smart Lockout |
|---|---|---|
| Type | On-premises, rule-based | Cloud-based, intelligent |
| Always active | Must be configured via GPO | On by default for all Entra tenants |
| Default threshold | Manual configuration | 10 failed attempts |
| Duration unit | Minutes | Seconds (default: 60) |
| Intelligence | Failed attempt count only | IP, location, password patterns |
| Escalating lockout | Static duration | Duration increases on repeat lockouts |
| Bad password tracking | No | Tracks last 3 bad hashes to avoid duplicate counting |
Critical Alignment Rules for Pass-Through Authentication
When using pass-through authentication (PTA), both Entra Smart Lockout and AD lockout policies apply. To prevent on-premises lockouts caused by cloud attacks, follow these rules:
- Set the Entra lockout threshold lower than the AD threshold (e.g., Entra = 5, AD = 15)
- Set the Entra lockout duration longer than the AD duration (e.g., Entra = 120 seconds, AD = 1 minute)
- This way, Entra blocks attackers before their attempts ever reach your on-premises AD
Configure Smart Lockout in the Entra Admin Center
- Sign in to entra.microsoft.com as a Global Administrator or Authentication Policy Administrator
- Navigate to Protection > Authentication methods > Password protection
- Under Smart lockout, configure the lockout threshold and duration
- If using password hash sync with on-premises AD, also enable Custom smart lockout to customize the values (requires Entra ID P1 or higher)
Reducing Lockout Calls with Self-Service Password Reset
Password resets and account lockouts — they're the top two helpdesk call drivers, and honestly, a huge chunk of them are preventable. Microsoft Entra Self-Service Password Reset (SSPR) lets users reset their own passwords without calling IT, which can dramatically cut your ticket volume.
Quick Setup Checklist
- License requirement: Microsoft Entra ID P1 or higher
- Enable SSPR: Entra admin center > Password reset > Properties > set to All (or Selected for a pilot group)
- Authentication methods: Require at least 2 methods (e.g., Microsoft Authenticator + mobile phone)
- Registration: Enable registration enforcement — users get prompted to register on their next sign-in
- Password writeback: For hybrid environments, enable writeback in Microsoft Entra Connect so cloud resets propagate to on-premises AD
- Windows sign-in integration: Deploy via Intune to add a "Reset password" link right on the Windows lock screen
Key URLs for End Users
- Registration:
https://aka.ms/ssprsetup - Password reset:
https://aka.ms/sspr
Here's the nice part: when a locked-out user goes through SSPR and chooses "I forgot my password," the lockout counter resets to zero. They're immediately unblocked — no helpdesk call needed.
Common Lockout Causes and How to Prevent Them
| Cause | How to Identify | Prevention |
|---|---|---|
| Stale Credential Manager entries | Event 4625 shows the source PC; Credential Manager has old entries | Clear saved credentials after every password change |
| Scheduled tasks with old passwords | CallerProcess = taskeng.exe or schtasks.exe | Use Group Managed Service Accounts (gMSA) |
| Windows services | CallerProcess = services.exe | Use gMSA — passwords rotate automatically |
| Mobile devices (Exchange ActiveSync) | Event 4625 source IP is the Exchange server | Enroll in SSPR; push password change notifications |
| Disconnected RDP sessions | CallerProcess = winlogon.exe on terminal server | Set session time limits via GPO |
| AD replication delays | Account locked on some DCs, unlocked on others | Monitor replication health with repadmin /replsummary |
| Brute force attacks | Caller Computer Name is empty; high volume of Event 4771 | Enable Smart Lockout; deploy Entra ID Protection |
Helpdesk Playbook: Account Lockout Triage Workflow
Here's the step-by-step workflow I'd recommend when a user calls in about a lockout. Pin this somewhere visible — it'll save you time on every call.
- Verify the user's identity — Confirm via a secondary method (employee ID, manager callback, security questions). Never reset a password based solely on a phone call.
- Check lockout status — Run
Get-ADUser username -Properties LockedOut - Find the source — Query Event 4740 on the PDC Emulator for the Caller Computer Name
- Investigate the source — Check Event 4625 on the source computer for the CallerProcess
- Resolve the root cause — Update credentials in the offending application, service, or device
- Unlock the account — Run
Unlock-ADAccount -Identity username - Confirm with the user — Have them test signing in while you're still on the call
- Document the resolution — Log the root cause in your ticketing system so you can spot patterns later
Monitoring and Alerting for Proactive Lockout Prevention
Rather than waiting for users to call, set up proactive monitoring. Trust me, your team will thank you.
PowerShell: Scheduled Report of All Locked Accounts
# Run as a scheduled task every 15 minutes
$LockedAccounts = Search-ADAccount -LockedOut |
Get-ADUser -Properties DisplayName, EmailAddress, LockedOut, AccountLockoutTime |
Select-Object DisplayName, SamAccountName, EmailAddress, AccountLockoutTime
if ($LockedAccounts) {
$Body = $LockedAccounts | ConvertTo-Html -Fragment
Send-MailMessage -From "[email protected]" `
-To "[email protected]" `
-Subject "AD Alert: $($LockedAccounts.Count) Locked Account(s)" `
-Body $Body `
-BodyAsHtml `
-SmtpServer "smtp.company.com"
}Event-Driven Alerting with Task Scheduler
You can also attach a task directly to Event 4740 in Windows Event Viewer on the PDC Emulator. When the event fires, it triggers a script that sends an alert to your helpdesk team via email, Teams webhook, or your ticketing system's API. Real-time lockout notifications, no third-party tools required.
Frequently Asked Questions
How do I find which computer is locking out an Active Directory account?
Check Event ID 4740 in the Security log of the domain controller holding the PDC Emulator FSMO role. The Caller Computer Name field tells you which machine sent the failed authentication. Use Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} on the PDC Emulator to query this programmatically.
What is the difference between Event 4740 and Event 4625?
Event 4740 gets logged on the domain controller when an account is actually locked out — it tells you which computer caused the lockout. Event 4625 gets logged on the computer where the failed logon attempt happened — it tells you which process was responsible. You need both: 4740 to find the source machine, then 4625 on that machine to find the offending application.
How do I stop an account from getting locked out repeatedly?
First, identify the root cause using the investigation workflow above (Event 4740, then Event 4625). The most common culprits are stale credentials in Credential Manager, scheduled tasks running under the account, and mobile devices retrying old passwords. For service accounts, switch to Group Managed Service Accounts (gMSA) — they rotate passwords automatically. For user accounts, deploy Self-Service Password Reset and make sure users update credentials on all their devices after a password change.
Can I set different lockout policies for admins and regular users?
Yes, absolutely. Use Fine-Grained Password Policies (FGPPs) to create separate Password Settings Objects (PSOs) for different groups. For example, you could set a 3-attempt threshold for admin accounts and a 10-attempt threshold for regular users. FGPPs require Windows Server 2012 domain functional level or higher and can be created via ADAC or the New-ADFineGrainedPasswordPolicy PowerShell cmdlet.
Does Microsoft Entra Smart Lockout protect on-premises Active Directory?
It depends on your authentication method. With password hash sync, Smart Lockout protects cloud sign-ins but doesn't directly affect on-premises AD. With pass-through authentication, Smart Lockout filters attacks before they reach on-premises, effectively shielding your AD — but only if you set the Entra threshold lower than the AD threshold and the Entra duration longer than the AD duration.