AD: event ID 4771 kerberos pre-authentication failed

When troubleshooting AD account lockouts, search the security logs of your domain controllers for audit failures with event ID 4771 (Kerberos pre-authentication failed). The event details include a result code that identifies exactly why the authentication failed.

The most common ones I've seen:
0x12 – client credentials have been revoked (account disabled, expired, locked out, or outside logon hours)
0x17 – password has expired
0x18 – pre-authentication information was invalid (bad password)

The details also show where the failed request came from: the Client Address field holds the address of the host that sent the Kerberos AS-REQ to the DC, such as a member server or an Exchange CAS. Unfortunately, when a middle tier like a CAS authenticates on the user's behalf, that is the CAS's address, not the originating client device name or IP address. So far I've been unable to find a method to identify the client source.

Update 1/28/2013:
I have found that if a user account is getting locked out by access attempts through an Exchange CAS server, you can check the security log of that CAS server. Its logon-failure events will reveal the client source IP address. I've wondered how to do this for the longest time, and it seems so obvious…

Ben has also found a Microsoft utility called LockoutStatus.exe (part of the Account Lockout and Management Tools) which queries every DC for a locked-out account's bad password count, last bad password time and lockout time, so you can see which DC recorded the failures and go straight to that DC's security log. Using the utility is much quicker than manually searching through the security logs of every DC. LockoutStatus is labeled as compatible with Windows 2000 and 2003, but still apparently works with 2008.

Many more result codes are listed here:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
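The following PowerShell script is an added example, not code from the original post or from Microsoft's tools. It automates the procedure above: it pulls event 4771 for one account from each listed DC, decodes the result code, and shows the Client Address (the host that sent the AS-REQ), then pulls event 4740 from the PDC emulator, which carries the Caller Computer Name the lockout was reported from. The server names, account name and time window are placeholders you would replace; the hashtable of result codes covers the three from the post plus two other common ones from RFC 4120.

```powershell
<#
  Added example (not from the original post). Reads 4771 from the named DCs
  and 4740 from the PDC emulator for one account and prints a decoded view.
  Requires the Kerberos Authentication Service audit subcategory to be
  enabled on the DCs and rights to read their Security log (Event Log Readers
  or local admin). $User, $DomainControllers and $PdcEmulator are assumed names.
#>
param(
    [string]$User = 'jdoe',                        # assumed account to investigate
    [string[]]$DomainControllers = @('DC01','DC02'), # assumed DC names
    [string]$PdcEmulator = 'DC01',                  # assumed PDC emulator
    [int]$Hours = 24
)

# Kerberos KDC error codes as they appear in the 4771 "Status"/"Failure Code" field.
$KdcErr = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN: account name not found'
    '0x12' = 'KDC_ERR_CLIENT_REVOKED: disabled, expired, locked out, or outside logon hours'
    '0x17' = 'KDC_ERR_KEY_EXPIRED: password expired'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED: bad password'
    '0x25' = 'KRB_AP_ERR_SKEW: clock skew too great'
}

# Turn the event's EventData <Data Name="..."> elements into a hashtable.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

# 4771 on a DC: who failed pre-auth, why, and from which address.
function Get-KerbPreauthFailures {
    param([string]$Computer, [string]$User, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4771; StartTime = $Since }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TargetUserName -ne $User) { return }   # skip other accounts
            $code = $d.Status
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $Computer
                Account = $d.TargetUserName
                Service = $d.ServiceName
                Status  = $code
                Meaning = if ($KdcErr.ContainsKey($code)) { $KdcErr[$code] } else { 'see result code list' }
                # IpAddress is the host that sent the AS-REQ, written as ::ffff:a.b.c.d for IPv4.
                # If a CAS or other middle tier authenticated for the user, this is that server,
                # not the end user's device; check that server's own security log next.
                ClientAddr = ($d.IpAddress -replace '^::ffff:', '')
            }
        }
}

# 4740 on the PDC emulator: every lockout is forwarded there, and the event
# names the computer that reported the bad passwords ("Caller Computer Name",
# carried in the TargetDomainName data element).
function Get-LockoutEvents {
    param([string]$Computer, [string]$User, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = $Since }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            if ($d.TargetUserName -ne $User) { return }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                Account        = $d.TargetUserName
                CallerComputer = $d.TargetDomainName
                ReportedBy     = $d.SubjectUserName   # DC$ account that processed the lockout
            }
        }
}

$since = (Get-Date).AddHours(-$Hours)

"=== 4771 Kerberos pre-auth failures for $User (last $Hours h) ==="
$DomainControllers |
    ForEach-Object { Get-KerbPreauthFailures -Computer $_ -User $User -Since $since } |
    Sort-Object Time |
    Format-Table Time, DC, Status, Meaning, ClientAddr -AutoSize

"=== 4740 lockouts for $User on $PdcEmulator ==="
Get-LockoutEvents -Computer $PdcEmulator -User $User -Since $since |
    Sort-Object Time |
    Format-Table Time, CallerComputer, ReportedBy -AutoSize
```

Run it from a workstation with RSAT or directly on a DC. If the 4771 ClientAddr column is consistently one server (an Exchange CAS, a web server, a print server), that server is the next place to look; if the 4740 CallerComputer is a workstation, the stale credential is usually a mapped drive, scheduled task or service on that machine. If no 4771 events come back at all, confirm that the "Audit Kerberos Authentication Service" subcategory is set to audit failures on the DCs.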

Update 12/6/2013:
Also check out http://resinblade.net/?p=992 for suggestions on enabling the related audit policies.

This entry was written by resinblade, posted on Wednesday January 18 2012 at 02:01 pm, filed under IT.