In this blog, we will see how to trace the source of a bad password and account lockout in Active Directory.
Step 1: Download Account Lockout Status tool from Microsoft from
You can download from here: https://www.microsoft.com/en-gb/download/details.aspx?id=15201
Step 2: Now Run LockoutStatus.exe
For this you need to run the .msi to extract the files and after that run the LockoutStatus.exe tool.
Else, Go to C:\Program Files\Windows Resource Kits\Tools\ and start lockoutstatus.exe
Step 3: Select Target
Here you have select target and type user name and then admin credentials and then click ok.
Step 4: See Result
The LockoutStatus tool will show the status of this account on each domain controller. Here you can easily see Bad Pwd Count and locked password on this DC.
Step 5: See the Security log
You need to navigate to Event Viewer -> Windows Logs -> Security and filter current log using Event ID 4740 for Windows 2016/2012 and Windows 2008 Server or 529 on Windows 2003 Server containing target user name.
For more information, please refer to the following link: