How to Troubleshoot Account Lockout in Active Directory

Here are the steps to troubleshoot  account lockout issue in the Active Directory using Microsoft Account Lockout and Management Tools.

Microsoft Account Lockout and Management Tools:

Microsoft “Account Lockout and Management Tools” are included with AlTools.exe that assist you in managing accounts and in troubleshooting account lockouts.

Also, you can enable auditing at the domain level for the security events to effectively troubleshoot account lockout.

LockoutStatus Tool:

Account Lockout Status i.e. LockoutStatus.exe which displays lockout information about a particular user account State and Lockout Time on each Domain Controller.

Run the LockoutStatus.exe > File menu > Select target > Define Target User Name and Target Domain Name > OK

EventCombMT Tool:

You can use EventCombMT tool to search the event logs of several different computers for specific events, all from one central location.

Note: The EventCombMT utility is included in the Account Lockout and Management Tools download (ALTools.exe).

To search the event logs for account lockouts -> Start EventCombMT ->Right Click on Select to search field > Choose Get DCs in Domain > Mark your Domain Controllers for search

After that on the Searches menu, point to Built In Searches, and then click Account Lockouts.

Note: for Windows Server 2008 and above replace Event ID field values with 4740

Then click Search and wait for the process to complete the operation.

Possible Root Causes for Account Lockouts:

Persistent drive mappings
Mobile devices using domain services like Exchange mailbox
Service Accounts using cached passwords
Scheduled tasks
Programs using stored credentials
Misconfigured domain policy settings issues
Disconnected Terminal Server sessions
Active Directory delayed replication

View Saved Credentials on a Given System:

From a (run as admin) command prompt run:    psexec -i -s -d cmd.exe

From the new DOS window run:  rundll32 keymgr.dll, KRShowKeyMgr > Ok

Remove any items that appear in the list of Stored User Names and Passwords.

Restart the computer.

One can also use Netplwiz (Windows Server 2008 or above):
Start > Run > type in: netplwiz > OK
Click Advanced tab and then click Manage Passwords.

Enable and Disable Netlogon Logging:

To Enable:

Start > Run > type in:
nltest /dbflag:2080ffff > OK
After you restart Net Logon service, related activity may be logged to %windir%/debug/netlogon.log

To Disable:

Start > Run > type in:
nltest /dbflag:0 > OK

For more also you need to know Common Causes for Account Lockouts – Resolution and Troubleshooting Steps.

Additionally, how to track the Source of Failed Logon Attempts in Active Directory.