User Account lockout everyday windows 7 windows 2008 r2

1 like 0 dislike

We have a user whose account keeps locking out every day.

I have enabled Netlogon logging on the PDC and other servers following this article

I have used to troubleshoot where the account is being locked out from.

When I run LockoutStatus.exe to see which DC locked the account, it tells me the PDC has locked the user account.

When I check the PDC Netlogon log, it tells me it was because DC2 asked. When I check the DC2 Netlogon log, it tells me that the RSA server asked to lock this account.

When I check the Netlogon log on the RSA server, it doesn't tell me anything.

Is there any way I can find out why the account is locking out?

I know what is causing this account to lock out, but I can't figure out how to find this device. As far as I know, it's the iPhone or iPad which is causing this account to lock out.

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 30/08/2012 07:23:29
Event ID: 4740
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: PDC
A user account was locked out.

Security ID: SYSTEM
Account Name: PDC$
Account Domain:
Logon ID: 0x3e7

Account That Was Locked Out:
Account Name: DOMAIN

Additional Information:
Caller Computer Name:

Event Xml:

<Event xmlns="">
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328}" />
    <TimeCreated SystemTime="2012-08-30T06:23:29.116920400Z" />
    <Correlation />
    <Execution ProcessID="608" ThreadID="6100" />
    <Security />
    <Data Name="TargetUserName">USER</Data>
    <Data Name="TargetDomainName">
    <Data Name="TargetSid">S-1-5-21-284166382-85745802-1543857936-2058</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">PDC$</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
asked Sep 3, 2012 by anonymous  
retagged Apr 22, 2013

10 Answers

1 like 0 dislike
Best answer

After activating Netlogon logs on the servers, I found which server was the one locking the account. On that server I activated Kerberos logging as per Brian's recommendation and ran a packet capture on the server. It gave me the MAC address of the device which was locking this account. Then I found out which device it was, which was Apple Inc. After that I sent an email to all of the users asking them for the MAC address of their iPhone and iPad. One of the users came back saying this MAC address belongs to their device. I checked the device but still couldn't find any details of the user on it. I just did a full reset of the device.

Now it's been a day and the user account has not been locked out yet. I'm hoping this has fixed the problem for me now.

answered Sep 4, 2012 by anonymous  
selected Sep 5, 2012 by sarwana
It's been more than two weeks and it's still working fine. It has been fixed now.
0 like 0 dislike

I guess that is as far as Windows can give you traces. Contact RSA to see if there are any additional logging options in the RSA product. Hopefully there is a mapping between devices and usernames (sAMAccountNames) so you can review the devices that the particular user uses.

answered Sep 3, 2012 by anonymous  
The RSA server is only being used for WiFi auth; it's not being used for anything else.
I know when Apple device connects to WiFi using this user ID but it can get access, it's being blocked by our system.
Is there any trace software I can run on the RSA server to see which user is making the request and from which IP address?
Do you mean RSA? Or RAS/RRAS as in Routing and Remote Access in Windows Server? If it's an RSA product, again I suggest looking for a logging option in that product.
This server used to be for RSA (VPN), but now it's not being used for that; it's being used for WiFi auth.
0 like 0 dislike

Netwrix has got a tool, Account Lockout Examiner; you might want to give it a try.
Troubleshooting Account Lockouts the PSS way

answered Sep 3, 2012 by anonymous  
I have already tried the Netwrix tool, which was not a help at all.
I have followed but still I got to know where. I can't run a trace on the user's PC because I don't know which PC is locking the account.
0 like 0 dislike

Can you use a tool like Netmon/Wireshark to monitor the traffic? It might give you headway towards identifying the problem.

answered Sep 3, 2012 by anonymous  
I have run Microsoft Network Monitor on the server which Netlogon was telling me is locking the account. It displays a MAC address which belongs to an Apple device, and we can't find that device on our system.
I have searched in all the possible places where this device's MAC might be, but found nothing.
Do you know any software I can run on the server which can let me know this user is trying to connect to this server and tell me the IP address and the current user who is using this device?
0 like 0 dislike

You have already got the source now, and you need to work with the security/network team to trace from where this MAC address info is being registered into the Netlogon.log file. It can be mobile/handheld devices which are in use containing a saved password. There is no such tool, but you have already found the source; now you just have to find the actual device.

answered Sep 3, 2012 by anonymous  
0 like 0 dislike

I have passed the information to the network guys, who told me that this MAC address doesn't exist anywhere in our company.
I have that this will be Apple device which is causing this. Is there any way I can get the IP address or serial number for this device?
This is really painful now; I have tried everything I can think of.

answered Sep 3, 2012 by anonymous  
0 like 0 dislike

If those devices are connected to a public network, then you can't. If they received an IP from your LAN, like DHCP, then you have the MAC/IP address being registered into DHCP/DNS, but the device ID is something AD doesn't keep track of.
If you feel you are running out of options, then it's time to call Microsoft PSS (paid support) to resolve the issue.

answered Sep 3, 2012 by anonymous  
0 like 0 dislike

I have been talking to them for the last few weeks and keep going in loops, checking security logs again and again. This account has been locking out for a few months.
I have checked DHCP/DNS to match this MAC address with an IP address, but I couldn't find anything.
I thought someone might have had the same problem in the past and know how I can fix this.
If you know anything else I can try, please do let me know.

answered Sep 3, 2012 by anonymous  
0 like 0 dislike

Through LockoutStatus you will find the DC where the account is getting locked. Go to that DC, open Event Viewer and open the 4740 event; below you will find the IP address or machine name which is causing the account lockout. If it doesn't show the IP details, it means your account is configured in some non-Windows application. Try to remove the account from the application.

answered Sep 3, 2012 by anonymous  
I have checked the event log on that DC for 4740 (Windows 2008); it had no IP address or machine name.
I don't know which device might be using this user ID. If I can figure out which device is using this user ID, then I can reset or delete this user info.
0 like 0 dislike
  1. Netlogon logging is not enough. Please also enable Kerberos logging.

  2. Event 4740 is just the lockout event; it's also not enough for tracing the lockout source. Suppose the last authentication attempt was from PC A, while the previous bad attempts were from PC B; then it will be useless troubleshooting on PC A.
    So, according to your pwd policy (for example, 10 bad passwords to lock out), check the previous authentications one by one. If they were from the same source, you could determine the source (suppose it's RSA), and you could go on working on that one and check its security logs.
    Filter the events using (529, 644, 675, 676, and 681), adding 4096 for 2008+.

  3. The account name is User? What's the account used for? A service account? As it will be inconvenient to troubleshoot an account lockout issue via a forum, you could choose to open up a ticket with the CTS AD team; it will be more efficient.

answered Sep 3, 2012 by anonymous  
The account name is User? This is what I have changed to hide the user from the public forum.
What's the account used for? It's a standard AD account.
a service account? No
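
The check described in point 2 of the last answer, as an added example that is not part of the thread: take the newest 4740 for the account on a DC, pull the failed authentications that preceded it (up to the lockout threshold), and group them by source so a single unlucky "last attempt" does not mislead. `$DC`, `$User`, `$Threshold` and the 24-hour look-back are placeholders or assumptions; event 4776 is not in the answer's list and is included here as an assumption, because it is the NTLM credential-validation event on 2008+.

```powershell
param(
    [string]$DC        = 'DC2',   # placeholder: DC named by LockoutStatus / Netlogon log
    [string]$User      = 'USER',  # placeholder: locked-out sAMAccountName
    [int]   $Threshold = 10       # assumed lockout threshold from the password policy
)

# Flatten an event's <EventData> into a hashtable keyed by each Data element's Name.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    $fields
}

# Newest lockout (4740 = 644 + 4096) for this account; Get-WinEvent returns newest first.
$lockout = Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
    Where-Object { (Get-EventFields $_).TargetUserName -eq $User } |
    Select-Object -First 1
if (-not $lockout) { Write-Warning "No 4740 event for $User on $DC"; return }

# Legacy IDs from the answer plus 4096: 529->4625, 675->4771, 676->4772, 681->4777.
# 4776 (added here) also logs successes, so events with Status 0x0 are skipped.
$failIds = 4625, 4771, 4772, 4776, 4777
$failures = Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'; Id = $failIds
        StartTime = $lockout.TimeCreated.AddHours(-24)   # assumed look-back window
        EndTime   = $lockout.TimeCreated } |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.TargetUserName -eq $User -and $f.Status -ne '0x0') {
            # The source field differs per event type; take the first one that is populated.
            $src = @($f.IpAddress, $f.WorkstationName, $f.Workstation |
                     Where-Object { $_ -and $_ -ne '-' })[0]
            New-Object PSObject -Property @{ Time = $_.TimeCreated; Id = $_.Id; Source = $src }
        }
    } | Select-Object -First $Threshold   # the attempts closest to the lockout

# One dominant source means that host is the next place to look; a mix of sources
# means several devices hold the stale password.
$failures | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'EventIds'; e = { ($_.Group | Select-Object -ExpandProperty Id -Unique) -join ',' } }
```

A blank `Name` in the output means none of the events carried a source address or workstation, which matches what the asker saw in the 4740 event itself.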