Hey peeps, on Windows Server 2012 R2 I have an admin Active Directory account which gets locked every day at 10 pm. I then have to unlock it, only for it to be locked again at 10 pm the next day. The schedule worked before as it should and this bug started to occur two weeks ago. I tried to manually change it back but it does not do what I command it. So, the case is that every day at the same time my account gets locked. Why is this happening?
Thanks for your post.
We could enable some audit settings and query corresponding Event logs to troubleshoot the account lockout issue.
First, please make sure you have enabled all the audits at the domain level:
- Audit account logon events
- Audit logon events
Then enable the settings below:
- Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Account Management
  Configure: Audit User Account Management for Success and Failure
- Computer Configuration\Windows Settings\Security Settings\Advanced Audit Configuration\Logon/Logoff
  Configure: Audit Account Lockout for Success and Failure
When an account is locked out, a 4740 event is logged in the Security log on the PDC emulator of your domain. Every account lockout is recorded there in the Security event log, so the PDC emulator is a central place that can be queried for all account lockout events. Before looking for event ID 4740, we need to find the domain controller that holds the PDC emulator role. One way to do this is by using the Get-ADDomain cmdlet.
Then you could query the security event log for event ID 4740.
More articles for your reference:
Active Directory: Troubleshooting Frequent Account lockout
Account Lockout and Management Tools
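The procedure in the answer above (find the PDC emulator with Get-ADDomain, then pull event ID 4740 from its Security log) as one PowerShell script. This is an added example, not code from the original answer; it assumes the ActiveDirectory module (RSAT) is installed, that the caller can read the PDC emulator's Security log remotely, and the account name `PLACEHOLDER-ADMIN` is a placeholder to replace. It also checks with auditpol that the two audit subcategories from the answer are actually enabled on the PDC emulator, since without them no 4740 events will be written. For each lockout it prints the caller computer recorded in the event, which is the machine the bad password attempts came from and the first place to look for whatever runs on a schedule at 10 pm.

```powershell
# Added example: locate the PDC emulator and list account-lockout events (ID 4740)
# for one account. Not part of the original answer; the account name is a placeholder.
param(
    [string]$SamAccountName = 'PLACEHOLDER-ADMIN',  # replace with the locked-out account
    [int]$Days = 7                                   # how far back to search
)

Import-Module ActiveDirectory

# Every lockout in the domain is recorded on the PDC emulator, so query it
# rather than an arbitrary domain controller.
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator: $pdc"

# Check that the audit subcategories from the answer are enabled on the PDC emulator;
# without them no 4740 events are written and the query below returns nothing.
Write-Host "Audit policy on ${pdc}:"
Invoke-Command -ComputerName $pdc -ScriptBlock {
    auditpol /get /subcategory:"Account Lockout","User Account Management"
}

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent reports "no events found" as an error; suppress it and treat as empty.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

# In a 4740 event, Properties[0] is TargetUserName (the locked-out account) and
# Properties[1] is TargetDomainName, which for this event ID holds the caller
# computer name, i.e. where the failed logon attempts originated.
$lockouts = foreach ($e in $events) {
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $e.Properties[0].Value
        SourceComputer = $e.Properties[1].Value
        DC             = $e.MachineName
    }
}

$mine = $lockouts | Where-Object { $_.Account -eq $SamAccountName } | Sort-Object Time

if (-not $mine) {
    Write-Host "No 4740 events for $SamAccountName in the last $Days day(s) on $pdc."
} else {
    $mine | Format-Table -AutoSize
    # A recurring lockout at the same clock time usually shows up here as the same
    # SourceComputer and the same hour every day; group to make that pattern obvious.
    $mine | Group-Object SourceComputer, { $_.Time.Hour } |
        Select-Object Count, Name |
        Format-Table -AutoSize
}
```

Run it from a domain-joined management host as a user with rights to read the Security log on the PDC emulator. The script only reads events; the next step, once the caller computer is known, is to inspect that machine for the process holding the stale credential (the "Account Lockout and Management Tools" linked above can help narrow that down).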