How to Troubleshoot Active Directory Account Lockouts by Enabling Audit Failure Logs on Domain Controllers



When troubleshooting Active Directory account lockouts, enabling proper auditing is crucial for identifying the source of failed authentication attempts. Many administrators face situations where they've configured Group Policy for auditing but still don't see failure events in the Security log.

Here's the proper procedure to enable failure auditing for account lockout scenarios:

# First verify the effective audit settings on the DC itself (run from an elevated prompt)
auditpol /get /category:*

To configure this through Group Policy:

  1. Open Group Policy Management Console (gpmc.msc)
  2. Edit the Default Domain Controllers Policy, not just the Default Domain Policy: domain controllers sit in the Domain Controllers OU, so a setting made only in the Default Domain Policy is typically overridden there
  3. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
  4. Configure these specific (legacy, category-level) policies:
    • Audit account logon events: Failure
    • Audit directory service access: Failure
    • Audit logon events: Failure
    • Audit account management: Success, Failure
  5. Run gpupdate /force on all domain controllers (or wait for AD and SYSVOL replication to deliver the policy)

Note that on Windows Server 2008 and later these category-level settings are ignored whenever advanced audit policy subcategories are defined and "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, which is the default. That combination is the most common reason a correctly applied legacy audit policy still produces no failure events.

After enabling auditing, you may need to adjust the Security log size (the default 20MB is often insufficient once failure auditing is on, and a full log with a "do not overwrite" retention policy silently stops recording):

# PowerShell to adjust the event log size; the value is in bytes and must be a multiple of 64KB
Limit-EventLog -LogName Security -MaximumSize 100MB -ComputerName DC01

To query the Security log for lockout events. Event 4740 is recorded on the PDC emulator, so query that DC rather than an arbitrary one:

# PowerShell to find the most recent account lockout events on the PDC emulator
Get-WinEvent -ComputerName (Get-ADDomain).PDCEmulator -FilterHashtable @{
    LogName='Security'
    ID=4740
} -MaxEvents 10 | Format-List

If you're not seeing failure events despite configuration:

  • Verify policy application with gpresult /h report.html (run on the DC, and confirm the GPO is linked to the Domain Controllers OU)
  • Check for conflicting GPOs with rsop.msc
  • Check whether advanced audit policy subcategories are defined: if they are, they override the legacy category settings above, and the Failure setting must be made on the subcategory instead
  • Ensure the DC's security log isn't full
  • Look on the right DC: 4740 is written on the PDC emulator, while 4771 (Kerberos) and 4776 (NTLM) failures are written on whichever DC handled the bad password
  • Confirm the account isn't locked by a non-DC source (VPN, Exchange, etc.)
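The checklist above boils down to one question per domain controller: does the effective audit policy record failures in the subcategories that produce 4776, 4771, 4625 and 4740, and is the override value set so that those subcategories are the ones in force? The script below is an added example, not part of the original article; it assumes the ActiveDirectory RSAT module, WinRM access to every DC, and English subcategory names in the auditpol output.

```powershell
# Added example: report the effective audit policy for the lockout-relevant
# subcategories on every domain controller.
# Assumptions: ActiveDirectory module present, WinRM reachable, English OS names.
Import-Module ActiveDirectory

# Subcategory -> required setting. Event IDs each subcategory produces:
#   Credential Validation           -> 4776 (NTLM)
#   Kerberos Authentication Service -> 4771 (Kerberos pre-authentication)
#   Logon                           -> 4625
#   User Account Management         -> 4740 (lockout is a Success event)
$required = @{
    'Credential Validation'           = 'Failure'
    'Kerberos Authentication Service' = 'Failure'
    'Logon'                           = 'Failure'
    'User Account Management'         = 'Success and Failure'
}

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    # auditpol /r emits CSV with the columns:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /category:* /r | ConvertFrom-Csv

    # 1 (the default) means advanced subcategory settings override the legacy
    # category-level "Audit Policy" settings in the GPO.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $override = if ($null -ne $lsa.SCENoApplyLegacyAuditPolicy) { $lsa.SCENoApplyLegacyAuditPolicy } else { 'not set' }

    [pscustomobject]@{
        DC       = $env:COMPUTERNAME
        Override = $override
        Policy   = $rows
    }
}

foreach ($r in $results) {
    Write-Host "== $($r.DC)  (SCENoApplyLegacyAuditPolicy = $($r.Override))"
    foreach ($sub in $required.Keys) {
        $row     = $r.Policy | Where-Object { $_.Subcategory -eq $sub }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }

        # Every subcategory must log failures; User Account Management must also log successes.
        $ok = $setting -like '*Failure*'
        if ($required[$sub] -eq 'Success and Failure') {
            $ok = $ok -and ($setting -like '*Success*')
        }
        $status = if ($ok) { 'OK ' } else { 'FIX' }
        Write-Host ("  [{0}] {1,-32} {2}" -f $status, $sub, $setting)
    }
}
```

A row marked FIX on one DC but OK on the others usually means the GPO has not replicated to, or is not being applied on, that DC; a FIX on every DC with the override set to 1 means the legacy categories are configured but the advanced subcategories are not.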

Here's a PowerShell script that pulls the most recent lockouts from the PDC emulator (it runs once; schedule it or wrap it in a loop if you want continuous polling):

# Lockout query script: reads 4740 from the PDC emulator, where lockouts are recorded
$pdc = (Get-ADDomain).PDCEmulator

$query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4740)]]
    </Select>
  </Query>
</QueryList>
"@

Get-WinEvent -ComputerName $pdc -FilterXml ([xml]$query) -MaxEvents 10 | ForEach-Object {
    $event = $_
    # Properties[0] is the locked-out account, Properties[1] the "Caller Computer Name"
    $user = $event.Properties[0].Value
    $caller = $event.Properties[1].Value
    $time = $event.TimeCreated
    Write-Host "[$time] Account lockout detected: $user from '$caller'"
}

The rest of this page walks through the same problem in more depth: failure events that aren't being logged despite the policy being configured.

First, ensure proper Group Policy configuration on your Domain Controllers. Export the GPO that actually applies to the Domain Controllers OU and read its Audit Policy and Advanced Audit Policy Configuration sections:

# PowerShell command to export the DC audit settings for review
Get-GPO -Name "Default Domain Controllers Policy" | Get-GPOReport -ReportType HTML | Out-File "C:\temp\GPOReport.html"

For Windows Server 2008 and later, configure the Advanced Audit Policy subcategories instead; once any subcategory is defined they take precedence over the legacy categories:

# Configure via Group Policy Management Console:
1. Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies
2. Configure:
   - Account Logon → Audit Credential Validation: Failure (produces 4776 for NTLM)
   - Account Logon → Audit Kerberos Authentication Service: Failure (produces 4771 for Kerberos)
   - Account Management → Audit User Account Management: Success and Failure (4740 is logged under this subcategory)
   - DS Access → Audit Directory Service Access: Failure
   - Logon/Logoff → Audit Logon: Failure (produces 4625)

For detailed tracking of changes to the account object itself, set a System Access Control List (SACL) on the user object. Combined with Directory Service Access auditing this produces 4662 events for the audited operations; it does not record bad passwords, which are covered by the subcategories above. Writing a SACL requires the "Manage auditing and security log" privilege (SeSecurityPrivilege), and the rule must be an audit rule, not an access (DACL) rule:

# PowerShell to enable failure auditing of property writes on a user object
Import-Module ActiveDirectory
$user = Get-ADUser -Identity "problemuser"
$path = "AD:\" + $user.DistinguishedName
$acl = Get-Acl -Path $path
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]"Everyone",
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AuditFlags]::Failure,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
)
$acl.AddAuditRule($rule)   # appends to the SACL; the DACL is left untouched
Set-Acl -Path $path -AclObject $acl

After making changes, verify settings with these commands:

# Check effective audit policy
auditpol /get /category:*

# Check the subcategories that produce the lockout-related events
auditpol /get /subcategory:"Logon","Credential Validation","Kerberos Authentication Service","User Account Management"

# Force policy update
gpupdate /force

If events still don't appear, check these aspects:

# Check whether advanced subcategory settings override the legacy categories
# (SCENoApplyLegacyAuditPolicy = 1 is the default on Server 2008 and later)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v SCENoApplyLegacyAuditPolicy

# Check event log size and retention settings (a full log with retention enabled stops recording)
wevtutil gl Security

When events start appearing, look for these key Event IDs. 4740 is written on the PDC emulator; the failure events are written on whichever DC processed the attempt, so search all DCs:

4625 - Failed logon attempt (on the machine where the logon was attempted)
4771 - Kerberos pre-authentication failed (carries the client IP address; status 0x18 is a bad password)
4776 - NTLM credential validation failed (carries the workstation name; status 0xC000006A is a bad password)
4740 - Account locked out (carries the "Caller Computer Name")

Use this PowerShell snippet to parse lockout events from the PDC emulator (for 4740, Properties[0] is the target account and Properties[1] is the caller computer name):

Get-WinEvent -ComputerName (Get-ADDomain).PDCEmulator -LogName Security -FilterXPath "*[System[EventID=4740]]" | 
    Select-Object TimeCreated, 
        @{Name='User';Expression={$_.Properties[0].Value}},
        @{Name='SourceComputer';Expression={$_.Properties[1].Value}}
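The snippet above, like the earlier lockout query, only answers "which computer reported the lockout". The next question in the troubleshooting list, whether the bad passwords come from a workstation, a VPN concentrator or an Exchange client, is answered by the 4771 and 4776 events on the DC that rejected them. The script below is an added example, not code from the original article: it takes the 4740 events for one account from the PDC emulator and then walks every DC for that account's 4771/4776 failures, reading the fields by name from the event XML rather than by Properties[] position. It assumes the ActiveDirectory RSAT module, remote Security log read access on the DCs, and the account name "problemuser", which is a placeholder.

```powershell
# Added example: trace an account lockout back to its source.
# Assumptions: ActiveDirectory module present, remote event log access to each DC,
# and a placeholder account name below.
Import-Module ActiveDirectory

$User  = 'problemuser'               # placeholder: the locked-out account
$Since = (Get-Date).AddHours(-24)
$pdc   = (Get-ADDomain).PDCEmulator
$dcs   = (Get-ADDomainController -Filter *).HostName

# Read a named EventData field from the event XML (positions differ between event IDs).
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Step 1: lockouts for this account are recorded on the PDC emulator (4740).
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User }

foreach ($e in $lockouts) {
    # TargetDomainName holds the "Caller Computer Name" in 4740.
    "{0}  4740 on {1}: {2} locked out, caller computer '{3}'" -f `
        $e.TimeCreated, $pdc, $User, (Get-EventField $e 'TargetDomainName')
}

# Step 2: the failed attempts that led to the lockout live on whichever DC handled them.
foreach ($dc in $dcs) {
    $failures = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User }

    foreach ($f in $failures) {
        switch ($f.Id) {
            # Kerberos pre-auth failure: client IP is in IpAddress, 0x18 = bad password
            4771 { $src = Get-EventField $f 'IpAddress';   $code = Get-EventField $f 'Status' }
            # NTLM failure: client name is in Workstation, 0xC000006A = bad password
            4776 { $src = Get-EventField $f 'Workstation'; $code = Get-EventField $f 'Status' }
        }
        "{0}  {1} on {2}: source '{3}', status {4}" -f $f.TimeCreated, $f.Id, $dc, $src, $code
    }
}
```

The 4771 IpAddress is the address the DC saw, so a NAT device, VPN gateway or Exchange server will show up as the source; in that case the next hop is that device's own authentication log, as the "non-DC source" item in the checklist suggests.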

Consider using these tools for deeper analysis:

# Microsoft's Account Lockout Status tool (part of the Account Lockout and Management Tools package)
LockoutStatus.exe

# Netwrix Account Lockout Examiner
# Free tool from https://www.netwrix.com/account_lockout_examiner_freeware.html

Remember to test changes in a non-production environment first and document all modifications.