Active Directory – Troubleshooting Account Lockout information

Troubleshooting Account Lockout (Technet)

Account Lockout and Management Tools

Account Lockout Status (LockoutStatus.exe)

SCOM Alerts & Audit Collection Services

You should be able to setup an event collection on the Security event log for that lockout and a few other events so that you get an alert.  Here a just a few events that you could alert on to help monitor that account. 
Event ID 531 : Account disabled
Event ID 532 : Account expired
Event ID 535 : Password expired
Event ID 539 : Logon Failure: Account locked out
Event ID 644 : User account Locked out

These article have a pretty good list of other security event id’s that you can alert on as well.

Comments (3)
  1. Vikram Acharya says:

    I liked your way of presentation. The information you provided is great, Thank you for this, and hope in future you will come with more knowledgeable information.


  2. Account Lockout Total Fix says:

    Check this and finish this problem

  3. Account Lockout investigation says:

    As an option take a look at Netwrix Account Lockout Examiner, it involves a lot less of legwork. It’s much more advanced version of ALTools from Microsoft and it’s also completely free. The product automatically checks event logs on DCs, shows source IP
    or computer name, connects to that computers, checks if there are any processes running under that accounts (services, scheduled tasks, RDP sessions etc) and shows them all.

Comments are closed.

Skip to main content