Troubleshooting account lockouts in Active Directory

vCloudBitsBytes
In this video, I'll talk about how you can troubleshoot account lockout issues in Active Directory and find the source of account lockouts, such as computers, programs or other types of devices. I'll show you how you can use Security logs in Event Viewer to view the lockout events, enable additional audit policies on the default domain controller policy, debug using Netlogon logging, and use a PowerShell script and Account Lockout Status (GUI tool) to find the source of account lockouts.

Table of Contents:
- Intro
- Understanding Account Lockout Policy in AD
- How to check if user accounts are locked in AD?
- Unlock User Accounts in AD
- Troubleshooting account lockout events using Event Viewer
- Extend the size of security log in Event Viewer
- Find unknown computer/device in Security Events (Event ID 4770)
- Event ID 4625 | NTLM Authentication
- Using NetLogon debugging
- Using PowerShell script on PDC Emulator to find the source of account lockouts
- Using PowerShell script on all domain controllers to find the source of account lockouts
- Using Account Lockout Status to find the source of account lockouts
- Troubleshoot using Process Tracking to find the process locking the user accounts.
The PowerShell script below finds the events with Event ID 4740 on the PDC Emulator and returns the name of the computer from which each lockout occurred and the lockout time:

    # Account to investigate
    $Usr = 'Michael.Greene'
    # Query the Security log on the PDC Emulator
    $Pdc = (Get-ADDomain).PDCEmulator
    $ParamsEvn = @{
        'ComputerName' = $Pdc
        'LogName'      = 'Security'
        'FilterXPath'  = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$Usr']]"
    }
    $Evnts = Get-WinEvent @ParamsEvn
    # Properties[1] of event 4740 holds the caller computer name
    $Evnts | ForEach-Object { $_.Properties[1].Value + ' ' + $_.TimeCreated }

If you want to search all domain controllers, you can use the script below:

    $Usr = 'username1'
    Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName | ForEach-Object {
        $ParamsEvn = @{
            'ComputerName' = $_    # current domain controller from the pipeline
            'LogName'      = 'Security'
            'FilterXPath'  = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$Usr']]"
        }
        # A DC with no matching events yields an empty array, so nothing is printed for it
        $Evnts = @(Get-WinEvent @ParamsEvn -ErrorAction SilentlyContinue)
        # MachineName is the DC that logged the event; Properties[1] is the caller computer
        $Evnts | ForEach-Object { $_.MachineName + ' ' + $_.Properties[1].Value + ' ' + $_.TimeCreated }
    }

Download Account Lockout Status - https://www.microsoft.com/en-in/download/details.aspx?id=15201
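For the Netlogon debugging step listed in the table of contents, an added example (not from the video or its description): a PowerShell parser that pulls failed logons for one user out of Netlogon debug log lines and counts them per source machine. The function name Get-NetlogonFailure, the CONTOSO domain, the host names and the sample lines are constructed; the layout assumed is the usual SamLogon entry format of netlogon.log.

```powershell
# Constructed sample lines in the Netlogon debug log layout (not real data).
# On a domain controller, read the real file instead:
#   $Lines = Get-Content "$env:SystemRoot\debug\netlogon.log"
$SampleLog = @'
12/05 09:14:02 [LOGON] [4812] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\Michael.Greene from WKS-0231 (via EXCH01) Entered
12/05 09:14:02 [LOGON] [4812] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\Michael.Greene from WKS-0231 (via EXCH01) Returns 0xC000006A
12/05 09:14:09 [LOGON] [4812] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\Michael.Greene from WKS-0231 (via EXCH01) Returns 0xC000006A
12/05 09:14:31 [LOGON] [5120] CONTOSO: SamLogon: Network logon of CONTOSO\Michael.Greene from PRINT-SCAN7 Returns 0xC0000234
12/05 09:15:10 [LOGON] [5120] CONTOSO: SamLogon: Network logon of CONTOSO\Jane.Doe from WKS-0107 Returns 0x0
'@ -split "`r?`n"

# NTSTATUS codes that matter for lockout triage
$StatusName = @{
    '0xC000006A' = 'wrong password'
    '0xC0000234' = 'account locked out'
    '0xC0000064' = 'no such user'
}

function Get-NetlogonFailure {
    # Hypothetical helper: returns one object per failed logon of $User
    param(
        [string[]]$Line,
        [Parameter(Mandatory)][string]$User
    )
    # Only "Returns <status>" lines carry a result; "Entered" lines do not match
    $Pattern = '^(?<When>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*logon of (?<Account>\S+) from ' +
               '(?<Source>\S+)(?: \(via (?<Via>[^)]+)\))? Returns (?<Status>0x[0-9A-Fa-f]+)'
    foreach ($l in $Line) {
        if ($l -match $Pattern) {
            $m = $Matches                                  # keep a copy of this line's captures
            $Account = ($m.Account -split '\\')[-1]        # drop the DOMAIN\ prefix
            if ($Account -eq $User -and $m.Status -ne '0x0') {
                [pscustomobject]@{
                    When   = $m.When
                    Source = $m.Source                     # machine the credentials came from
                    Via    = $m.Via                        # server that relayed the logon, if any
                    Status = $m.Status
                    Reason = $StatusName[$m.Status]
                }
            }
        }
    }
}

# Which source machine is sending the bad passwords, and through which server?
Get-NetlogonFailure -Line $SampleLog -User 'Michael.Greene' |
    Group-Object Source, Via, Reason |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```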
Published 2 years ago, on 1401/09/14.
Viewed 25,429 times