Find Active Directory User Lockout Origin

Hello,

Finding the origin of an Active Directory user lockout can be pretty tricky. The first step is to find the Domain Controller on which the lockout happens.

Finding the Domain Controller

Microsoft provides a tool for that:

https://www.microsoft.com/en-us/download/details.aspx?id=15201

LockoutStatus.exe is a tool that will tell you the name of the Domain Controller that locked the user.

Once you have installed the tool, you will find it in “C:\Program Files (x86)\Windows Resource Kits\Tools\lockoutstatus.exe”.

Click on “File”:

Click on “Select Target…”:

Type the name of the user:

Wait a few minutes, depending on the size of your Active Directory domain:

Here you go: in the last column, “Orig Lock”, you get the name of the Domain Controller that locked the user:

Find Active Directory User Lockout Origin

Once you have the Domain Controller name, you can query it to get the computer causing the lockout. For this part, PowerShell will be our friend:

$DCName = 'DC1'             # Domain Controller reported as "Orig Lock" by LockoutStatus.exe
$User = 'IWantToBeLocked'   # sAMAccountName of the locked account
# Event 4740 (account locked out) for this user in the last 2 hours (7200000 ms); Properties[1] is the caller computer name
Get-WinEvent -LogName Security -ComputerName $DCName -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='$User']]" |
    Select-Object TimeCreated, @{Label='User Name'; Expression={$_.Properties[0].Value}},
        @{Label='Client Name'; Expression={$_.Properties[1].Value}}

We are using the Get-WinEvent cmdlet combined with a precise XPath filter, targeting the Domain Controller that locked our user:

Note: you need to change $DCName and $User to match your investigation.
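As an added example (not code from the original post), the script below chains both steps without the GUI tool: it approximates what LockoutStatus.exe does by asking every Domain Controller for the account's non-replicated badPwdCount and badPasswordTime, takes the DC with the most recent bad password as the likely origin, and then pulls event 4740 from that DC. It assumes the ActiveDirectory RSAT module, rights to read each DC's Security log, and that you pass the account name through the hypothetical $User parameter.

```powershell
# Added example, not part of the original post. Requires RSAT ActiveDirectory module
# and remote read access to the Security log on each Domain Controller.
param(
    [Parameter(Mandatory)][string]$User,   # hypothetical parameter: sAMAccountName to investigate
    [int]$Hours = 2                        # how far back to look for event 4740
)
Import-Module ActiveDirectory

# Step 1: emulate LockoutStatus.exe. badPwdCount and badPasswordTime are NOT replicated,
# so each DC reports only the bad passwords it saw itself; -Server forces a per-DC query.
$status = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $User -Server $dc.HostName `
             -Properties badPwdCount, lastBadPasswordAttempt, lockoutTime
        [pscustomobject]@{
            DC              = $dc.HostName
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = $u.lastBadPasswordAttempt
            LockoutTime     = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        }
    } catch { Write-Warning "Could not query $($dc.HostName): $_" }
}
$status | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize

# Heuristic (assumption): the DC that saw the most recent bad password is the origin.
$origin = ($status | Where-Object { $_.BadPwdCount -gt 0 } |
           Sort-Object LastBadPassword -Descending | Select-Object -First 1).DC
if (-not $origin) { Write-Warning "No DC reports bad passwords for $User"; return }

# Step 2: read event 4740 on that DC. Properties[1] holds the caller computer name.
$ms = $Hours * 3600 * 1000
$xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $ms]] and EventData[Data[@Name='TargetUserName']='$User']]"
Get-WinEvent -LogName Security -ComputerName $origin -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{Label='User Name';   Expression={$_.Properties[0].Value}},
        @{Label='Client Name'; Expression={$_.Properties[1].Value}},
        @{Label='DC';          Expression={$_.MachineName}}
```

Save it as a .ps1 and run it as `.\Get-LockoutOrigin.ps1 -User IWantToBeLocked` (file name is just a suggestion); the first table is the equivalent of the LockoutStatus.exe view, the second is the 4740 query from the page.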

And voilà, we have the computer name of the culprit! Now you can pursue your investigation on the computer named “Client1”: look at mapped drives, printers, saved credentials, Outlook, Skype, scheduled tasks, etc.
