Server 2012 : Troubleshooting – AD accounts are being locked out almost daily

Check the Logs for Audit Failure

Check the Security audit logs in event viewer.

Good Tool from Microsoft to help:

Account Lockout Tools from Microsoft (ALTools.exe)

Check the Logs for Audit Failure using PowerShell

You would set a TimeCreated member in the -FilterHashtable portion of the command and set a begin and end date.
Read Managing Date Ranges with PowerShell

get-winevent -FilterHashtable @{LogName="Security";KeywordsDisplayNames="{Audit Failure}"} | where-object {$_.message -match "<whatever you need here from the message portion(I suggest the user's Security ID)>"} | format-list


Steps to fix this issue: (in most cases)

  1. Check the security audit logs in event viewer, it can tell you exactly what’s trying to use an old/false password
  2. Reset the user’s password (especially if he recently changed it).
  3. Delete cached credentials from browsers and credential manager on local machine.
  4. Update credential password on mobile/on all devices (company/personal laptop, phone, etc.).

If all these fail and users access is urgent, you could try resetting the user’s local profile as a workaround and keep searching for the initial cause afterwards.


Quick and dirty is to disabled, and then enable the account, but that doesn’t fix the reason to the problem.





Posted in Server 2012, Troubleshooting, Troubleshooting

Leave a Reply