If you are a System Administrator, you already know the frustration: A user complains their account is locked. You unlock it in Active Directory, and five minutes later, they call back saying it's locked again.
Constant AD account lockouts are a nightmare. Most of the time, this happens because the user recently changed their password, but an old device or service is still trying to authenticate using the old, cached credentials.
Instead of manually digging through thousands of event logs, here is the fastest way to find the exact source device causing the lockout using a simple PowerShell script.
The Culprit: Event ID 4740
When an account is locked out, the Domain Controller logs an event in the Security Event Log. The magic number you are looking for is Event ID 4740 (“A user account was locked out”).
While you can open Event Viewer and filter for this ID manually, it is time-consuming, especially if you have multiple Domain Controllers. Lockout events are always processed by the Primary Domain Controller (PDC) Emulator, so that is where we need to look.
The Fast Solution: PowerShell Lockout Tracer
Here is a quick PowerShell script that automatically finds your PDC and searches its security logs for Event 4740 related to your specific user.
(Copy and run this in your PowerShell as Administrator)
<#
.SYNOPSIS
Finds the source computer locking out a specific Active Directory user.
#>
# Replace with the username that keeps getting locked out (SamAccountName, no domain prefix)
$Username = "ENTER_USERNAME_HERE"

# Automatically locate the Primary Domain Controller (PDC) Emulator, which records every lockout
$PDC = (Get-ADDomainController -Discover -Service PrimaryDC).Name
Write-Host "Searching Security Logs on $PDC for locked out user: $Username..." -ForegroundColor Cyan

# Fetch Event ID 4740 (Account Lockout) and extract the source computer.
# Properties[0] is the locked-out account; Properties[1] is the Caller Computer Name.
# -eq compares the username exactly; -match would treat it as a regex and also hit longer names.
Get-WinEvent -ComputerName $PDC -FilterHashtable @{LogName='Security'; Id=4740} |
    Where-Object { $_.Properties[0].Value -eq $Username } |
    Select-Object TimeCreated,
        @{Name='Target User';Expression={$_.Properties[0].Value}},
        @{Name='Caller Computer (Source)';Expression={$_.Properties[1].Value}} |
    Format-Table -AutoSize
How to Use the Script:
- Open PowerShell on your Domain Controller or a machine with RSAT (Remote Server Administration Tools) installed. Make sure to run it as Administrator.
- Replace ENTER_USERNAME_HERE with the actual SamAccountName of the user (e.g., kaveesha.p).
- Press Enter. The script will output the exact date, time, and the Caller Computer (Source) that is triggering the bad password attempts.
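The same search, as an added example that is not part of the original post: it wraps the lookup in a function, limits it to a time window so the DC filters server-side, reads the event fields by name from the event XML instead of by position, and groups the results by source computer so a repeat offender stands out. It assumes the ActiveDirectory (RSAT) module and remote Event Log access to the PDC emulator; the function name, the default 24-hour window and the placeholder username are assumptions of this example.

```powershell
<#
Added example (not the original post's script).
Requires: ActiveDirectory module, remote Event Log access to the PDC emulator,
run as an administrator.
#>
function Get-LockoutSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName,

        # Look back this many hours (24 is an assumed, sensible default)
        [int]$Hours = 24
    )

    # Every lockout is recorded on the PDC emulator, so query only that DC
    $pdc = (Get-ADDomainController -Discover -Service PrimaryDC).HostName

    # Id and StartTime go into the hashtable so the DC filters before sending events
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # SilentlyContinue: "No events were found" is reported as an error, not an empty result
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read named fields from the event XML rather than relying on Properties[] positions.
        # In Event 4740 the caller computer is carried in the field named TargetDomainName.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # String comparison is case-insensitive in PowerShell, so 'Kaveesha.P' still matches
        if ($data['TargetUserName'] -ne $SamAccountName) { continue }

        # A blank caller name happens; make it visible instead of dropping the row
        $caller = $data['TargetDomainName']
        if (-not $caller) { $caller = '<blank>' }

        [pscustomobject]@{
            TimeCreated      = $e.TimeCreated
            TargetUser       = $data['TargetUserName']
            CallerComputer   = $caller
            DomainController = $pdc
        }
    }
}

# Usage: list each lockout in the last 48 hours, then count lockouts per source computer
$lockouts = Get-LockoutSource -SamAccountName 'ENTER_USERNAME_HERE' -Hours 48
$lockouts | Format-Table TimeCreated, TargetUser, CallerComputer -AutoSize
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, @{Name='CallerComputer'; Expression={$_.Name}}
```

If CallerComputer is blank or names an intermediary (for example the Exchange server in the ActiveSync case the post mentions), the 4740 event tells you which system relayed the bad password, not the device that holds it, so the grouped count points you to the server whose own logs you check next.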
How to Fix the Lockout Loop
Once the script reveals the source computer name or IP address, you can finally stop the loop. Check the source device for the following common culprits:
- Credential Manager: Open Windows Credential Manager on the source PC and clear out any saved network passwords.
- Mobile Devices: If the source is a mobile phone (often seen via Exchange ActiveSync), tell the user to update the password in their Mail app or Wi-Fi settings.
- Stale RDP Sessions: The user might have a disconnected Remote Desktop session running on a server that is still trying to use the old token. Log them off completely.
- Mapped Network Drives: Disconnect and reconnect any network drives using the new credentials.
- Windows Services: Check if the user’s account is being used to run a specific Windows Service or Scheduled Task on that machine.
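A quick triage of the source machine for the culprits listed above, as an added example that is not from the original post: it queries the services, scheduled tasks and logged-on sessions on the source computer for anything still tied to the user's account. It assumes CIM/WinRM access to the remote machine and administrator rights; the function name and the placeholder computer and user names are assumptions of this example.

```powershell
<#
Added example (not from the original post).
Requires: CIM/WinRM access to the source computer, run as an administrator.
#>
function Find-StaleCredentialUse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SourceComputer,
        [Parameter(Mandatory)][string]$Username   # SamAccountName without the domain prefix
    )

    # Match the bare name, DOMAIN\name, .\name and name@domain forms; escape regex metacharacters
    $pattern = '(^|\\)' + [regex]::Escape($Username) + '($|@)'

    # 1. Windows services configured to log on as the user (a stale password here locks the
    #    account every time the service starts or restarts)
    Get-CimInstance -ComputerName $SourceComputer -ClassName Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Type   = 'Service'
                Name   = $_.Name
                Detail = "State=$($_.State); LogonAs=$($_.StartName)"
            }
        }

    # 2. Scheduled tasks whose principal is the user
    Get-ScheduledTask -CimSession $SourceComputer |
        Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Type   = 'ScheduledTask'
                Name   = $_.TaskName
                Detail = "Path=$($_.TaskPath); State=$($_.State)"
            }
        }

    # 3. Interactive and RDP sessions; a disconnected session keeps the old token alive.
    #    quser prints a header line, then one row per session with 2+ spaces between columns;
    #    the current session is marked with a leading '>'.
    $sessions = quser /server:$SourceComputer 2>$null
    if ($sessions) {
        $sessions | Select-Object -Skip 1 | ForEach-Object {
            $cols = ($_ -replace '^\s*>?', '') -split '\s{2,}'
            if ($cols[0] -match $pattern) {
                [pscustomobject]@{
                    Type   = 'Session'
                    Name   = $cols[0]
                    Detail = ($cols[1..($cols.Count - 1)] -join ' ')
                }
            }
        }
    }
}

# Usage: run against the Caller Computer reported by Event 4740
Find-StaleCredentialUse -SourceComputer 'SOURCE_PC_HERE' -Username 'ENTER_USERNAME_HERE' |
    Format-Table Type, Name, Detail -AutoSize
```

Credential Manager and mapped drives are per-user stores, so they are not visible to a remote administrative query; check those in the user's own session on the source PC (cmdkey /list shows the saved targets without revealing passwords, and net use lists the mapped drives).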
By finding the exact source machine, you save hours of guessing and instantly solve the user’s problem.
