Account lockouts are a headache for system administrators, and they happen a lot in Active Directory (AD). Research shows that account lockouts are the biggest single source of calls to IT support desks.
The most common underlying cause for AD account lockouts, beyond users forgetting their password, is a running application or background service on a device that is authenticating with stale credentials. As users are required to use more devices, this problem is getting worse. For system administrators, solving it requires that they find the app that is running with stale credentials, and then either stopping it or asking the user to update the credentials.
Get the Free Pen Testing Active Directory Environments EBook
This problem is particularly acute in AD because the way in which account lockouts are handled in the system still reflects the average IT environment of ten years ago, in which most users only used one or two devices. In the days when most Office users logged in using one device, it was easy for them to keep track of their credentials. Now, that is not the case.
In this guide, we’ll explain in more detail how AD account lockouts occur, how to resolve them, and how to build a policy that reduces the time and resources you have to spend unlocking accounts.
Quick Review: The Most Common Reasons for AD Lockouts
Most AD account lockouts are caused by one of two underlying mechanisms. Either a user forgets their password, or they have updated their credentials on a new device and forgotten to update them on an older device.
In this first instance – a forgotten password – it is a simple matter for administrators to reset a users’ credentials, to remind them of the importance of choosing a strong password and not forgetting it, or even to use a password manager to reduce the number of passwords they need to remember. The second scenario – in which a device or service is attempting to authenticate with obsolete credentials – is a more difficult issue to solve, and is our focus in this article.
The basic mechanics of this kind of lockout are as follows. By default, AD will lock a user out after three failed login attempts. In the vast majority of cases, a user will have been asked to update their AD account credentials and will have done so on their most frequently used device. Any other devices they use may still have their old credentials saved, and will automatically continue to try to access AD using these. They will not be able to, and so AD will lock the account very quickly in order to prevent what looks like a brute force attack.
In most cases, system administrators will then be forced to identify the source of these illegitimate login attempts, and either shut them down or ask the user to update their credentials. In today’s environments, though, where users might be required to log in from dozens of different sources, finding the culprit can be very challenging, as can designing a lockout policy that will reduce the frequency of this kind of issue. In the remainder of this article, we’ll show you how to do both.
Common Active Directory Lockout Causes
Before we talk about solutions to account lockouts, it’s worth recognizing that there are many ways AD account lockouts can occur in addition to the two common reasons mentioned above.
Microsoft has an entire TechNet article on lockout troubleshooting, and their list includes:
- Service accounts
- Bad Password Threshold is set too low
- User logging on to multiple computers
- Stored user names and passwords retain redundant credentials
- Scheduled tasks
- Persistent drive mappings
- Active Directory replication
- Disconnected Terminal Server sessions
- Service accounts
Troubleshooting AD lockouts is easier if you have a strong understanding of AD fundamentals. We’ve written many guides to help you master AD. You should begin with our guide to the best AD tutorials on the web, make sure that you understand the difference between users and computers in AD, the way in which ad domain services work, and also the difference between AD and LDAP.
Once you have a good understanding of these topics, you will have an excellent understanding of the way in which account lockouts happen.
Troubleshooting An Account Lockout
Because there are so many potential causes of an AD account lockout, system administrators will often have to undertake some significant investigative work in order to address the issue., System administrators should set up a system to track the number of enabled lockout users throughout their AD Forest, so they can to troubleshoot AD lockouts before being overwhelmed with calls from users.
When you first identify a locked account,, the first and most important task is to identify whether lockout is due to a cyber attack.
To ensure you have enough information to investigate, you should take a few key steps:
- Verify that the domain controllers and client computers are up-to-date with service packs and hotfixes.
- Configure your computers to capture data:
- Enable auditing at the domain level.
- Enable Netlogon logging.
- Enable Kerberos logging.
- Analyze data from the security event log files and the Netlogon log files to help you determine where the lockouts are occurring and why.
- Analyze the event logs on the computer that is generating the account lockouts to determine the cause.
If, after looking through these logs, you see hundreds (or thousands) of failed login attempts, it’s likely that you are seeing a brute force attack on your systems, and you should take immediate action to respond. If, however, it appears that the lockout was caused by more mundane reasons, you will need to find how this has occurred.
Lockout Policy Considerations
If you are continually seeing multiple AD lockout instances, it is possible to remedy this – at least to some extent – by looking at your lockout policy.
In fact, many administrators will tell you that most, if not all, account lockouts can be remedied by having a more intelligent AD account lockout policy. This school of thought recommends that the admin go into the default GPO for the domain, and change the appropriate lockout parameters to a more reasonable setting.
The “account lockout threshold” setting should be shifted to a much higher number than three — perhaps 20 or 30 — so that you, or more to the point, a hacker really has to be hammering at the account to trigger a lockout. “account lockout duration”, the time to wait before the account is automatically unlocked, set to a more sensible ten minutes (instead of, say, 12 hours), and different from the default of zero, which is a permanent lockout. And finally, the tricky “reset account lockout policy after” default set to one minute. You can read more about this approach here.
After receiving wise counsel from a few Varonis SEs, though, I learned that changing the default Active Directory lockout parameters can help. But tread carefully here, there are assumptions about the overall strength of employee passwords that have to be first proved out. According to the SEs, if you have a robust password policy in place, then it might make sense to ramp up the “account lockout threshold”, otherwise this may not fly. There is also a good case to be made that this threshold parameter should always be zero, and users are forced to ultimately deal with support to unfreeze their accounts.
Ultimately, the approach you choose will depend on your environment, and how many lockout instances you are seeing on a daily basis. You should seek to apply a lockout policy that allows you to manage the number of account reset attempts you receive, whilst still being able to catch genuinely malicious attempts to access your network.
3 Active Directory Account Lockout Tools
AD account lockouts are such a common occurrence, and such a source of frustration for network administrators, that a few tools have been written specifically to help you deal with them. Some of these are provided by Microsoft, and others are third-party offerings. Here is a round-up of the best of them:
This is the standard set of tools that Microsoft provides for managing AD account lockouts, and consists of a set of individual components. Each will help you to investigate different aspects of your network.
This tool is great for smaller networks but can struggle with more extensive environments.
You can, of course, take the most direct approach to investigate the cause of AD account lockouts, and use PowerShell to interrogate your network. This might be a slightly longer and more complex process than using the tools above, but it will also give you more granular information on exactly what is happening in your systems.
A Final Word
If you are a network administrator, you don’t need us to tell you that AD account lockouts are a major headache. Given this, it’s tempting to simply view account lockouts as an inherent feature of AD, and automatically unlock user accounts as soon as you receive a support request.
This is a bad approach to handling account lockouts. By taking the time to investigate the true causes of frequent account lockouts, you can stop them from occurring so frequently. Equally, changing your AD account lockout policies can be an effective way of separating instances of user error from genuinely malicious attacks on your network.
Ultimately, how effectively you are able to prevent and manage AD account lockouts will depend on how well you understand AD itself. If you are frequently frustrated by an inability to trace the source of these issues, you can use the resources we’ve provided to improve your knowledge. Specifically, take a look at our guide to AD users and computers, and also our guide to how to use data classification labels can help you to further secure your network against cyberattacks.