Account getting locked out frequently in Active Directory

New configuration (How To)

Situation

Active Directory locks an account when the number of failed logon attempts inside the observation window reaches the lockout threshold. Common causes are outdated cached credentials, expired service account passwords, mobile devices syncing with an old password, stale mapped drives, user mistakes, and misconfigured policies. Reviewing the domain controllers' logs and the authentication sources behind them identifies the culprit. If your accounts are frequently getting locked out in Active Directory, work through the solutions below.

  1. Enable Account Lockout Audit Policy in Active Directory
  2. Identify the Lockout Source Using the PDC Emulator and Event Viewer
  3. Trace Failed Pre-Authentication Attempts
  4. Audit and Update Stored Credentials on the Source Machine

Solution

1. Enable Account Lockout Audit Policy in Active Directory

The Account Lockout Policy has three settings: account lockout threshold (the number of bad password attempts that cause a lockout; 0 disables lockouts entirely), account lockout duration (how long the account stays locked before it unlocks automatically; 0 means only an administrator can unlock it), and reset account lockout counter after (the period after which the failed-attempt counter is cleared if no new failure occurs).

Run the following PowerShell command to see the fine-grained password policy (PSO) that applies to a specific account. If it returns nothing, no PSO applies and the account uses the domain's default policy.

Get-ADUserResultantPasswordPolicy -Identity <UserName>

List default domain lockout settings

Use this to display the default domain policy’s lockout values:

Get-ADDefaultDomainPasswordPolicy | Select-Object Lockout* | Format-Table

Now follow the steps below to change the values. Account policies for domain accounts are only honoured when they are set in a GPO linked at the domain root (normally the Default Domain Policy); the same settings in a GPO linked to an OU have no effect on domain accounts.

  • Open Group Policy Management and edit the GPO linked to the domain (usually the Default Domain Policy).
  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy.
  • Configure the three settings: Account lockout duration, Account lockout threshold, and Reset account lockout counter after.

A common configuration locks the account after five incorrect attempts and unlocks it automatically after 30 minutes; note that the out-of-the-box Default Domain Policy sets the threshold to 0, which means accounts are never locked out. If the lockout duration is set to 0, the account does not auto-unlock and an administrator must clear the lock. Choose these values deliberately to balance resistance to password guessing against helpdesk load.

For the lockout events used in the next sections to be written at all, the domain controllers must also audit them. In the Default Domain Controllers Policy, under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies, enable Account Management > Audit User Account Management (Success), which produces Event ID 4740, and Account Logon > Audit Kerberos Authentication Service (Failure), which produces Event ID 4771.
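Before touching the policy it helps to see which lockout policy really governs the affected user and what each domain controller currently knows about that user's failed logons. The following script is an added example, not code from the original article; it needs the ActiveDirectory RSAT module in a domain-joined session, and the user name jjackson is an assumption to be replaced with the account under investigation.

```powershell
# Added example (not part of the original article): show which lockout policy really
# governs one user and what each domain controller currently knows about that user's
# failed logons. Needs the ActiveDirectory RSAT module and a domain-joined session.
# The user name 'jjackson' is an assumption; substitute the account under investigation.
Import-Module ActiveDirectory

function Get-EffectiveLockoutPolicy {
    param([Parameter(Mandatory)][string]$Identity)

    # A fine-grained password policy (PSO) overrides the Default Domain Policy; the
    # cmdlet returns nothing when no PSO applies, so fall back to the domain defaults.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) { $policy = $pso; $source = "PSO '$($pso.Name)'" }
    else      { $policy = Get-ADDefaultDomainPasswordPolicy; $source = 'Default Domain Policy' }

    [pscustomobject]@{
        Identity                 = $Identity
        PolicySource             = $source
        LockoutThreshold         = $policy.LockoutThreshold          # 0 = never lock out
        LockoutDuration          = $policy.LockoutDuration           # 00:00:00 = manual unlock only
        LockoutObservationWindow = $policy.LockoutObservationWindow  # "reset counter after"
    }
}

function Get-LockoutStatePerDC {
    param([Parameter(Mandatory)][string]$Identity)

    # badPwdCount and lastBadPasswordAttempt are not replicated, so each DC must be
    # asked individually; the PDC emulator holds the authoritative count.
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc `
                    -Properties LockedOut, badPwdCount, LastBadPasswordAttempt, AccountLockoutTime
            [pscustomobject]@{
                DomainController       = $dc
                LockedOut              = $u.LockedOut
                BadPasswordCount       = $u.badPwdCount
                LastBadPasswordAttempt = $u.LastBadPasswordAttempt
                AccountLockoutTime     = $u.AccountLockoutTime
            }
        }
        catch { Write-Warning "Could not query ${dc}: $($_.Exception.Message)" }
    }
}

Get-EffectiveLockoutPolicy -Identity 'jjackson' | Format-List
Get-LockoutStatePerDC -Identity 'jjackson' |
    Sort-Object LastBadPasswordAttempt -Descending | Format-Table -AutoSize
```

The DC whose LastBadPasswordAttempt is most recent is the one that received the failing requests, which tells you where to read the Kerberos events in step 3.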

You can run the following command in PowerShell as an administrator to unlock the account.

To unlock a specific account

Unlock-ADAccount jjackson -Confirm

To unlock all locked accounts

Search-ADAccount -LockedOut -UsersOnly | Unlock-ADAccount

Unlocking only treats the symptom. If the lockout values are reasonable and the account still keeps locking, continue with the next sections to find the source of the failed attempts.

2. Identify the Lockout Source Using the PDC Emulator and Event Viewer

The PDC Emulator is the authoritative source for lockout events: every domain controller forwards a failed password attempt to the PDC Emulator before rejecting it, so Event ID 4740 is always written there even when the failed attempts arrived at other DCs. First, find the PDC Emulator with the following PowerShell command (run as an administrator).

(Get-ADDomain).PDCEmulator

Log on to that server (or connect Event Viewer to it remotely), open Event Viewer, and filter the Security log for Event ID 4740, "A user account was locked out". In the event details, the Caller Computer Name field names the machine from which the failed attempts originated. That machine is your primary suspect. If the field names a domain controller or an application server rather than a workstation, the attempts were relayed through that server, and the Kerberos events in the next section identify the real client.

Once you have identified the source computer, investigate it for outdated cached credentials straight away. Check and clear Credential Manager, disconnect mapped network drives, sign out any disconnected RDP sessions, and update the password for every service or scheduled task running under the user's account. Finally, make sure the user's Outlook profile and mobile mail clients hold the new password; these are the most common sources of repeated failed authentication.

3. Trace Failed Pre-Authentication Attempts

If the Caller Computer Name in Event ID 4740 is empty or points at a domain controller rather than a client, the failed attempts arrived over Kerberos and the source must be read from the Kerberos events. Filter the Security log for Event ID 4771, "Kerberos pre-authentication failed". Unlike 4740, this event is written on whichever domain controller answered the request, so check every DC, not only the PDC Emulator. Look for events with Failure Code 0x18 (KDC_ERR_PREAUTH_FAILED, a wrong password). Failure Code 0x12 (KDC_ERR_CLIENT_REVOKED) means the account was already locked out or disabled when the attempt arrived; those events point at the same source. The Client Address field holds the IP address of the source machine, written as ::ffff:a.b.c.d for IPv4 clients. If the client authenticated with NTLM instead of Kerberos, the equivalent event is ID 4776 with error code 0xC000006A, whose Source Workstation field names the machine. Resolve the IP address to a computer name with the command below.

nslookup <IP_Address>

Then apply the cleanup steps from the previous section to that machine.
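Steps 2 and 3 can be run from one administrative workstation instead of clicking through Event Viewer on each DC. The script below is an added example, not code from the original article: it pulls the 4740 events for one account from the PDC Emulator and the matching 4771 events from every DC, and reverse-resolves each client address. It needs the ActiveDirectory RSAT module, the audit subcategories from step 1 enabled, and rights to read each DC's Security log remotely (the Remote Event Log Management firewall rule must be open on the DCs). The account name jjackson and the 24-hour window are assumptions.

```powershell
# Added example (not part of the original article): collect lockout (4740) events from the
# PDC Emulator and failed Kerberos pre-authentication (4771) events from every DC for one
# account, and name the machine behind each. Needs the ActiveDirectory RSAT module, the
# audit subcategories from step 1 enabled, and rights to read each DC's Security log remotely.
# The account 'jjackson' and the 24-hour window are assumptions.
Import-Module ActiveDirectory

$User  = 'jjackson'
$Since = (Get-Date).AddHours(-24)

# Flatten an event's <EventData> into a name -> value hashtable so fields can be read by name.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# Reverse-resolve a client address; 4771 records IPv4 clients as "::ffff:a.b.c.d".
function Resolve-SourceHost {
    param([string]$Address)
    $ip = $Address -replace '^::ffff:', ''
    try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { "$ip (no PTR record)" }
}

function Get-LockoutEvents {
    # 4740 is always written on the PDC Emulator, whichever DC saw the bad passwords.
    $pdc = (Get-ADDomain).PDCEmulator
    Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } |
      ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.TargetUserName -eq $User) {
            [pscustomobject]@{
                Time               = $_.TimeCreated
                Account            = $d.TargetUserName
                CallerComputerName = $d.TargetDomainName   # 4740 stores "Caller Computer Name" in this field
            }
        }
      }
}

function Get-PreAuthFailures {
    # 4771 is written on whichever DC answered the AS-REQ, so every DC is queried.
    (Get-ADDomainController -Filter *).HostName | ForEach-Object {
        $dc = $_
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $Since } |
          ForEach-Object {
            $d = ConvertFrom-EventData $_
            # 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password)
            # 0x12 = KDC_ERR_CLIENT_REVOKED (account already locked out or disabled)
            if ($d.TargetUserName -eq $User -and $d.Status -in '0x18', '0x12') {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    DC         = $dc
                    Status     = $d.Status
                    SourceIP   = $d.IpAddress -replace '^::ffff:', ''
                    SourceHost = Resolve-SourceHost $d.IpAddress
                }
            }
          }
    }
}

Get-LockoutEvents   | Sort-Object Time -Descending | Format-Table -AutoSize
Get-PreAuthFailures | Sort-Object Time -Descending | Format-Table -AutoSize
```

A 4740 whose CallerComputerName is a DC combined with 4771 rows from a single SourceIP is the typical signature of one machine retrying an old password; the SourceHost column is the machine to clean up in step 4.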

4. Audit and Update Stored Credentials on the Source Machine

Once you have identified the source computer, the problem is almost always an outdated credential stored on that device. Credential Manager is per user, so perform these steps while signed in as the affected user (or have the user do them):

  • Open Credential Manager by searching for it in the Start menu.
  • Go to the Windows Credentials section.
  • Look for any Windows or generic credential saved for the locked-out account (the User field shows the account name).
  • Select each one and click Remove.

Then have the user disconnect all mapped network drives and remap them, entering their current password. The user's credential vault is only one hiding place: services, scheduled tasks, and disconnected sessions on the same machine can hold a copy of the old password too and must be updated or signed out.
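The audit above can be scripted so nothing is missed. The following is an added example, not code from the original article: on the machine named by the 4740 event it lists every place that may still hold the user's old password. The Credential Manager and mapped-drive checks must run in the affected user's own session, the service and scheduled-task checks need an elevated prompt, and the user name jjackson and the target names in the commented cleanup commands are assumptions.

```powershell
# Added example (not part of the original article): on the machine named by the 4740
# event, list every place that may still hold the user's old password. The Credential
# Manager and mapped-drive checks must run in the affected user's own session; the
# service and scheduled-task checks need an elevated prompt. 'jjackson' and the target
# names in the cleanup commands at the end are assumptions.
$User = 'jjackson'

Write-Host "== Credential Manager entries saved for $User (current user's vault only) =="
cmdkey /list | Select-String -Pattern $User -SimpleMatch -Context 2, 0

Write-Host "== Mapped drives and SMB connections (reconnect these with the new password) =="
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status

Write-Host "== Services configured to log on as $User =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -like "*$User*" } |
    Select-Object Name, StartName, State

Write-Host "== Scheduled tasks configured to run as $User =="
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like "*$User*" } |
    Select-Object TaskName, TaskPath, State

Write-Host "== Disconnected sessions (sign them out; their processes retry with the old password) =="
quser 2>$null | Select-String -Pattern 'Disc'

# Cleanup once a stale entry is found (uncomment and adjust the target names):
# cmdkey /delete:fileserver01                                 # remove the stored credential
# net use Z: /delete                                          # drop the stale mapping ...
# net use Z: \\fileserver01\share /user:CONTOSO\jjackson *    # ... and remap, prompting for the new password
# logoff <SessionId>                                          # sign out a disconnected session listed by quser
```

Rerun the lockout report from step 1 after the cleanup; if the bad-password count on the PDC Emulator stops climbing, the source was found.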

Solution type

Permanent
