Identify AD Lockout Source

    In this domain, the password complexity rules are set to force a password change every 90 days.  When logging into the Domain Controller, I saw the notification and scheduled the password change with the client.  Upon changing the password, I was immediately locked out of the domain.  Needless to say, that was not how I envisioned the start of my day.  Fortunately, that is not the only privileged account.  Looking through my documentation for this client, the AD admin account should not be tied to ANY resources and yet it must be.  In order to determine the root cause, we look at the Event Viewer.  FYI, I'm fairly confident that Auditing must be enabled in Group Policy for these events to be recorded.  

    First, we launch Event Viewer, select Security in the left column, and find the Failure entry in the right column:

    When we drill down, we see the failure:  "Account Lockout"

    Not that we didn't know this already.

    When we scroll down, we find the source:

    If it were a workstation or another server, we would see its name.  In this case, the source was a non-Windows device and was identified by IP address.
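The same lookup can be scripted instead of clicked through. This is an added example, not part of the original post: it assumes the failure entry is event ID 4625 (failed logon, which carries the workstation name and source IP fields), and the account name `ad-admin` and the sample event are constructed for illustration.

```powershell
# Added example: pull the source of failed logons for one account out of 4625 event XML.
function Get-FailedLogonSource {
    param(
        [Parameter(ValueFromPipeline)] [string]$EventXml,
        [Parameter(Mandatory)] [string]$Account      # hypothetical account name
    )
    process {
        # Flatten <Data Name="...">value</Data> into a name -> value table.
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -eq $Account) {
            [pscustomobject]@{
                Account     = $data['TargetUserName']
                Workstation = $data['WorkstationName']   # often '-' or empty for non-Windows sources
                IpAddress   = $data['IpAddress']
                LogonType   = $data['LogonType']
                Status      = $data['Status']            # 0xC0000234 = account locked out
            }
        }
    }
}

# Constructed sample event (trimmed to the fields used above; 192.0.2.45 is a documentation address).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID></System>
  <EventData>
    <Data Name="TargetUserName">ad-admin</Data>
    <Data Name="Status">0xC0000234</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">-</Data>
    <Data Name="IpAddress">192.0.2.45</Data>
  </EventData>
</Event>
'@
$sample | Get-FailedLogonSource -Account 'ad-admin'

# On the domain controller, from an elevated prompt: the same function over the
# last day of the live Security log, grouped so the noisiest source is listed first.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object { $_.ToXml() } |
    Get-FailedLogonSource -Account 'ad-admin' |
    Group-Object IpAddress, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A source that shows only an IP address and no workstation name, as in the case described here, points at a non-Windows device holding the old password.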

    The account was removed and a service account was added.  Problem solved.  

    © 2020