Determine which domain controller accounts are locked in Active Directory
This tip was submitted to the SearchWin2000.com tip exchange by member Brian Anderson.
We have over 50 domain controllers in our Active Directory domain. Occasionally, we get calls from users reporting account lockouts that are happening several times a day. This problem occurs 99% of the time after a user has logged onto a computer, changed his password, and then forgotten to log off.
To find the computer that's causing the lockouts, we use Microsoft's free utility,
. This tool allows you to select a target account and determine which DC the account is being locked from. Once the lockout DC is found, the last bad password time will also be displayed. Within AL, right-click on the DC, open the security event log, and scroll to the time of the last bad password. This is much easier than using Event Comber on 50 domain controllers.
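The same per-DC lookup can be scripted. The following is an added example, not part of the original tip and not the Microsoft utility it mentions. It assumes the ActiveDirectory PowerShell module (RSAT), Windows Server 2008 or later event IDs, and a placeholder account name `jdoe`.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and rights to read
# the Security log on the domain controllers.
Import-Module ActiveDirectory

$Account = 'jdoe'   # placeholder sAMAccountName, not from the original tip

# badPwdCount and badPasswordTime are not replicated between DCs,
# so every domain controller has to be asked for its own values.
$perDc = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $u = Get-ADUser -Identity $Account -Server $dc.HostName `
             -Properties badPwdCount, badPasswordTime, LockedOut -ErrorAction Stop
        [pscustomobject]@{
            DC              = $dc.HostName
            BadPwdCount     = $u.badPwdCount
            LastBadPassword = if ($u.badPasswordTime -gt 0) {
                                  [DateTime]::FromFileTime($u.badPasswordTime)
                              } else { $null }
            LockedOut       = $u.LockedOut
        }
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
    }
}
$perDc | Sort-Object LastBadPassword -Descending | Format-Table -AutoSize

# The DC with the most recent bad password attempt is the one to inspect.
$latest = $perDc | Where-Object LastBadPassword |
          Sort-Object LastBadPassword -Descending | Select-Object -First 1
if ($latest) {
    # Event ID 4740 = "A user account was locked out". Its Caller Computer Name
    # field names the machine that sent the bad passwords.
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = $latest.LastBadPassword.AddMinutes(-5)
        EndTime   = $latest.LastBadPassword.AddMinutes(5)
    }
    Get-WinEvent -ComputerName $latest.DC -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $Account } |
        Select-Object TimeCreated, MachineName, Message |
        Format-List
}
```

The five-minute window around the last bad password time is an arbitrary choice for this example; widen it if the DC's clock or the lockout threshold makes the events fall outside it.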
This was first published in January 2004