Will said:
A user reports their user account is always locked. But I cannot find any bad
password & account locked events in the domain controller security event
log, even though I enabled the audit log in domain policy.
How do I check bad password logins on a Windows 2003 domain controller?
Thanks

The information is not replicated between DCs, so you need to look on the
DC (or DCs) that authenticated the user. I think there is a tool to retrieve
information about locked out accounts, but I cannot find information on it.
However, I have an example VBScript program to retrieve information on all
locked out users linked here:
http://www.rlmueller.net/LockedUsers.htm
The program contacts all Domain Controllers to get the information, so it
can take a while in a large network with slow connections. One of the
purposes is to identify the DC authenticating the locked out users.
Note that common causes are scheduled tasks or services that attempt to
authenticate with old credentials. Also, persistent drive mappings to shares
that require passwords can cause this.
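
The per-DC lookup described in the reply above can also be done for a single account by reading each DC's own copy of the non-replicated `badPwdCount` and `badPasswordTime` attributes. This is an added example, not the VBScript program linked in the thread; it assumes PowerShell 2.0 or later on a domain-joined machine, and the account name `jdoe` is a placeholder.

```powershell
# Added example (not from the thread). Asks every DC for its own copy of the
# non-replicated bad-password attributes of one account.
param(
    [ValidatePattern('^[\w.\-]+$')]      # keeps LDAP filter metacharacters out
    [string]$SamAccountName = 'jdoe'     # hypothetical account name
)

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"

$rows = foreach ($dc in $domain.DomainControllers) {
    $row = New-Object PSObject -Property @{
        DC = $dc.Name; BadPwdCount = $null; LastBadPassword = $null; Status = 'ok'
    }
    try {
        # Bind to this specific DC so the answer is its local value.
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
        [void]$searcher.PropertiesToLoad.Add('badPwdCount')
        [void]$searcher.PropertiesToLoad.Add('badPasswordTime')
        $hit = $searcher.FindOne()
        if ($null -eq $hit) {
            $row.Status = 'user not found'
        } else {
            # Result property names are stored in lower case.
            if ($hit.Properties.Contains('badpwdcount')) {
                $row.BadPwdCount = [int]$hit.Properties['badpwdcount'][0]
            }
            if ($hit.Properties.Contains('badpasswordtime')) {
                $ft = [long]$hit.Properties['badpasswordtime'][0]
                # Value is a FILETIME; 0 means no bad password recorded here.
                if ($ft -gt 0) { $row.LastBadPassword = [DateTime]::FromFileTime($ft) }
            }
        }
    } catch {
        # A DC that cannot be reached is reported, not silently skipped.
        $row.Status = "unreachable: $($_.Exception.Message)"
    }
    $row
}

# Most recent bad password first: that DC's Security log is the one to read.
$rows | Sort-Object LastBadPassword -Descending |
    Format-Table DC, BadPwdCount, LastBadPassword, Status -AutoSize
```

The DC at the top of the output is the one whose Security event log should hold the failed logon events, including the source workstation to check for stale scheduled tasks, services or drive mappings.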