Identify from where an AD account was locked out

Standard

After enabling password lockouts in our company AD, my account got locked out from time to time. After some searching I finally found out that on a Windows Server 2012 the magic event ID to check is “4625”. It will tell you from which IP the login request, that lead to the lockout, originally came from.

BTW: In my case it was an unused but configured Nextcloud app on my mobile.

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *