Identify from where an AD account was locked out


After enabling password lockouts in our company AD, my account got locked out from time to time. After some searching I finally found out that on a Windows Server 2012 the magic event ID to check is “4625”. It will tell you from which IP the login request, that lead to the lockout, originally came from.

BTW: In my case it was an unused but configured Nextcloud app on my mobile.



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.