An account lockout can occur for a number of reasons and you need to deal with them quickly. We examine tools for the job.
Here is our list of the best account lockout analyzers:
- ManageEngine ADAudit Plus – EDITOR’S CHOICE This large package of AD-related account management tools includes automated detection and remediation processes for account lockout events. Available for Windows Server, AWS, and Azure. Get a 30-day free trial.
- Netwrix Account Lockout Examiner Examine and analyze each lockout event with this efficient and effective package. Runs on Windows.
- Quest Enterprise Reporter for Active Directory Get assessment reports for a range of account conditions in Active Directory and Entra ID including lockouts. Runs on Windows Server.
- Lepide Active Directory Account Lockout Tool This free utility discovers locked accounts and documents them, providing assistance for investigations into their causes and a method to unlock them. Available for Windows Server.
- Microsoft Account Lockout and Management Tools – FREE TOOL A suite of tools that identifies lockouts and works out the reasons for them. Runs on Windows and Windows Server.
- CJWDEV AD Info A flexible reporting tool that provides on-demand scans of a domain controller, listing accounts by status, including an option for lockout detection. Available in free and paid versions. Runs on Windows.
The main reason that an account gets locked is that someone has entered an incorrect password too many times within the observation window set in Group Policy (the Account lockout threshold, Account lockout duration and Reset account lockout counter after settings). This is an important security feature because it blunts a very old attack: trying password after password until the real one is reached, which freely available tools do automatically from a dictionary of common words. The same control cuts both ways, though: an attacker who knows the threshold can lock users out deliberately, or stay just under it and spray one common password across many accounts, so repeated failed logins deserve a look even when no lockout results.
The causes of account lockouts
There are genuine reasons for a user to enter a password that doesn't match the record in the access rights manager. The user might be a poor typist or might have forgotten the exact combination of digits and special characters that was inserted to satisfy the password complexity rules. Very often, though, nobody is typing at all: a phone, a mapped drive, a saved remote desktop session, a scheduled task or a service still holds the old password after a change and keeps presenting it until the account locks.
Your access rights management system could also be the cause. In Active Directory, every domain controller (DC) holds its own copy of the account database, and the copies are kept in step by replication. A new password is pushed to the PDC emulator straight away and lockouts are replicated urgently, and a DC that rejects a password forwards the attempt to the PDC emulator in case the password was recently changed there, but if replication is broken or badly delayed, a DC can still hold a stale password, or a stale lockout, for the account.
A replication error can therefore leave the account locked on some DCs even though the user entered the correct password: that DC's copy of the record was out of date. Systems that implement single sign-on make this worse, because one initial login drives many automatic ones, and conflicting password records turn into a cascade of failure notices for an innocent user.
Unlock an account
It is relatively easy to unlock an account. The lock is just a flag on the user record: Active Directory stores the time of the lockout in the lockoutTime attribute (PowerShell exposes it as the calculated LockedOut property), and clearing it unlocks the account. In Active Directory Users and Computers, open the user's Properties, click the Account tab, and tick Unlock account, which sits just above the Account options list box.
If the password recorded for this account on the DC that handles the next login is stale, or if a device somewhere is still replaying an old password, the user will simply get locked out again. Remember that a failed replication cycle can leave different passwords registered on different DCs for an account whose owner recently changed the password.
So, to correct the problem, first discover on which DCs the account is locked, then examine the reason for the lockout on each. Just unlocking it and telling the user that everything is fine restarts the lockout cycle and drives that person mad.
All of this explains why you need an account lockout analyzer: something that finds where an account is locked and works out why. Don't just unlock it and throw the user back into the circle of hell where they can't get into the system and are told it is all their fault.
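As an added example, and not code from the page or from any of the tools reviewed below, the following PowerShell carries out the procedure above with the RSAT ActiveDirectory module: it reads the domain lockout policy, queries every DC for the account's non-replicated lockout attributes, pulls the 4740 lockout events from the PDC emulator to see which computer sent the bad passwords, warns when the last password change has not replicated everywhere, and only then unlocks. The function names and the account name jsmith are placeholders of mine; it assumes you run it as an account that can read user attributes and the Security log on each DC.

```powershell
# Added example, not from the page or any reviewed product. Requires the RSAT
# ActiveDirectory module and rights to read user attributes and the Security log
# on each domain controller. 'jsmith' below is a placeholder account name.
Import-Module ActiveDirectory

function Get-LockoutStatusPerDC {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Lockout duration from the domain policy; a fine-grained password policy
    # applied to the user would override it (see Get-ADUserResultantPasswordPolicy).
    $policy = Get-ADDefaultDomainPasswordPolicy
    $nowUtc = (Get-Date).ToUniversalTime()

    # badPwdCount and badPasswordTime are never replicated and lockoutTime may lag,
    # so ask every DC directly instead of whichever one happens to answer.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -ErrorAction Stop `
                 -Properties lockoutTime, badPwdCount, badPasswordTime, pwdLastSet
            $lockedAt = if ($u.lockoutTime -gt 0) { [DateTime]::FromFileTimeUtc($u.lockoutTime) } else { $null }
            # lockoutTime stays set after the lockout duration expires, so apply the policy too.
            $stillLocked = [bool]$lockedAt -and (
                $policy.LockoutDuration -eq [TimeSpan]::Zero -or
                ($nowUtc - $lockedAt) -lt $policy.LockoutDuration)
            [pscustomobject]@{
                DC            = $dc.HostName
                LockedOut     = $stillLocked
                LockedAtUtc   = $lockedAt
                BadPwdCount   = $u.badPwdCount
                LastBadPwdUtc = if ($u.badPasswordTime -gt 0) { [DateTime]::FromFileTimeUtc($u.badPasswordTime) } else { $null }
                PwdLastSetUtc = if ($u.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($u.pwdLastSet) } else { $null }
                Error         = $null
            }
        } catch {
            # Unreachable DC, or one that has not replicated this user yet.
            [pscustomobject]@{ DC = $dc.HostName; LockedOut = $null; LockedAtUtc = $null; BadPwdCount = $null
                               LastBadPwdUtc = $null; PwdLastSetUtc = $null; Error = $_.Exception.Message }
        }
    }
}

function Get-LockoutEvents {
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Days = 1)

    # Every lockout is processed by the PDC emulator, so its Security log holds a
    # complete set of event 4740 (A user account was locked out).
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -eq $SamAccountName) {
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                Account        = $d['TargetUserName']
                # In 4740 the originating machine ("Caller Computer Name" in the
                # rendered message) is carried in the TargetDomainName field.
                CallerComputer = $d['TargetDomainName']
                LoggedOn       = $_.MachineName
            }
        }
    }
}

function Resolve-Lockout {
    param([Parameter(Mandatory)][string]$SamAccountName, [switch]$Unlock)

    $status = @(Get-LockoutStatusPerDC -SamAccountName $SamAccountName)
    $status | Format-Table -AutoSize | Out-Host

    # Differing pwdLastSet values mean the last password change has not reached every DC.
    $pwdSets = $status | Where-Object { $_.PwdLastSetUtc } | Select-Object -ExpandProperty PwdLastSetUtc -Unique
    if (@($pwdSets).Count -gt 1) {
        Write-Warning "pwdLastSet differs between DCs: replication of the last password change is incomplete."
    }

    $events = @(Get-LockoutEvents -SamAccountName $SamAccountName)
    $events | Format-Table -AutoSize | Out-Host
    $sources = ($events.CallerComputer | Sort-Object -Unique) -join ', '

    if ($Unlock) {
        if ($sources) { Write-Warning "Bad passwords came from: $sources. Fix that source first or the account will lock again." }
        # Unlock on the PDC emulator, the DC the others consult for bad passwords;
        # the cleared lockoutTime then replicates to the rest.
        Unlock-ADAccount -Identity $SamAccountName -Server (Get-ADDomain).PDCEmulator
    }
}

# Usage (inspect first, then unlock once the cause is known):
#   Resolve-Lockout -SamAccountName 'jsmith'
#   Resolve-Lockout -SamAccountName 'jsmith' -Unlock
```

The per-DC table is the "where" step: a DC showing LockedOut with a BadPwdCount at or above the policy threshold is where the failures landed, and a DC whose PwdLastSetUtc lags the others has not yet received the new password. The 4740 events are the start of the "why" step: the CallerComputer column names the machine that kept sending the wrong password.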
The Best Account Lockout Analyzers
Our methodology for selecting the best account lockout analyzers
There are two phases to account lockout analysis: find out where an account is locked and then find out why it is locked in each place. It would be nice to get both tasks done with one tool, but where splitting the hunt across two tools saves you money, we'll tell you about it. Not all the tools we recommend cover all of our essential selection criteria:
- A cross-domain scanner for Active Directory
- Live monitoring that will raise an alert when a lockout occurs
- A filter that lists only locked accounts and shows where each one is locked
- Access to Event Logs to show what happened before the account was locked
- Analysis over time or across domains to identify trends
- A feature to quickly unlock accounts manually or an automated unlock function
- An accessible price or a free tool
1. ManageEngine ADAudit Plus – FREE TRIAL
ManageEngine ADAudit Plus is a security scanning service that plugs into the user data held in Active Directory. The information that this package particularly focuses on is the number of failed logins. The tool also provides an alert if an account gets locked out. It will record the events of a replication cycle, such as the times it ran and whether it produced an error. These few factors alone give you just about all the lockout analysis you need.
Key Features:
- Alerts for lockouts: Find out immediately when an account gets locked
- Locked account history: See the recent events that occurred on a locked account
- Replication details: The tool logs every step of a replication cycle, including errors
- Failed login attempts report: Get a list of accounts that have experienced excessive successive failed login attempts
- Historical data storage: Recall statistics for activity analysis
Why do we recommend it?
ManageEngine ADAudit Plus provides both live monitoring and reporting functions. The system will alert you if a lockout occurs, but that should not happen very often: by acting on its alerts over repeated failed logins and replication errors, you can very nearly eradicate lockout events.
I found that the ADAudit package focuses on user activity because its aim is to identify insider threats and account takeovers. The data it collects for that purpose also helps you identify the events that lead to a lockout. The tool automatically logs every step of a replication action, so you can see straight away where record syncing failed, fix the kinds of problems that cause lockouts, and head them off before they happen. Excessive login failure is a security issue in its own right and should be investigated.
Who is it recommended for?
Any business that uses Active Directory as its access rights manager would benefit from this package. There is a Free edition. However, it is limited to reporting on data that was collected during the free trial of the paid version, so it isn’t worth trying. The Standard edition is accessibly priced for SMEs.
Pros:
- User activity tracking: Implements routines to spot account takeovers and insider threats
- Provides extra logging: Creates audit trails
- Compliance management: Suitable for SOX, HIPAA, PCI DSS, GLBA, FISMA, GDPR, and ISO 27001
- Multi-platform: Interfaces with Entra ID and Microsoft 365 on the cloud as well as with Active Directory on your site
- File server security: Logs activity involving files
Cons:
- Focused on Windows and Microsoft products: Weak at securing Linux and macOS systems
ADAudit Plus is a software package that will run on Windows Server, AWS, and Azure. The package is available for a 30-day free trial.
EDITOR'S CHOICE
ManageEngine ADAudit Plus is our top pick for an account lockout analyzer because it provides live activity tracking and spots the events that lead to lockouts, so an administrator can resolve issues before they trigger one. There are two root causes to deal with. The first is suspicious activity on login screens: your access rights manager locks an account if the password is entered wrongly too many times, and that lockout is a good thing because it stops brute-force password guessing. The second is a failed replication event, which leaves credential records out of step if a user has recently changed a password. Catching such failures means that almost no lockouts occur.
Download: Start a 30-day FREE Trial
Official Site: https://www.manageengine.com/products/active-directory-audit/sem/lp/windows-ad-user-account-keeps-getting-locked-out.html
OS: Windows Server, AWS, and Azure
2. Netwrix Account Lockout Examiner
Netwrix Account Lockout Examiner is a useful free tool that shows you which DCs have a given account locked and what happened recently on that account that could explain the status. This is one of those tools that we referred to in the introduction that won’t give you all the functions you need: it doesn’t discover locked accounts.
Key Features:
- Analyze an account: Examine a given account
- Get a report on recent events: Give the tool a number of days on which to report
- Scans through AD records: Will cross domains for its report
- Pinpoint lockouts: Only shows the domains and services where the given account is locked
Why do we recommend it?
Netwrix Account Lockout Examiner gives you the details of an account that you already know has been locked out. You might find out that the account is locked from a user complaint or you could use another tool to scan your domain controllers and get a list.
I noted that the Account Lockout Examiner only lists where a given account is locked and shows the details of the events on that account. This is not as good as a live lockout scanner, and the tool doesn't give you a way to discover all locked accounts. However, you can use another free tool on this list to discover locked accounts; more on that later.
Who is it recommended for?
Try out this tool if you have absolutely no budget for system administration tools. This isn’t as good as the ManageEngine ADAudit Plus tool, but it is fast and scans across domains, which saves time.
Pros:
- System-wide scans: Examines all domain controllers in each run
- Provides event details: Shows an explanation of each lockout
- A details screen: Get more event details by pressing a button
- A free tool: There is no paid version
Cons:
- No cloud version: This is only available for installation on Windows
Netwrix Account Lockout Examiner will run on Windows. Download the tool for free.
3. Quest Enterprise Reporter for Active Directory
Quest Enterprise Reporter for Active Directory provides scans of Active Directory. This service doesn’t offer live monitoring like the ManageEngine system. However, you can run the reports on a schedule to create an automated series of investigations and system audits. The list of reports available with the package includes an account lockout list.
Key Features:
- A reporting tool: Not a live monitoring system
- Launch options: Run on demand or on a schedule
- Multi-domain: Scan multiple domains with one report
Why do we recommend it?
Quest Enterprise Reporter for Active Directory implements system-wide scanning reports and also detailed examinations that focus on specific accounts. The package includes a list of pre-written reports and it is also possible to create custom reports. Typically, a report focuses on a specific attribute of an AD user or device record.
I learned that Quest Enterprise Reporter is available for other systems, not just for Active Directory. You can also get the reporting tool for Windows Server, Microsoft 365, Exchange Server, OneDrive for Business, SQL Server, and Windows file storage.
Who is it recommended for?
This is a paid tool, and so many administrators might wonder why they should select this option rather than the Netwrix free tool. However, this package has many AD report formats, supplying auditing functions in addition to account lockout details. Therefore, it provides many more functions than the Account Lockout Examiner.
Pros:
- Pre-written reports: It is also possible to create custom reports
- Account lockout scans: Reports for failed logins
- Administration task tracking: Reports for replication activity
Cons:
- No live monitoring: This is purely a reporting tool
Quest Enterprise Reporter is a software package for Windows Server. You can assess the system with a 30-day free trial.
4. Lepide Active Directory Account Lockout Tool
Lepide Active Directory Account Lockout Tool is a similar tool to the Netwrix Account Lockout Examiner. In fact, the two systems are almost identical. This system is able to report on a given account across domains, listing each location where the account is locked.
Key Features:
- Reports for a specific account: Shows the instances where the account is locked
- Displays the reason for the lockout: Provides a brief description
- Free to use: There is no paid version
Why do we recommend it?
Lepide Active Directory Account Lockout Tool implements an analysis of a specific account by scanning across all the AD instances on your system. It is able to examine cloud-based AD, such as Entra ID and Microsoft 365, as well as your on-premises instances.
I discovered that this service runs a quick scan of multiple domains for locked instances of an account. The interface includes an unlock button. It is also possible to write a report on the locked account to file for auditing purposes.
Who is it recommended for?
This is a free tool and competes directly with the Netwrix Account Lockout Examiner. In both cases, you need to know the name of an account in order to launch a scan. You would need to pair this tool with CJWDEV AD Info to first discover all the accounts that are locked.
Pros:
- An unlock function: Push a button in the interface
- Save to file: Provided by another button
- Multi-platform: Scans across cloud and on-premises instances
Cons:
- Needs a scanner: Find another tool to identify locked accounts
This tool is a software package for Windows Server and you can download it for free.
5. Microsoft Account Lockout and Management Tools
Microsoft Account Lockout and Management Tools is an account examiner for Active Directory that is produced by Microsoft. The package is able to examine a given account and explain where and why it is locked. The system is actually a suite of programs. This is a free tool.
Key Features:
- A suite of tools: Delivered as a single download with a unified installer
- Scans multiple DCs: Queries every domain controller across the network for one account's lockout state
- Tracks down the instances where an account is locked: Give it an account name as an input
Why do we recommend it?
Microsoft Account Lockout and Management Tools is provided by Microsoft, the makers of Active Directory, so it is difficult to work out why the company doesn’t include this system in with AD by default. The package performs the same task as the Netwrix and Lepide tools on this list but spreads the functionality over a number of separate utilities.
I observed that the suite works against on-premises domain controllers. LockoutStatus.exe asks every DC for the account's lockout state, bad-password count and last bad-password time, and EventCombMT searches the DCs' Security logs for a given account name to pull out the lockout events and the failed logins that preceded them.
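As an added example, and not part of Microsoft's suite or of this page, the following PowerShell does the event-log search that EventCombMT automates: it pulls the Kerberos (4771) and NTLM (4776) wrong-password events for one account from every DC and tallies them by originating host, which is what you need to find the device that is still replaying an old password. The function name and the account jsmith are my placeholders; it assumes the RSAT ActiveDirectory module and rights to read the Security log on each DC.

```powershell
# Added example, not part of the Microsoft suite described on this page.
# Requires the RSAT ActiveDirectory module and rights to read each DC's Security
# log. 'jsmith' is a placeholder account name.
Import-Module ActiveDirectory

function Find-BadPasswordSources {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    # 4771: Kerberos pre-authentication failed; Status 0x18 means a wrong password.
    # 4776: NTLM credential validation; Status 0xC000006A means a wrong password.
    # A DC logs what it validated itself and forwards bad passwords to the PDC
    # emulator, which logs them again, so collect from every DC; rows with an
    # identical time and source are dropped, and counts are an upper bound.
    $hits = foreach ($dc in (Get-ADDomainController -Filter *)) {
        $events = Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since
        }
        foreach ($e in $events) {
            $d = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['TargetUserName'] -ne $SamAccountName) { continue }

            $wrongPassword = ($e.Id -eq 4771 -and $d['Status'] -eq '0x18') -or
                             ($e.Id -eq 4776 -and $d['Status'] -eq '0xC000006A')
            if (-not $wrongPassword) { continue }

            [pscustomobject]@{
                Time     = $e.TimeCreated
                DC       = $dc.HostName
                Protocol = if ($e.Id -eq 4771) { 'Kerberos' } else { 'NTLM' }
                # Kerberos gives the client IP (often IPv4-mapped); NTLM gives the workstation name.
                Source   = if ($e.Id -eq 4771) { $d['IpAddress'] -replace '^::ffff:', '' } else { $d['Workstation'] }
            }
        }
    }

    $hits |
        Sort-Object Time, Source -Unique |
        Group-Object Source |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Source';    e = { $_.Name } },
                      Count,
                      @{ n = 'Protocols'; e = { ($_.Group.Protocol | Sort-Object -Unique) -join ',' } },
                      @{ n = 'First';     e = { ($_.Group.Time | Sort-Object)[0] } },
                      @{ n = 'Last';      e = { ($_.Group.Time | Sort-Object)[-1] } }
}

# Usage: the top row is the host to fix (a stale saved credential, a service
# account, or an attacker) before anyone unlocks the account.
#   Find-BadPasswordSources -SamAccountName 'jsmith' -Hours 48
```

A single source with a steady trickle of NTLM failures is the classic stale saved credential; many sources, or one source hitting many accounts, is the pattern to escalate rather than unlock.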
Who is it recommended for?
If your company has a Microsoft-only software purchasing policy, then you will go for this tool. It is possible that Lepide and Netwrix simply copied this suite of tools and made their version easier to use by unifying all operations in one interface.
Pros:
- Produced by Microsoft: The same brand as Active Directory
- Runs on Windows: Typical of Microsoft products
- Free to use: There is no paid version
Cons:
- A little old now: Hasn’t been updated since 2019
Download the tool for free and run it on Windows.
6. CJWDEV AD Info
CJWDEV AD Info is the final piece in the puzzle if you are interested in the combo of free tools that I mentioned in the introduction of this guide. This reporting package scans through Active Directory and has a free version. You can specify which attributes the search should report on, and the Account Is Locked Out field is one of them. Run this report first to find all the locked accounts, then examine them one by one with either the Netwrix or Lepide tool.
Key Features:
- Free option: You can get a locked account list with the Free edition
- Results shown in the interface: Save them to a CSV file
- Scan on any attribute: The reporter has many other uses
Why do we recommend it?
CJWDEV AD Info can easily give you a list of locked accounts. You can also use this tool to examine other status problems in AD, such as accounts with multiple failed logins. There is replication-related data in AD that you can extract with this tool for error analysis.
I noticed that this tool doesn’t have a slick interface, but if you use it for free, you can’t expect the earth. The paid version has a few extra benefits, such as the ability to run a report on a schedule and write the output straight to file.
Who is it recommended for?
This tool is recommended for administrators who want an entire lockout detection and resolution suite for free. Use it in combination with Lepide Active Directory Account Lockout Tool or Netwrix Account Lockout Examiner.
Pros:
- Spreadsheet-like output: Scroll horizontally and sort by column
- Customizable report: Write your own query to run as a report
- On-premises software: Runs on Windows
Cons:
- One DC at a time: Doesn’t scan all your DCs in one run
CJWDEV AD Info runs on Windows and you can download it for free.