Find Locking Computer Using Event Logs
- Login to the Domain Controller where authentication took place.
- Open “Event Viewer“.
- Expand “Windows Logs” then choose “Security“.
- Select “Filter Current Log…” on the right pane.
- Replace the field that says “<All Event IDs>” with “4740“, then select “OK“.
- Select “Find” on the right pane, type the username of the locked account, then select “OK“.
- The Event Viewer should now only display events where the user failed to login and locked the account. You can double-click the event to see details, including the “Caller Computer Name“, which is where the lockout is coming from.