The AD Account Lockout tool is free and very valuable in troubleshooting account lockouts in Active Directory. This is a task as old as the directory service itself. Even in modern IT architectures, we still face the frustration of a user account repeatedly locking out without a clear source. While we strive for modern identity management, we must often rely on battle-tested tools from the past to solve these on-premises headaches. One of the most effective utilities for this is the Microsoft Account Lockout and Management Tools package.
In this article, we look at how to use these tools to stop the guessing game and identify exactly which Domain Controller is holding the lock.
Introduction to AD Account Lockout
When a user’s account is locked, the information is replicated across Domain Controllers, but the lockout itself usually originates from a specific source—a misconfigured service, a forgotten mobile device, or a stale mapped drive. The standard Active Directory Users and Computers (ADUC) console tells you that an account is locked, but it doesn’t tell you where the bad password attempts are hitting.
The accountlockout.exe package (officially the Account Lockout and Management Tools) provides a set of utilities designed specifically to query all Domain Controllers in your environment simultaneously. This gives you a real-time view of the lockout status and the bad password count across the entire infrastructure.
Understanding the AD Account Lockout
The download from Microsoft is a self-extracting executable that contains several files. The most important one for daily operations is LockoutStatus.exe.
- LockoutStatus.exe: This tool provides a graphical interface to examine the state of a user account across all visible Domain Controllers. It shows you the last bad password time, the current lockout status, and the bad password count.
- Acctinfo.dll: This is a dynamic-link library that adds an “Additional Account Info” tab to the user object properties in ADUC. It is extremely helpful for viewing password expiration dates and the SID of the user without using PowerShell.
- ALockout.dll: This tool is used on the client side to help determine which process is sending wrong credentials.
Step-by-step: Installation and Usage
Download the tool here: https://www.microsoft.com/en-ca/download/details.aspx?id=15201
Follow these steps to set up the tool in your environment. You can also follow along with my video guide provided below.
To launch the tool, go to C:\Program Files (x86)\Windows Resource Kits\Tools\ and run LockoutStatus.exe, as shown in the video below.
The tool will now query every Domain Controller in the domain. Look at the “Bad Pwd Count” and “Last Bad Pwd” columns. The Domain Controller with the highest count or the most recent timestamp is typically where the source of the lockout is located.
You can right-click the user within this tool and select “Unlock” to clear the status across the domain immediately.
Important: If you see the bad password count rising in real-time while the tool is open, you are dealing with an active process or service that is continuously attempting to authenticate.
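The per-DC query that LockoutStatus.exe performs can also be scripted, which is useful when you want to poll repeatedly or record the output. The following PowerShell is an added example written for this article, not code from the tool or from Microsoft. It assumes the RSAT ActiveDirectory module is installed on the management host, that the running account can read user objects, and that 'jdoe' is a placeholder sAMAccountName.

```powershell
# Added example (not the article's or Microsoft's code): reproduce the LockoutStatus.exe view
# by asking every Domain Controller directly for its own copy of the lockout attributes.
# Assumes RSAT ActiveDirectory module; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Get-LockoutStatusPerDC {
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    # badPwdCount and badPasswordTime are NOT replicated between DCs; each DC keeps its
    # own value, which is why the tool (and this function) must query every DC one by one.
    $props = 'badPwdCount', 'badPasswordTime', 'lockoutTime', 'LockedOut'

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties $props -ErrorAction Stop
            [pscustomobject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                BadPwdCount      = $u.badPwdCount
                # Attributes are stored as FILETIME large integers; 0 means "never".
                LastBadPwd       = if ($u.badPasswordTime) { [datetime]::FromFileTime($u.badPasswordTime) } else { $null }
                LockoutTime      = if ($u.lockoutTime)     { [datetime]::FromFileTime($u.lockoutTime) }     else { $null }
                LockedOut        = $u.LockedOut
            }
        }
        catch {
            # An unreachable DC must not hide the results from the other DCs: record it and move on.
            [pscustomobject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                BadPwdCount      = $null
                LastBadPwd       = $null
                LockoutTime      = $null
                LockedOut        = "ERROR: $($_.Exception.Message)"
            }
        }
    }
}

# The DC with the most recent bad password (top row after sorting) is the one to investigate.
$status = Get-LockoutStatusPerDC -SamAccountName 'jdoe' | Sort-Object LastBadPwd -Descending
$status | Format-Table -AutoSize

# Equivalent of the tool's right-click "Unlock": clear the lockout domain-wide via the PDC emulator.
# $pdc = (Get-ADDomain).PDCEmulator
# Unlock-ADAccount -Identity 'jdoe' -Server $pdc
```

Run the function a second time a minute later and compare the BadPwdCount column: a rising value on one DC is the scripted equivalent of watching the count climb in the GUI, and points to a process that is still retrying the old credential.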
My recommendations
Use a Management Server and never install these tools directly on a Domain Controller if you can avoid it. Keep your DCs clean and run your troubleshooting utilities from a dedicated management workstation or a jump host.
Get used to working with Event Logs and use the AD Lockout Tool as a support tool. LockoutStatus.exe tells you which Domain Controller is involved, but it doesn’t tell you the source IP address. Once you identify the DC using the tool, go to that specific DC and look for Event ID 4740 in the Security log. That event will provide the “Caller Computer Name,” which is the final piece of the puzzle. To start learning about Event Logs you can use my guide located here.
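To pull the 4740 events from the identified DC and extract the Caller Computer Name without clicking through Event Viewer, the following PowerShell can be used. It is an added example written for this article, not code from the tool or from Microsoft; it assumes the running account has Event Log Readers rights on the DC and that remote event log access is permitted, and 'DC01' and 'jdoe' are placeholders.

```powershell
# Added example (not the article's code): read Event ID 4740 from the DC that
# LockoutStatus.exe pointed at and extract the "Caller Computer Name" field.
# Assumes Event Log Readers rights and remote event log access; 'DC01'/'jdoe' are placeholders.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [string]$SamAccountName,          # optional: restrict to one locked-out account
        [int]$Hours = 24
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the event XML instead of the localized
            # message text. In a 4740 event the field named TargetDomainName carries the
            # caller (source) computer name and TargetUserName the locked-out account.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated        = $_.TimeCreated
                DomainController   = $DomainController
                LockedAccount      = $data['TargetUserName']
                CallerComputerName = $data['TargetDomainName']
                LockedBySubject    = $data['SubjectUserName']   # normally the DC's own computer account
            }
        } |
        Where-Object { -not $SamAccountName -or $_.LockedAccount -eq $SamAccountName }
}

# Group by source so one misbehaving machine (stale mapped drive, service, mobile device)
# stands out even when it has locked the account many times.
Get-LockoutSource -DomainController 'DC01' -SamAccountName 'jdoe' -Hours 48 |
    Group-Object CallerComputerName |
    Select-Object Name, Count, @{n='LastSeen'; e={ ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated }} |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Two practical notes: every lockout is also forwarded to the PDC emulator, so running the function against that DC gives a domain-wide list in one query; and an empty or unexpected Caller Computer Name usually means the bad password arrived through an intermediary (for example a web front end or a RADIUS server), in which case the next hop is that system’s own logs.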
While these legacy tools are excellent, you should proactively move toward modern monitoring. Set up alerts for account lockouts in your SIEM or use Azure Monitor to catch these patterns before the user even calls the helpdesk.
Conclusion
The Account Lockout and Management Tools remain an essential part of the IT System Engineer’s toolkit. They provide a level of immediate clarity that the standard management consoles lack. By identifying the specific Domain Controller involved in a lockout, you reduce troubleshooting time and get your users back to work faster.
There are multiple third-party tools that do the same job, but this is a free-of-charge, simple, and effective GUI tool. It also comes directly from Microsoft, so it can be used on systems with a high security level.
If you have any questions please don’t hesitate to reach out to me on LinkedIn, Bluesky or check my newly created Adaptive Cloud community on Reddit.
LinkedIn: https://www.linkedin.com/in/andreas-hartig/
Bluesky: https://bsky.app/profile/hartiga.de
Adaptive Cloud community on Reddit: https://www.reddit.com/r/AdaptiveCloud/