Finding the source of a locked AD account from the Event Viewer log on a domain controller

It’s actually really simple, but you’ll need administrator access on the domain controller in order to read the Security event log, so you might have to consult your senior sysadmins.

Event Viewer doesn’t seem to filter or sort by username, though, so if you’re managing a huge enterprise with thousands of users this could be a bit tedious. Then again, if that’s the case you presumably already have better tools for the job.

Anyway, all invalid login attempts are logged as event ID 4776 (Credential Validation).

  1. Open Event Viewer and connect to the domain controller
  2. Go to Windows Logs -> Security
  3. Click Filter Current Log... in the right-hand Actions menu
  4. Enter 4776 into the input field that says <All Event IDs>
  5. Browse through the invalid login attempts until you find the one that belongs to your user, then look in the description text field for the line that says “Source Workstation:    hostname”
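The clicking in step 5 is what gets tedious on a big domain, so here is the same lookup done from PowerShell. This is an added example, not part of the original post: it reads the 4776 events from the Security log, keeps only the failed validations for one account, and counts them per source workstation. The user name 'jdoe', the DC name 'DC01' and the time window are placeholder values; the script assumes you already have rights to read the Security log, exactly as step 1 requires.

```powershell
# Added example (not from the original post): summarise failed 4776 credential
# validations for one account by source workstation. Placeholders: 'jdoe', 'DC01'.
param(
    [string]$User = 'jdoe',
    [string]$DomainController = 'DC01',
    [int]$Hours = 24
)

# 4776 carries an NTSTATUS in its Error Code field; 0x0 is a successful validation,
# anything else is a failure. The most common values, for readability:
$statusText = @{
    '0x0'        = 'success'
    '0xc000006a' = 'bad password'
    '0xc0000234' = 'account locked out'
    '0xc0000064' = 'no such user'
    '0xc0000072' = 'account disabled'
}

# Same filter as "Filter Current Log..." in Event Viewer, plus a time window so the
# query does not walk the whole log on a busy DC.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4776
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction Stop

$events |
  ForEach-Object {
      # Read the named EventData fields from the event XML rather than scraping the
      # localized message text; the names are those of 4776's EventData section.
      $xml  = [xml]$_.ToXml()
      $data = @{}
      foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
      $status = "$($data['Status'])".ToLower()
      [pscustomobject]@{
          Time        = $_.TimeCreated
          Account     = $data['TargetUserName']
          Workstation = $data['Workstation']
          Status      = $status
          Meaning     = if ($statusText.ContainsKey($status)) { $statusText[$status] } else { 'other failure' }
      }
  } |
  Where-Object { $_.Account -eq $User -and $_.Status -ne '0x0' } |
  Group-Object Workstation |
  ForEach-Object {
      $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
      [pscustomobject]@{
          Workstation = $_.Name
          Failures    = $_.Count
          LastFailure = $latest.Time
          LastStatus  = $latest.Meaning
      }
  } |
  Sort-Object Failures -Descending |
  Format-Table -AutoSize
```

The workstation at the top of the table with a string of "bad password" entries right before an "account locked out" entry is normally the one holding a stale credential (a mapped drive, scheduled task or saved RDP session). One caveat worth knowing: 4776 covers NTLM validation only; Kerberos pre-authentication failures land in event 4771, and the lockout itself is recorded as event 4740 on the PDC emulator, whose "Caller Computer Name" field gives the same answer without the counting.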

List members of AD group

Example

Open the PowerShell shell (pun intended) on your domain controller and run the following command:
Get-ADGroupMember 'groupname'

This will list all members of the ‘groupname’ group in your shell. Or pipe it into a text file instead:
Get-ADGroupMember 'groupname' > list.txt

We don’t need those unnecessary columns though, so let’s list just the Name column and nothing else:
Get-ADGroupMember 'groupname' | select name > list.txt
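The one-liner above stops at the first level of membership, so a user who is in 'groupname' via a nested group is not listed. As an added example (not part of the original post), this variant follows nested groups with the cmdlet's -Recursive switch, looks up each resulting user so you can see whether the account is still enabled and when it last logged on, and writes the result to a CSV instead of a bare text file. 'groupname' and the output file name are placeholders; it assumes the ActiveDirectory module (RSAT) is installed, as the original command does.

```powershell
# Added example (not from the original post): export the effective user membership
# of an AD group, including members inherited through nested groups.
# Placeholders: 'groupname' and the output path.
Import-Module ActiveDirectory

$group   = 'groupname'
$outFile = "$group-members.csv"

# -Recursive expands nested groups and returns the leaf objects (users, computers,
# service accounts) rather than the intermediate groups.
Get-ADGroupMember -Identity $group -Recursive |
  Where-Object objectClass -eq 'user' |
  # Get-ADGroupMember returns bare principals; look each user up for the extra
  # attributes. Enabled is returned by default, LastLogonDate must be requested.
  Get-ADUser -Properties LastLogonDate |
  Select-Object Name, SamAccountName, Enabled, LastLogonDate |
  Sort-Object Name |
  Export-Csv -Path $outFile -NoTypeInformation

Write-Host "Wrote effective membership of '$group' to $outFile"
```

Reviewing the Enabled and LastLogonDate columns is the quickest way to spot disabled or dormant accounts that still sit in a privileged group; those are the rows to clean up first. Note that -Recursive only includes groups from the current domain and stops at a few thousand members by default, so for very large groups the module's Get-ADGroup -Properties Members route or an LDAP query is the better tool, as the post already hints.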

Troubleshooting

Run the shell as admin…