Tip: Sometimes, you can see events 4740 (lockout) with caller computer name blank :
For this post, I copied the netlogon log (%windir%\debug\netlogon.log) to my test workstation (C:\Logs )
|
1 2 3 4 5 6 7 8 |
# Enable netlogon verbose logging on Domain Controller nltest /DBFlag:2080FFFF # Search entries with the username "jsmith" Select-String -Path C:\Logs\netlogon.log -Pattern 'jsmith' # Disable netlogon verbose logging on Domain Controller nltest /DBFlag:0x0 |
The issue was that this user changed his password but he left a session (Terminal Server) on a server using his old password.
Terminating the session resolved the issue.
