When too many failed login attempts occur, the account used in those attempts gets locked out. By default, after 5 bad password attempts the domain account will be locked out by the Active Directory server. To get to the bottom of why the account is being locked out, here are a few tips and tricks you can try.
Which domain controller has PDC Emulator Role
Running the following PowerShell cmdlet will identify which domain controller holds the PDC Emulator role:
(Get-AdDomain).pdcemulator
Where is the account getting locked out
Once you find which domain controller has the PDC Emulator role, open the Event Viewer on that server and look for all events that have the ID “4740” in the Security log.
Then double-click the event to open it, and you will see on which machine the account was locked out.
Once identified, you can unlock the account to re-enable the user.
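The same lookup can be scripted instead of clicked through in Event Viewer. The following is an added example, not part of the original post; it assumes the ActiveDirectory module is installed and that you have rights to read the Security log on the domain controller, and the account name `jdoe` is a placeholder.

```powershell
# Added example: list recent lockout events (ID 4740) for one account from the PDC emulator.
# Assumes the ActiveDirectory module (RSAT) and permission to read the DC's Security log.
Import-Module ActiveDirectory

$account = 'jdoe'   # placeholder sAMAccountName; replace with the locked-out user
$pdc     = (Get-ADDomain).PDCEmulator

# Limit the search to the last 7 days to keep the query fast on a busy DC
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-7) }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Read the named EventData fields from the event XML rather than by position
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $account) { continue }

    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        Account        = $data['TargetUserName']
        # In event 4740 the "Caller Computer Name" is stored in the TargetDomainName field
        CallerComputer = $data['TargetDomainName']
        LoggedOn       = $e.MachineName
    }
}

if ($lockouts) {
    $lockouts | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
} else {
    Write-Output "No 4740 events for '$account' on $pdc in the last 7 days."
}

# Once the source of the bad passwords on the caller computer is fixed:
# Unlock-ADAccount -Identity $account
```

An empty CallerComputer value means the event did not record a caller computer name, so the source has to be traced another way.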
The Account Lockout tool
Microsoft has a free portable tool called Account Lockout tool that is quite useful for identifying why and when a specified account is locked out.
Run the tool on a domain controller, specify the account ID and it will take care of the rest.