Tracking down Active Directory Lockouts
One thing that is really difficult is figuring out the cause of lockouts in your environment. It is very common to find the machine causing lockouts, but not the application. This tip helped me a lot in the past.
On the affected machine, run the following command. This will create a debug log for you in %windir%\debug\netlogon.log:
nltest /dbflag:0x2080ffff
The logs can be quite verbose, though, so to turn the logging off again, run the command below:
nltest /dbflag:0x0
It can sometimes still be difficult, but you are much more likely to find the culprit in those logs than by trying to guess.
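One way to cut through the verbosity once the log exists: the PowerShell below is an added example, not part of the original post. It pulls out the logon attempts that returned the wrong-password and locked-out NTSTATUS codes and counts them per account and source. The log line layout, the sample lines and the function name Get-NetlogonFailure are assumptions made for illustration.

```powershell
# Constructed sample lines in the layout this example assumes for netlogon.log.
$sample = @'
02/14 10:21:33 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WKS01 (via SRV01) Entered
02/14 10:21:33 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WKS01 (via SRV01) Returns 0xC000006A
02/14 10:21:40 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WKS01 (via SRV01) Returns 0xC000006A
02/14 10:21:52 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WKS01 (via SRV01) Returns 0xC0000234
02/14 10:22:05 [LOGON] [1234] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\adoe from WKS07 (via SRV01) Returns 0x0
'@ -split "`r?`n"

# NTSTATUS values that matter when chasing a lockout.
$status = @{
    '0xC000006A' = 'wrong password'      # STATUS_WRONG_PASSWORD
    '0xC0000234' = 'account locked out'  # STATUS_ACCOUNT_LOCKED_OUT
}

# Hypothetical helper: returns one object per failed logon line.
function Get-NetlogonFailure {
    param([string[]]$Line)
    $pattern = '^(?<time>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*logon of ' +
               '(?<account>\S+) from (?<source>\S+).*Returns (?<code>0x[0-9A-Fa-f]+)\s*$'
    foreach ($l in $Line) {
        # Skip "Entered" lines and successful (0x0) returns.
        if ($l -match $pattern -and $status.ContainsKey($Matches.code)) {
            [pscustomobject]@{
                Time    = $Matches.time
                Account = $Matches.account
                Source  = $Matches.source
                Code    = $Matches.code
                Meaning = $status[$Matches.code]
            }
        }
    }
}

# For the real log, replace $sample with:
#   Get-Content "$env:windir\debug\netlogon.log"
Get-NetlogonFailure -Line $sample |
    Group-Object Account, Source, Meaning |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

The timestamps of the matching lines can then be compared with what was running on the machine at those times.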