When an account lockout occurs, you can unlock it but it will lock again if you don’t resolve the cause. We investigate the best account lockout analyzers.
Here is our list of the best account lockout analyzers:
- ManageEngine ADAudit Plus – EDITOR’S CHOICE: This security bundle specializes in logging user activity to look for insider threats and account takeovers. Failed logins and lockouts are part of this tool’s specialization. Runs on Windows Server, AWS, and Azure. Start a 30-day free trial.
- Netwrix Account Lockout Examiner: Gather data on a lockout that occurred for a specified account. Runs on Windows.
- Microsoft Account Lockout and Management Tools: A bundle of free utilities that implement investigations into a lockout on a given user account. Runs on Windows and Windows Server.
- Quest Enterprise Reporter for Active Directory: This tool offers a menu of AD scans, producing reports on issues such as lockouts. Runs on Windows Server.
- SolarWinds Access Rights Manager: A front end to manage multiple Active Directory instances that includes alerts and analysis for lockouts. Runs on Windows Server.
- Lepide Active Directory Account Lockout Tool: A free scanner that discovers locked accounts and information on possible reasons, plus an unlock method. Available for Windows Server.
- CJWDEV AD Info: This package provides a menu of reports with results that can be shown in the interface or written to file. Available in free and paid versions. Runs on Windows.
A lockout will occur if a synching process fails, leaving one application expecting an old password. A user, not knowing of the problem, will use the new password repeatedly, resulting in excessive failed attempts and a locked account.
It can be relatively simple to discover a locked account and make it available again. However, without information on why the account is locked, the problem will happen again. Although a lack of coordination between operating units of an access rights manager is the most frequent cause of lockouts, there could be other reasons. Account lockout tools identify which instances have issues.
These tools represent a good range of systems, from AD management and user tracking packages through to free tools for quick investigations.
The Best Account Lockout Analyzers
Methodology for selecting the best Active Directory reporting tool for your business
You can get account lockout analysis from a range of tools. We identified some important features to consider when selecting tools for inclusion on this list:
- A reporting tool for Active Directory investigations
- Extracts from Event Logs for lockout causes
- Options to scan all of an AD organizational unit (OU)
- A scanner that can search across domains
- Options to run reports on demand or on a schedule
- Facilities to store data to analyze activity patterns
- Value for money from a competent account lockout scanner or a handy free tool
Our list includes Active Directory management tools, domain scanners, and investigative utilities that focus on one nominated account.
1. ManageEngine ADAudit Plus – FREE TRIAL
ManageEngine ADAudit Plus is designed to detect insider threats and account takeovers. As the “AD” in the tool’s name suggests, this package is based on data held in Active Directory. It records incidents, such as failed login attempts, and also continuously scans for account lockouts. While tracking activity for security purposes, this tool is also useful for assisting genuine users with account access problems.
Key Features:
- Continuous scanning of Active Directory: Will alert immediately when an account gets locked
- Failed login tracking: Could possibly provide immediate reasons for the lockout
- Log scanning: Lists all the events recently occurring on a locked account
- Activity pattern analysis: Examine patterns of lockouts across accounts and over time
- Automated responses: Set up scripts to implement mitigating actions automatically
Why do we recommend it?
ManageEngine ADAudit Plus is a security package, and the issue of account lockouts can sometimes be an automated system response to a password cracking attempt. In order to block the possibility of intruders trying numerous passwords to try to get into an account, Active Directory places a limit on the number of attempts that can be made. This locks the account when the limit is reached. Information on any such event will explain a lockout.
I found that this system is the most sophisticated account lockout analysis tool on this list. The system will detect a lockout, and so you won’t need to wait for a user to report a problem before the account can be investigated. An alert mechanism can be managed to automatically write out logs and you can also attach scripts to an alert condition to get an account unlocked.
Who is it recommended for?
This is a useful package for any size or type of business that uses Active Directory as an access rights manager. There is a Free edition available, but that won’t query logs, which is an essential function, and so small businesses should consider opting for the Standard edition instead.
Pros:
- Extensive security features: Includes insider threat detection, account takeover analysis, and file integrity monitoring
- Activity logging: Records the actions that could have caused the lockout
- Compliance reporting: For HIPAA, PCI DSS, SOX, GDPR, GLBA, FISMA, and ISO 27001
- Account takeover assessment: The lockout could be a security measure
- Run on premises or on the cloud: Available for Windows Server, AWS, and Azure
Cons:
- Doesn’t track replication errors: A password error could be due to incomplete synching
The ADAudit Plus software package is available in three editions: Free, Standard, starting at $595 per year, and Professional, starting at $945 per year. It is compatible with Windows Server, AWS, and Azure. ManageEngine provides a 30-day free trial for the Standard edition.
EDITOR'S CHOICE
ManageEngine ADAudit Plus is our top pick for an account lockout analyzer because this tool is constantly active, monitoring all user activity including login events. The benefit of this security monitoring is that one of the major causes of account lockouts – failed logins – has already been documented before you even find out about the problem. The system will raise an alert when a lockout happens, so you can deal with the issue before the users get in touch. The service is able to automate logging, reporting, and remediation. It has many other monitoring capabilities, such as file integrity monitoring and insider threat detection. The tool will automatically generate documentation for compliance reporting. This package is well-supported by ManageEngine and is regularly updated to keep pace with emerging threats.
Download: Access a 30-day FREE Trial
Official Site: https://www.manageengine.com/products/active-directory-audit/sem/lp/windows-ad-user-account-keeps-getting-locked-out.html
OS: Windows Server, AWS, and Azure
2. Netwrix Account Lockout Examiner
Netwrix Account Lockout Examiner is a useful tool to have on the computer in case of an account lockout. You give this utility an account name and it will investigate where the account is locked. It will also scan through Event logs to extract relevant information on the problematic account. This is a free tool, so it costs you nothing to download it and keep it available.
Key Features:
- Scans across domains: Looks at the status of the same account in different DCs
- Time-based reports: Provide a date range
- Lists locations where the account has problems: Identifies each lockout on an account
- Examines event log: Shows details of each lockout
Why do we recommend it?
Netwrix Account Lockout Examiner provides an analysis of a user account that is known to be experiencing problems. The service isn’t able to scan an OU for locked accounts – you have to give it an account to look at. The tool will look through all the domains that you operate and report on the status of the given account in each location.
I noted that this is a free tool and it is provided by a respected brand. So, it is a good offer. However, you would need to know that an account is in trouble before you can use it. You don’t get an automated ARM-wide scanner to proactively identify locked accounts.
Who is it recommended for?
Anyone would benefit from downloading this tool. The only problem with the utility is that it won’t detect lockouts, so you will rely on complaints by users to find out about a lockout. Nonetheless, this tool will help with quick investigations once an account is known to have problems.
Pros:
- System-wide analysis: Shows each location where the account is not working
- Investigates a specific account: Provides details of any lockout
- Downloadable software: Installs on Windows
- A free tool: There is no paid version
Cons:
- No version for Linux or macOS: Not available on the cloud
The Netwrix Account Lockout Examiner is permanently free to use and is only available for Windows. You can download the tool for free.
3. Microsoft Account Lockout and Management Tools
Microsoft Account Lockout and Management Tools is a free package of tools and its advantage is that it is provided by the makers of Active Directory. The tool has a number of disadvantages, though, which is the reason it didn’t make our top spot. The software hasn’t been updated since 2019 and it is split across several utilities. However, the package is free to use, so it will appeal to many cash-strapped administrators.
Key Features:
- A package of tools: All units are packed into a single installer
- Searches across DCs: Looks in all instances for a given account
- Provides Event Log extracts: Displays events related to a lockout
Why do we recommend it?
Microsoft Account Lockout and Management Tools is a free set of tools that enables an investigation into a given account. It will show all the locations where the account is locked. The utility pack also enables research into the reason for the lockout.
I learned that, as with the Netwrix utility, you need to know that an account is locked before launching this utility and you need to give it the name of the account. In fact, this utility provides exactly the same functionality as the Netwrix system, only spread over a number of utilities. This means you have to open several interfaces in order to investigate a locked account.
Who is it recommended for?
This is a great tool for investigating an account that you already know has a problem. It will show whether the account is actually marked for lockout and if it isn’t, you will need to do some more digging. This on-premises bundle of utilities is similar to the Netwrix tool, which is able to perform the same function within a single interface.
Pros:
- Supplied by Microsoft: A reliable brand
- Available for Windows: It can reach across the network and the internet to other platforms
- Free to use: Permanently free – there is no paid version
Cons:
- Spread across several utilities: Other free tools on this list perform the same function within one interface
The Account Lockout and Management Tools bundle is permanently free to use and installs on Windows. You can download the tool for free.
4. Quest Enterprise Reporter for Active Directory
Quest Enterprise Reporter for Active Directory provides investigations into different aspects of AD records through a reporting mechanism. The package is suitable for companies that run multiple instances of Active Directory, including Entra ID (Azure AD) on the cloud. The menu of pre-written reports includes a scan for account lockouts.
Key Features:
- A menu of pre-written reports: A long list of AD scan options
- Scans cloud instances as well as on-premises AD: For Active Directory and Entra ID
- Time-based comparisons: Take two snapshots and compare them
Why do we recommend it?
Quest Enterprise Reporter for Active Directory is an analysis tool for Active Directory that takes the form of a reporting system. The account lockout report is one of the reports available in this menu. This is an on-premises package but it is able to include cloud-based Active Directory instances in its searches.
I discovered that the Quest Enterprise Reporter package is available to analyze a number of different systems other than Active Directory. It scans through Microsoft products, such as Microsoft 365, Exchange Server, Windows Server, OneDrive for Business, SQL Server, and Windows file servers. Effectively, these tools provide on-demand analysis of system statuses.
Who is it recommended for?
This system is a paid tool but it has an advantage over the free systems that we have already looked at in this list because it is able to scan across OUs and discover locked accounts. It is able to spot issues such as the same account name with different passwords in different DCs, which will lead to lockouts. So, it can spot lockouts and their causes before the users complain.
Pros:
- Identifies the causes of lockouts: Can spot problems that will lead to lockouts
- Scheduled reports: Reports can also be run on demand
- On-premises software: Runs on Windows Server
Cons:
- No live monitoring: Problems will only be discovered when a report runs
To get the price for Quest Enterprise Reporter, contact Sales. The software is a package for Windows Server and is available for a 30-day free trial.
5. SolarWinds Access Rights Manager
SolarWinds Access Rights Manager gives you an administrator console for Active Directory management. Active Directory doesn’t offer a dashboard as good as this. As well as enabling the exploration of records, mass uploads, and bulk updates, the tool includes a reporting module and an alerting mechanism. Both the reports and the alerts can be used to highlight account lockouts and their causes.
Key Features:
- A management interface for Active Directory: Fronts for multiple AD instances
- Cross-platform monitoring: Manages Entra ID instances on the cloud as well as on-premises Active Directory
- An account unlocking function: A point-and-click action
Why do we recommend it?
SolarWinds Access Rights Manager is a better management console for Active Directory than the native screens that come with the access rights manager. The service includes alerts for lockouts and they can also be set up for the causes of lockouts, such as failed replication and failed login attempts.
The Access Rights Manager monitors AD constantly and it provides reports that can be run on demand or on a schedule.
Who is it recommended for?
This package is suitable for larger organizations. SolarWinds doesn’t offer a free edition for small businesses, and there is no subscription option. You have to buy the software on a perpetual license and it is only available for Windows Server.
Pros:
- Records failed login attempts: These will get the account locked automatically
- Notes failed replication events: This can cause lockouts
- Alerts on account lockouts: Shows which account is locked in which DCs
Cons:
- Not a SaaS package: Only available as an on-premises software package
Access Rights Manager pricing starts at $2,083. The software runs on Windows Server and is available for a 30-day free trial.
6. Lepide Active Directory Account Lockout Tool
Lepide Active Directory Account Lockout Tool is similar to Netwrix Account Lockout Examiner. This tool will scan all DCs for lockouts on a given account.
Key Features:
- Examine the status of a specific account: Scans across domains
- Highlights problems: Only lists instances where the account is locked
- Adds Event Log extracts: Provides background for a lockout
Why do we recommend it?
Lepide Active Directory Account Lockout Tool is a free utility that looks through all AD instances for a given account. If the account is locked in an instance, that location is listed in the report output. The tool will show results in the interface and can then write them to a file.
I noticed that an account might not be locked everywhere, so the tool will only show instances where problems exist. An unlock button in the interface enables manual mitigation.
Who is it recommended for?
This is a free tool that is identical to the Netwrix Account Lockout Examiner. You won’t need both, but you can download the two tools for free and assess them side by side to see which you prefer.
Pros:
- Easy to unlock an account: Use the unlock button in the utility’s interface
- View lockout data in the utility: Optionally, save details to file
- A free tool: There is no paid version
Cons:
- Only investigates a given account: The tool doesn’t scan the entire DC for lockouts
Lepide Active Directory Account Lockout Tool is free to use. The software is available for Windows Server and can be downloaded for free.
7. CJWDEV AD Info
CJWDEV AD Info provides a Free edition that implements DC-wide scans. This reporting package is able to detect account lockouts and also the circumstances that cause them. Reports can be run on-demand or on a schedule.
Key Features:
- On-demand and scheduled reports: Provides status scans
- Data viewer: Show reports in the dashboard
- Flexible reports: Check a box for each attribute that you want to see
Why do we recommend it?
CJWDEV AD Info can complement the free Netwrix and Lepide tools. This tool provides a report that scans a DC for locked accounts. You can then use that information to launch Lepide or Netwrix to examine one of the discovered problem accounts.
I found that this tool doesn’t scan AD for live monitoring. It runs searches on demand as part of a reporting function. However, you can set up reports to run on a schedule, which will enable you to discover lockouts.
Who is it recommended for?
Both the free and paid versions of AD Info are useful for administrative investigations. Set up key reports to run on a schedule to reveal problems in the operations of your Active Directory instances.
Pros:
- Free version: Includes the reporting module
- Login analysis: Lists failed logins
- On-premises software package: Runs on Windows
Cons:
- Scans one DC at a time: Won’t search across DCs
CJWDEV AD Info offers several pricing options: Free edition at $0, Single User License at $59, Consultant License at $99, Site License at $195, Enterprise License at $395, and Unlimited Consultant License at $435. The software runs on Windows, and you can download the free edition.