Hi I downloaded the free version of Netwrix account lockout examiner in order to troubleshoot few users account that are always locked out. I tried to look for the workstation but the workstation gave me that blank answer. Is there anyone can help me to show which machine caused the user account locked out? I meant enabled the feature on the software.
Account lockout examiner gets the workstation from the 4740 event ID on the domain controller which processed the lockout ( If we show workstation as blank then that means that the event ID has a blank workstation. However if you pull up that event on the DC then it may have an IP address associated with the device. If I had to guess it is a non microsoft windows device and that is why windows doesn't have a workstation name.
The software gets data based on the actual security log of DCs. If there is no data there, it cannot automatically find the source.
You can of course point it to specific machine manually to examine it, as you most likely did with the user`s workstation, but if no data present in logs this can only be done manually.
As mentioned you can check if there 4740 events on your DC related to the account has some information inside.
Also you can try searching authentication events like 4771 or 4776 related to the account.
It can be different things. Check if the user has a device logged on to a wireless network ( check logs on radius server). Old devices that they use at home with WIFI are another.