The Account Lockout Analyzers

Account lockout is a security feature of most access rights management systems. The usual reason for a lockout is that the user got the credentials wrong too many times in a row. It happens to all of us. However, one standard technique that hackers use to steal credentials is to cycle through a series of character combinations until the real password is found.

Here is our list of the best account lockout analyzers:

  1. ManageEngine ADAudit Plus EDITOR’S CHOICE Detects, assesses and remediates account lockouts in Active Directory automatically. This package also provides file protection and user behavior tracking. Available for Windows Server, AWS, and Azure. Get a 30-day free trial.
  2. Quest Enterprise Reporter for Active Directory This system provides assessment reports for Active Directory and Entra ID (Azure AD). Runs on Windows Server.
  3. SolarWinds Access Rights Manager An Active Directory management package that provides assessment scans for issues such as account lockouts. Runs on Windows Server.
  4. Netwrix Account Lockout Examiner This free tool identifies the cause of each lockout. Runs on Windows.
  5. Lepide Active Directory Account Lockout Tool This specialized utility discovers locked accounts, assesses the causes, and unlocks them. This utility is available for Windows Server and is free forever.
  6. CJWDEV AD Info An auditing and reporting tool that will list all locked accounts and other AD problems. Runs on Windows Server.

Without account lockouts, credentials would be easy to crack through brute force attacks, which are automated and cycle through possible values very quickly. So, it might be that the user didn’t cause the lockout – a hacker has attempted to crack the password. It is essential to identify when and where lockouts occur and whether the action was caused by user error or an intruder. This is why it is important to get an automated monitoring tool that can spot lockouts and look into why they happened.
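The basic discovery task described above, locating the accounts that are currently locked and finding out where each lockout came from, can be done from the directory itself. The following PowerShell script is an added example and is not code from the article or from any of the vendors reviewed here. It assumes the RSAT ActiveDirectory module is installed and that the caller can read the Security log on the PDC emulator, which is the domain controller that records the lockout event (ID 4740) for every account in the domain.

```powershell
# Added example (not from the article or any vendor): list locked-out AD accounts
# and attribute each lockout to the caller computer recorded in Security event 4740.
# Assumes the RSAT ActiveDirectory module and read access to the PDC emulator's
# Security log. Event 4740 is written on the PDC emulator, so that is the DC to query.
Import-Module ActiveDirectory

function Get-LockoutReport {
    param([int]$Hours = 24)

    $pdc = (Get-ADDomain).PDCEmulator

    # 1. Accounts currently flagged as locked in the directory
    $locked = Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut

    # 2. Lockout events (4740) from the PDC emulator for the chosen window
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        # In event 4740 the locked account is TargetUserName and the originating
        # host ("Caller Computer Name" in the event viewer) is stored in TargetDomainName.
        $user   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        $caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $user
            CallerComputer = $caller
            StillLocked    = [bool]($locked | Where-Object SamAccountName -eq $user)
        }
    }
}

# Usage: lockouts from the last 24 hours, most recent first, then a count per source.
# Many lockouts from one caller computer in a short window point to an automated
# source (or a stale stored credential on that host) rather than a forgetful user.
$report = Get-LockoutReport -Hours 24
$report | Sort-Object Time -Descending | Format-Table -AutoSize
$report | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Name, Count
```

The script answers the two questions the paragraph raises, when and where, but not the third, whether it was user error or an intruder; that needs the failed-logon events that preceded the lockout, which the lockout event itself does not carry.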

The best account lockout analyzers

Our methodology for selecting an account lockout analyzer for Active Directory 

We reviewed the market for Active Directory account lockout analyzers and analyzed the tools based on the following criteria:

  • A scanner that can search through Active Directory records
  • A directed system that can analyze a given user account
  • An auditing utility that can be run on demand or regularly on a schedule
  • Investigative tools to identify the reason that an account has been locked
  • Remediation automation and reporting options
  • A free trial or a demo package that lets you assess the software before paying
  • Value for money from an account lockout analysis tool that is offered at a suitable price or offered for free

With these criteria in mind, we looked for systems that at least identify locked accounts so that you can deal with the issues that caused that condition before the users notice. In these financially challenging times, we looked for the best deals for each company size.

1. ManageEngine ADAudit Plus (FREE TRIAL)

ManageEngine ADAudit Plus Alerts

ManageEngine ADAudit Plus is a security monitoring package that implements insider threat protection, account takeover detection, and file integrity monitoring. Part of the remit of this package includes the security of records in Active Directory. Analysis of account lockouts is included as part of the AD security management functions of the package.

Key Features:

  • Active Directory scanning: Lists locked accounts
  • Alerts for lockouts: Draws attention to issues that need to be dealt with quickly
  • Lists recent events per account: Shows why an account was locked
  • Automated remediation: Immediately unlock the account under given conditions
  • Account analysis: Identify patterns in the accounts that got locked

Why do we recommend it?

ManageEngine ADAudit Plus isn’t just limited to monitoring Active Directory. It uses the user account and permissions records in AD to secure files and track user behavior. However, that protection is useless if the contents of AD get corrupted, so the package also implements change tracking and event analysis within Active Directory.

The Active Directory analysis functions in this package have three benefits:

  • Detection of account takeover attempts
  • Maintenance of account integrity
  • Planning for improved user account security

The system also implements user behavior tracking, which identifies insider threats. You also get protection for important files and directories. The scrutiny of files and directories will only be applied to those entities that you register for protection.

Analysis isn’t limited to account lockout records. The tool provides a range of analytical reports that assess activities and events. File integrity monitoring extends to Active Directory domain controllers and enables changes to be attributed to an individual. Changes can also be reversed.

Who is it recommended for?

There are three editions of ADAudit Plus, and one of these is the Free plan. Unfortunately, the account lockout analysis function of the platform isn’t included with that edition and it isn’t available in the first paid plan, which is called the Standard edition. You have to buy the top plan, called the Professional edition, to get the account lockout analyzer.

Pros:

  • Protection for Active Directory records: Changes can be undone
  • Covers cloud-based Active Directory: Protects Entra ID (Azure AD) as well as on-premises Active Directory
  • File integrity monitoring: Register files and folders for protection
  • A range of analytical reports: Support for manual analysis
  • Alerts for unusual behavior: Attention is drawn to potentially damaging acts

Cons:

  • No SaaS option: The package can be run on cloud platforms but on your own account

ManageEngine ADAudit Plus is a software package for Windows Server, AWS, and Azure. You can get a 30-day free trial of the Professional edition, which includes the account lockout analysis service.

EDITOR'S CHOICE

ManageEngine ADAudit Plus provides much more than just an account lockout analyzer. It protects files against damage or deletion and it tracks user behavior to identify insider threats. The account lockout analyzer is part of the suite of analytical services in the package that look for evidence of account takeover. ADAudit Plus also provides protection for Active Directory records. You can use this package for compliance reporting according to the requirements of GDPR, GLBA, ISO 27001, FISMA, PCI DSS, SOX, and HIPAA. The package can be used to examine user accounts held in Entra ID (Azure AD) as well as in on-premises Active Directory.

Official Site: https://www.manageengine.com/products/active-directory-audit/sem/lp/windows-ad-user-account-keeps-getting-locked-out.html

2. Quest Enterprise Reporter for Active Directory

Quest Enterprise Reporter for Active Directory

Quest Enterprise Reporter for Active Directory provides a list of Active Directory analysis reports and it will scan Entra ID (Azure AD) on the cloud as well as on-premises instances of Active Directory. This service is part of the Enterprise Reporter Suite, which includes units to audit SQL Server, Windows Server, Exchange Server, and NAS and SAN storage systems.

Key Features:

  • Active Directory scanning: Also audits Entra ID (Azure AD)
  • Security logging: Records changes to AD records
  • Identifies administrators: Names the account involved in an AD data change
  • Migration tracking: Compares records before and after an update

Why do we recommend it?

Quest Enterprise Reporter for Active Directory is a security scanning package with a range of assessment units that are formatted as reports. In effect, each report, in researching its specific topic, is auditing records in Active Directory. The reporting tool provides launch options so that reports can be run manually or on a schedule.

This system aims to document Active Directory rather than fix its problems. The idea is that once problems such as account lockouts have been revealed by reports, the technician will use other tools to investigate the reasons for these issues and address them.

Who is it recommended for?

This package is able to report on many attributes for Active Directory, Entra ID, and on-premises and cloud-based Microsoft systems, such as Microsoft 365. Therefore, the businesses that would benefit the most from this package would be those that use Microsoft products extensively. Reports extend to the examination of replication and migration, so it covers the statuses of AD administration tasks as well as account and permission records.

Pros:

  • Migration reporting: Reveals statuses from replication and migration
  • Analyzes multiple products: The full Enterprise Reporter Suite scans many Microsoft products
  • Clarifies permissions: Run reports on different permission levels
  • SIEM support: Generate logs to feed into SIEM tools

Cons:

  • Reporting only: No controls to fix discovered problems

Quest doesn’t provide a price list for the Enterprise Reporter Suite. The software for Enterprise Reporter for Active Directory installs on Windows Server and you can examine it with a 30-day free trial.

3. SolarWinds Access Rights Manager

SolarWinds Access Rights Manager Logbook

SolarWinds Access Rights Manager is a very comprehensive Active Directory management service with analysis and reporting features. The package includes two important features that are relevant to account lockout analysis. These are the AD Logga, which records all actions in Active Directory, and the Logbook, which stores and displays all of those events.

Key Features:

  • Records all login attempts: Creates a log of failed logins
  • Identifies the location of each login: Shows if access attempts are illogically located
  • Alerting mechanism: Set up an alert if a lockout occurs

Why do we recommend it?

SolarWinds Access Rights Manager is a large package of Active Directory management tools, but right now, we are just looking at those features that assist account lockout analysis. The package is able to show all the events that caused a lockout because it records every login attempt.

By looking at the login attempts that caused the lockout, an administrator can deduce whether those failed logins were caused by a forgetful user or by hackers. For example, by looking at the actual location of the user at the time of those attempts, you can match it to the AD record for that user.

Who is it recommended for?

The SolarWinds package is extensive and is a lot more than just a lockout analyzer. So, buyers of this tool would be administrators who are looking for a full AD management suite rather than someone who just wants a standalone lockout analyzer. The software for this package runs on Windows Server.

Pros:

  • Manages AD for multiple products: Looks after accounts for Microsoft products
  • Monitors hybrid systems: Reports on Entra ID (Azure AD) as well as Active Directory on-premises
  • Analyzes Microsoft accounts: Accesses AD for other systems, such as Exchange Server

Cons:

  • No SaaS version: Only available for Windows Server

SolarWinds offers a subscription rate and a perpetual license price for the Access Rights Manager, so you have purchase options. You can assess this system by getting a 30-day free trial.

4. Netwrix Account Lockout Examiner

Netwrix Account Lockout Examiner

Netwrix Account Lockout Examiner is a highly appreciated free tool and you will find a number of AD help sites recommend it for examining account lockouts. This tool will just look at one account at a time, so you will need some other package to discover which accounts need to be investigated, or just wait for the locked-out user to get in touch.

Key Features:

  • Examines a given account: Provides details of events up to the lockout
  • Date range options: Limit reporting on an account to a number of days of activity
  • Operates across domains: Looks at multiple AD instances

Why do we recommend it?

Netwrix Account Lockout Examiner produces a list of the recent events on an account that triggered a lockout. You just get the connection activity for a single account for a limited recent period. This is an advantage in that you just get relevant information for your current problem.

The problem might be caused by synching errors or old passwords in different instances that haven’t been updated and disrupt coordination between domain controllers. Other reasons can be that the user entered a password incorrectly too many times, or that access was attempted from a remote location with the wrong password.
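Telling those causes apart comes down to the failed-logon events that each domain controller recorded for the account before the lock was applied. The PowerShell script below is an added example, not code from the article or from Netwrix, and it does for one account what the paragraph describes: it pulls the failed Kerberos pre-authentication (4771), NTLM validation (4776) and failed logon (4625) events for a chosen account from every DC over a date range, groups them by source, and compares the count and spacing against the domain's lockout threshold and observation window. It assumes the RSAT ActiveDirectory module and Security-log read access on the DCs; the account name 'jdoe' in the usage line is a placeholder.

```powershell
# Added example (not from the article or Netwrix): reconstruct the failed-logon
# events that preceded one account's lockout, across every DC, for a date range.
# Assumes the RSAT ActiveDirectory module and Security-log read access on the DCs.
Import-Module ActiveDirectory

function Get-AccountLockoutTimeline {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$Days = 3
    )
    $since  = (Get-Date).AddDays(-$Days)
    $policy = Get-ADDefaultDomainPasswordPolicy
    $dcs    = (Get-ADDomainController -Filter *).HostName

    $rows = foreach ($dc in $dcs) {
        # 4771 = Kerberos pre-auth failed, 4776 = NTLM validation, 4625 = logon failed
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776, 4625; StartTime = $since
        } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $d = @{}
            foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d['TargetUserName'] -ne $SamAccountName) { continue }
            # The source field differs by event: 4771 carries IpAddress, 4776 carries
            # Workstation, 4625 carries both WorkstationName and IpAddress.
            $source = switch ($e.Id) {
                4771 { $d['IpAddress'] }
                4776 { $d['Workstation'] }
                4625 { "$($d['WorkstationName']) $($d['IpAddress'])" }
            }
            [pscustomobject]@{
                Time = $e.TimeCreated; DC = $dc; EventId = $e.Id
                Source = $source; Status = $d['Status']
            }
        }
    }

    $rows = $rows | Sort-Object Time
    # Per-source summary: how many failures, how tightly spaced, and whether that
    # alone would trip the domain policy. A threshold of 0 means lockout is disabled.
    $summary = $rows | Group-Object Source | ForEach-Object {
        $first = $_.Group[0].Time; $last = $_.Group[-1].Time
        [pscustomobject]@{
            Source   = $_.Name
            Attempts = $_.Count
            Window   = $last - $first
            # A burst from one source that exceeds the threshold inside the observation
            # window looks automated; a few failures spread over minutes looks like a typo;
            # failures from a host the user is not at suggests a stale stored credential.
            ExceedsThreshold = ($policy.LockoutThreshold -gt 0) -and
                               ($_.Count -ge $policy.LockoutThreshold) -and
                               (($last - $first) -le $policy.LockoutObservationWindow)
        }
    }
    [pscustomobject]@{ Events = $rows; Summary = $summary; Policy = $policy }
}

# Usage ('jdoe' is a placeholder account name)
$r = Get-AccountLockoutTimeline -SamAccountName 'jdoe' -Days 3
$r.Summary | Format-Table -AutoSize
$r.Events  | Format-Table Time, DC, EventId, Source, Status -AutoSize
```

Querying every DC matters because the failed attempts are logged on whichever DC handled them, while only the PDC emulator sees the lockout itself; the Status field is left raw so that the distinction between a bad password and an expired or disabled account is visible in the output.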

Who is it recommended for?

This is a great tool for an administrator to have on hand. The tool is an investigative utility, so you need to already know that an account has problems. It won’t provide alerts for new lockouts and it won’t give you a report on all the accounts that are currently locked.

Pros:

  • Investigative tool: Looks into a known problem
  • Multiple domains: Get the tool to connect to a remote AD instance
  • On-premises tool: Runs on Windows

Cons:

  • No proactive warnings: Doesn’t notify you when a lockout occurs

This tool is a handy utility rather than an AD management facility. It mines event logs for AD events related to a specific account, so you can only look into one lockout at a time. You will still need a security scanning tool and an AD management system. Download Netwrix Account Lockout Examiner for free.

5. Lepide Active Directory Account Lockout Tool

Lepide Active Directory Account Lockout Tool

Lepide Active Directory Account Lockout Tool is another free service and, like the Netwrix free tool, you will see recommendations for it from existing users on message boards, such as Reddit. This package has more facilities than the Netwrix system because it will scan a domain controller and list all locked out accounts. You can then work through the list to explore the details of each problem account.

Key Features:

  • AD scans for locked accounts: Run on demand or on a schedule
  • Lockout alerts: Get notified when an account gets locked
  • Endpoint scans: Looks for locally cached credentials that could be out of date

Why do we recommend it?

Lepide Active Directory Account Lockout Tool is a really comprehensive Active Directory management package that has a lot of functions around the issue of locked accounts. The package includes scans for lists of locked accounts and live alerts for a new lockout. The tool also looks for causes, such as locally cached credentials and it provides opportunities to reset passwords and clear locks.

This system lets you examine each of the accounts that a scan reveals is locked. The facilities include a list of recent events and issues that could have triggered the lockout. After dealing with these issues, the administrator can clear the lock and reactivate the account. The tool is able to connect to remote AD instances for analysis and resolution.

Who is it recommended for?

This is a really useful tool that provides discovery, investigative tools, and remediation measures. You can also set up live alerts to get notified of each new lockout as it occurs. All of this is offered for zero payment, so any company that uses Active Directory will like this tool.

Pros:

  • Administrator tool: Unlocks accounts and resets passwords
  • Logs activity: Useful for compliance reporting
  • A reputable brand: This tool is used by large organizations, including those in the healthcare sector

Cons:

  • No SaaS option: Only available as a free on-premises software package

This Lepide tool is a free package and it runs on Windows or Windows Server. You can download the system for free.

6. CJWDEV AD Info

CJWDEV AD Info

CJWDEV AD Info accesses a given Active Directory domain controller and displays all of its contents. The interface provides a search and filter utility, which lets you build a report to explore records. Any of the attributes of a user account can be searched on, so you can gather a list of accounts that are locked.

Key Features:

  • An investigative tool: Lets you scroll through AD records and perform analysis
  • Searches for locked accounts: Search the DC for all lockouts
  • Research support: Mine an account’s records for lockout causes

Why do we recommend it?

CJWDEV AD Info is a data investigation tool that specializes in running queries and presenting the results in the utility’s data viewer as a report. It doesn’t unify records from multiple DCs – you would have to search each individually. However, a lockout is applied within a DC, so the domain-by-domain approach of this tool is still a great help.

The interface for the tool is a little like a spreadsheet or a database table viewer. You can decide which columns to show in records and then print out the display or export it to a CSV file for analysis elsewhere. The package comes with pre-written report formats, and the paid version lets you create your own. The free edition isn’t able to export results.

Who is it recommended for?

The Free edition of this package is pretty comprehensive and you would probably only be interested in upgrading to the full system if you need to export data for use in other analytical tools. The paid edition is available in a range of perpetual license options that are reasonably priced.

Pros:

  • Free edition available: Almost as good as the full package
  • AD Account Reset Tool: A companion utility that can also be used for free
  • Easy to use: You don’t need any programming skills to create custom reports

Cons:

  • On-device system: Will only access AD on the same host

CJWDEV produces a number of AD management tools and other handy tools. You can download most of them for free. The AD Account Reset Tool is a particularly useful free addition to the AD Info package because it provides the option to unlock an account. Other features of that utility include the ability to reset a password.

The software for AD Info will run on Windows but it needs to be on the same host as your AD instance, so you should install it on Windows Server. Download AD Info for free.