
How to Track Users With Bad Password Attempts in Active Directory

Frequent bad password attempts are a common cause of account lockouts. While they may result from simple user forgetfulness, they can also signal an attacker attempting to infiltrate your environment. Therefore, it is essential for administrators to track these failed attempts in Active Directory. This guide explains how to find users with bad password attempts in AD to strengthen security oversight and detect suspicious login activity.

Find Users with Bad Password Attempts in Active Directory

Active Directory permission required: Account Operators (least privilege) or Administrators (most privilege).
  • Open the Active Directory Users and Computers console, then right-click Saved Queries in the left pane and select New»Query.
  • Enter a name and an optional description for the saved query. Make sure to select the Include subcontainers check box and click Define Query.
  • Select Custom Search from the Find drop-down menu. Then, switch to the Advanced tab and enter the following LDAP query to list all users with bad password attempts in Active Directory.
    (&(objectClass=user)(objectCategory=person)(badPwdCount>=1))
  • Click OK to save the query, then click OK again to close the configuration window.
  • Next, select the created query under ‘Saved Queries’ to view all Active Directory users with bad password attempts in the right pane.

Get All Users with Bad Password Attempts Using PowerShell

Active Directory permission required: Domain User (least privilege) or Administrators (most privilege).
Although the above method identifies users with bad password attempts, it does not display the last attempt time or the exact count needed for further investigation. PowerShell can be used to automate tracking these details for every user.
  • If you're working on a non-domain-controller machine, ensure that the Active Directory PowerShell module is installed and imported on your computer.
     Import-Module ActiveDirectory
  • Then, execute the cmdlet below to list Active Directory users who entered incorrect credentials, along with details such as username, bad password attempt count, last attempt time, and locked-out status.
     Get-ADUser -Filter * -Properties BadPwdCount, LastBadPasswordAttempt, LockedOut, AccountLockoutTime |
         Where-Object { $_.BadPwdCount -ge 1 } |
         Select-Object Name, BadPwdCount, LastBadPasswordAttempt, LockedOut, AccountLockoutTime
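One caveat a practitioner will want to know about: badPwdCount and lastBadPasswordAttempt are not replicated between domain controllers, so a single Get-ADUser call only reports the counter held by the DC that answered the query. The script below is an added example (not code from the article or from AdminDroid) that queries every DC in the domain and keeps, per user, the highest count and the most recent attempt seen anywhere. It assumes the ActiveDirectory module is available and that each DC is reachable over LDAP; the output columns are names chosen for this example.

```powershell
# Added example: aggregate non-replicated bad-password counters across all DCs.
# Assumes: ActiveDirectory module imported, LDAP reachability to every DC.
# Reading these attributes needs only ordinary domain-user rights.
Import-Module ActiveDirectory

$dcs     = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$perUser = @{}

foreach ($dc in $dcs) {
    try {
        # Ask each DC directly (-Server) so we see ITS copy of the counter.
        $users = Get-ADUser -Server $dc -Filter 'badPwdCount -ge 1' `
                     -Properties badPwdCount, LastBadPasswordAttempt, LockedOut, AccountLockoutTime
    } catch {
        Write-Warning "Could not query $dc : $($_.Exception.Message)"
        continue
    }

    foreach ($u in $users) {
        $key = $u.SamAccountName
        if (-not $perUser.ContainsKey($key)) {
            $perUser[$key] = [pscustomobject]@{
                User                   = $key
                BadPwdCount            = 0
                LastBadPasswordAttempt = $null
                LockedOut              = $false
                ReportingDC            = @()
            }
        }
        $entry = $perUser[$key]

        # Keep the largest counter reported by any DC ...
        if ($u.badPwdCount -gt $entry.BadPwdCount) { $entry.BadPwdCount = $u.badPwdCount }

        # ... and the most recent attempt timestamp.
        if ($u.LastBadPasswordAttempt -and
            (-not $entry.LastBadPasswordAttempt -or
             $u.LastBadPasswordAttempt -gt $entry.LastBadPasswordAttempt)) {
            $entry.LastBadPasswordAttempt = $u.LastBadPasswordAttempt
        }

        # lockoutTime IS replicated, so any DC saying "locked" is authoritative.
        if ($u.LockedOut) { $entry.LockedOut = $true }
        $entry.ReportingDC += $dc
    }
}

$perUser.Values |
    Sort-Object BadPwdCount -Descending |
    Select-Object User, BadPwdCount, LastBadPasswordAttempt, LockedOut,
        @{ Name = 'SeenOnDCs'; Expression = { $_.ReportingDC -join ', ' } } |
    Format-Table -AutoSize
```

The SeenOnDCs column is useful during investigation: a user whose failures show up on several DCs is being tried from more than one site or through more than one path, which is a different picture from a single workstation retrying a cached password against its nearest DC.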

Effortlessly Track Bad Password Attempts to Boost Active Directory Threat Detection

AdminDroid’s Active Directory reporting tool offers deep insights into bad password attempts, account lockouts, password changes, and more. With these granular reports, you can quickly spot brute-force attacks, unauthorized access, and misconfigured accounts to secure Active Directory and reduce potential security breaches.

Track Daily Failed Logons Due to Bad Password Attempts in AD

Review the daily failed logon summary in Active Directory due to bad password attempts to quickly identify potential password attack attempts, such as brute force attacks, password spraying, etc.

Identify All Locked-Out Active Directory Users To Restore Access

List all locked-out users due to repeated password failures in Active Directory to help administrators quickly identify and restore access with minimal disruption.

Prevent Account Compromise by Initiating Password Resets in AD

Effortlessly reset AD user passwords using AdminDroid after detecting multiple failed password attempts to quickly recover potentially compromised accounts.

Track Password Change or Reset Failures to Spot Unauthorized Attempts

Detect failed password change or reset attempts to identify unauthorized users trying to modify passwords in Active Directory.

Set Password Expiry Notifications For Users to Encourage Timely Updates

Deliver proactive password expiry reminders to alert users ahead of time and prevent failed logins from outdated cached credentials.

Track Active Directory Password Changers to Mitigate Credential Risks

Monitor users’ recent password changes with details like password expiry, last set date, and more to gain insights into password update patterns and promote stronger credential management.

In conclusion, the AdminDroid Active Directory management tool helps administrators enhance account security by offering features like password updates, policy enforcement, and other essential user management actions.

Explore a full range of reporting options

Important tips

Enforce strong password policies in your Active Directory environment, with length and complexity requirements, to make user passwords harder to guess.

Use fine-grained password policies (Password Settings Objects) to apply custom password and account lockout settings to high-risk or privileged accounts.

Disable outdated authentication protocols like NTLM and LDAP simple bind to reduce exposure to brute-force and credential-stuffing attacks.
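The fine-grained policy tip above can be carried out entirely from PowerShell. The following is an added example, not part of the article: it creates a Password Settings Object that is stricter than the default domain policy, binds it to a group of privileged accounts, and then checks which policy actually wins for one member. The PSO name, the group name and the user name are placeholders for your environment; the cmdlets used are the standard ones in the ActiveDirectory module and require Domain Admins rights.

```powershell
# Added example: a stricter PSO for privileged accounts.
# Placeholders: 'PSO-PrivilegedAccounts', group 'Tier0-Admins', user 'admin.placeholder'.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $params = @{
        Name                            = $psoName
        Precedence                      = 10        # lower number wins when several PSOs apply to a user
        MinPasswordLength               = 15
        ComplexityEnabled               = $true
        PasswordHistoryCount            = 24
        LockoutThreshold                = 5         # tighter than the 10 recommended for ordinary users
        LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
        LockoutDuration                 = (New-TimeSpan -Minutes 30)
        ProtectedFromAccidentalDeletion = $true
    }
    New-ADFineGrainedPasswordPolicy @params
}

# PSOs are applied to users or global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Tier0-Admins'

# Resultant policy for one member. If nothing is returned, no PSO applies and
# the default domain policy (Get-ADDefaultDomainPasswordPolicy) is in force.
Get-ADUserResultantPasswordPolicy -Identity 'admin.placeholder' |
    Select-Object Name, Precedence, LockoutThreshold, LockoutDuration, MinPasswordLength
```

Because a PSO overrides the domain-level lockout settings for its subjects, the Group Policy and Set-ADDefaultDomainPasswordPolicy values discussed later in this article no longer describe what those accounts experience; always confirm with Get-ADUserResultantPasswordPolicy when troubleshooting a lockout on a privileged account.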

Common Errors and Resolution Steps

The following are possible errors that may occur while monitoring bad password attempts in Active Directory.

Error: Import-Module: The specified module ‘ActiveDirectory’ was not loaded because no valid module file was found in any module directory.

This error occurs when you try to import the Active Directory module on a domain-joined computer on which the module has not been installed.

Fix: Install the Active Directory module before importing it, using the cmdlet below that matches your system type.
# For Windows Server
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

# For Windows client OS (Windows 10/11)
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Error: Get-ADComputer: The term 'Get-ADComputer' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs when the Get-ADComputer cmdlet is executed without first importing the Active Directory module.

Fix: Import the Active Directory module using the cmdlet below.
Import-Module ActiveDirectory

Error: Get-ADComputer: Cannot find an object with identity: '<ComputerName>' under: ' <DomainDistinguishedName> '.

This error occurs when you run the Get-ADComputer cmdlet with a computer name that does not exist in Active Directory or is misspelled.

Fix: Verify that the computer name is correct and exists in Active Directory using the cmdlet below.
Get-ADComputer -Filter * | Select-Object Name

Error: Set-ADDefaultDomainPasswordPolicy: Cannot find an object with identity: '<DomainName>' under: ' <DomainDistinguishedName> '.

This error occurs when you attempt to modify the default domain password policy with the Set-ADDefaultDomainPasswordPolicy cmdlet but provide an incorrect domain name.

Fix: Provide the correct domain name to the Set-ADDefaultDomainPasswordPolicy cmdlet. You can get the domain name using the cmdlet below.
(Get-ADDomain).DNSRoot

Error: The query filter “<Query>” is not a valid query string.

This issue appears when an incorrect LDAP filter is used to search for users with bad password attempts in ADUC.

Fix: Make sure the query filter is correctly formatted, without typing or spacing errors, as shown below.
(&(objectClass=user)(objectCategory=person)(badPwdCount>=1))

Error: The Event Log query specified is invalid.

This error occurs when you filter the event log manually in Event Viewer with an invalid XPath expression in the XML tab.

Fix: Enter a valid query in the XML tab using proper XPath syntax.

Error: Set-ADDefaultDomainPasswordPolicy: The requested operation did not satisfy one or more constraints associated with the class of the object.

This error occurs when the account lockout threshold is set to a value above the allowed limit.

Fix: Use an account lockout threshold in the range 1 to 999 when updating or setting the threshold.

Frequently Asked Questions

Monitor Bad Password Attempts in Active Directory to Secure User Accounts

1. How to audit the users with bad password attempts of all Active Directory users?

In Active Directory, users may repeatedly fail to log in due to incorrect passwords, and these attempts are recorded by the domain controller. Simply tracking affected users is not enough; auditing exact failed logon events is crucial. Detailed event logs help admins investigate primary causes like incorrect passwords, forgotten passwords, potential attacks, and more. This enables quick action to secure accounts and maintain a safe environment.

Monitor the bad password attempts of Active Directory users in the Event Viewer

  • Open the Event Viewer from the Start menu and navigate to Windows Logs»Security.
  • Then, select Filter Current Log from the Actions pane and switch to the XML tab.
  • Tick the Edit query manually checkbox at the bottom to edit the filter as XML. Note that once you do this, the Filter tab is no longer available.
  • Now, paste the XML query given below and click OK to view all Active Directory failed logon attempts caused by bad passwords. These are filtered by Event ID 4625 and sub-status code 0xC000006A. (In a 4625 event the Status field for any credential failure is 0xC000006D; it is the SubStatus field that separates a wrong password, 0xC000006A, from a non-existent account, 0xC0000064, so the filter must test SubStatus.)
    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">
          *[System[(EventID=4625)]] and
          *[EventData[Data[@Name='SubStatus']='0xC000006A']]
        </Select>
      </Query>
    </QueryList>

Now, from the list of login failures due to bad password attempts, click on an event to investigate details such as the account name, logged time, logon type, and more.

Audit bad password attempts in Active Directory using PowerShell

While Event Viewer helps check bad password attempts on a single machine, it becomes time-consuming across multiple DCs. To overcome this limitation, PowerShell offers a faster, scalable way to retrieve these logs.

Run the script below once from any domain-joined machine with the Active Directory module; it queries each domain controller in turn. This matters because a failed logon is recorded only in the Security log of the DC that processed it, and those events are not replicated, so a single DC never has the complete picture.

# Collects 4625 (failed logon) events from every DC and keeps only those with
# sub-status 0xC000006A (wrong password). Requires remote event log access
# (RPC) to each DC. The Properties[] indexes follow the 4625 EventData order:
#   5 = TargetUserName, 9 = SubStatus, 13 = WorkstationName, 19 = IpAddress.
$results = foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='Security'; ID=4625} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[9].Value -eq "0xC000006A" } |
    Select-Object TimeCreated,
        @{Name='User';      Expression = { $_.Properties[5].Value } },
        @{Name='Source';    Expression = { $_.Properties[13].Value } },   # workstation that sent the logon
        @{Name='SourceIP';  Expression = { $_.Properties[19].Value } },
        @{Name='DC';        Expression = { $_.MachineName } }             # DC that logged the event, not the source
}
$results

Easily identify bad password login failures with AdminDroid in just a few clicks!

  • With the invalid login attempts report, you can filter all login failures due to bad password attempts using the Failure Sub Status filter.
  • It also includes details such as logon time, logon username, event ID, failure reason, failure sub status, and more.

2. How to change the Active Directory bad password attempts threshold?

Sometimes users get locked out of their Active Directory accounts after just a few incorrect password attempts, which often happens when passwords are forgotten. This can happen when the account lockout threshold is set too low. However, a threshold that is too high may open the door for attackers, so admins need to balance security and usability by adjusting it in Group Policy.

Set bad password threshold in Active Directory with GPMC

  • Open the Group Policy Management Console (GPMC).
  • In the left pane, expand your Forest, then expand Domains and select your domain.
  • Next, right-click Default Domain Policy and choose Edit to open Group Policy Management Editor.
  • Then, navigate to Computer Configuration»Policies»Windows Settings»Security Settings»Account Policies»Account Lockout Policy.
  • Now, double-click the Account lockout threshold, set the number of failed attempts, and then click OK and Apply.
  • By default, the threshold is 0 invalid attempts, so accounts are not locked out unless configured. So, you can apply values from 1 to 999. Microsoft recommends configuring the threshold as 10 and the duration to 15 minutes for preventing brute-force attacks.
  • Finally, run gpupdate /force to immediately apply the policy.

Note: The default domain policy applies these settings to all computers in the domain. To target specific computers with different policies, you can create separate GPOs and link them to the respective OUs.

Modify account lockout threshold with Active Directory PowerShell

PowerShell offers a quicker way to set the account lockout threshold without navigating through GPMC by directly accessing the GPO.

  • Run this cmdlet after replacing <ThresholdValue> with your limit and <DomainName> with your domain name to change the bad password attempt threshold in the default domain policy.
    Set-ADDefaultDomainPasswordPolicy -Identity "<DomainName>" -LockoutThreshold "<ThresholdValue>"
  • To verify the current account lockout threshold value, you can execute the cmdlet below.
    Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow
    

Note: You can set values above 999 (up to 65,535) using PowerShell, but a threshold of 10 attempts is recommended for balanced security and user experience.

3. How to monitor the bad password count for computers in Active Directory?

A computer in Active Directory can cause account lockouts due to misconfigured services, malware, or incorrect passwords. An increasing bad password count often signals issues like synchronization delays, cached credentials, or replication problems.

These issues should not be ignored, as they can compromise network security and impact overall system performance. As an admin, you need to monitor the bad password count for a computer to quickly resolve these types of problems and strengthen Active Directory security.

Monitor the bad password count for the computer in ADUC

  • First, open the Active Directory Users and Computers console, then right-click Saved Queries and choose New»Query.
  • Enter the name and an optional description. Tick the Include subcontainers checkbox, and click Define Query.
  • Select Custom Search from the Find drop-down menu. Then, switch to the Advanced tab and enter the following LDAP query to display all computers with bad password attempts in Active Directory.
    (&(objectCategory=computer)(badpwdCount>=1))
  • Click OK to save the query, then select the created query to list all computers with bad password attempts.

Track the bad password count for the computer using PowerShell

Run the following cmdlet after replacing the <ComputerName> with the actual computer name to get its bad password count.

Get-ADComputer -Identity <ComputerName> -Properties badPwdCount | Select-Object Name, badPwdCount


To list all computers with bad password attempts, you can use the following cmdlet.

Get-ADComputer -Filter {badPwdCount -ge 1} -Properties badPwdCount | Select-Object Name, badPwdCount


4. How to differentiate between a user mistyping a password and a potential attack?

Imagine an employee repeatedly fails to log in to their account. Some attempts happen because of mistyped passwords, while others may indicate a brute-force or targeted attack. IT admins must examine the source, time, and frequency of failed logons to identify the cause. Accurate analysis helps protect accounts without causing unnecessary disruptions in your organization.

The following table summarizes key factors to differentiate between simple user errors and potential attacks for helping admins quickly identify suspicious activity in Active Directory.

[Table image: differences between a user mistyping a password and a potential attack]
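The three factors named above (source, time and frequency) can be turned into a first-pass triage rule. The function below is an added example, not part of the article or of AdminDroid: it groups bad-password events by source address and, within a time window, flags many attempts against one account as a possible brute force and attempts against many different accounts as a possible password spray; anything else is treated as probable user error. The thresholds are illustrative, and the $events list is constructed sample data in the same shape as the fields of a 4625 event (time, target user, source IP).

```powershell
# Added example: triage bad-password events by source, time and frequency.
# Thresholds are illustrative placeholders; tune them to your environment.
function Get-BadPasswordAssessment {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # objects with TimeCreated, User, SourceIP
        [int] $WindowMinutes      = 30,
        [int] $BruteForceAttempts = 10,              # attempts on ONE account from one source
        [int] $SprayAccounts      = 5                # DISTINCT accounts tried from one source
    )
    $window = New-TimeSpan -Minutes $WindowMinutes

    foreach ($bySource in ($Events | Group-Object SourceIP)) {
        $sorted        = $bySource.Group | Sort-Object TimeCreated
        $first         = $sorted[0].TimeCreated
        $last          = $sorted[-1].TimeCreated
        $inWindow      = ($last - $first) -le $window
        $distinctUsers = ($sorted | Select-Object -ExpandProperty User -Unique).Count
        $maxPerUser    = ($sorted | Group-Object User | Measure-Object Count -Maximum).Maximum

        # Spray is checked first: a sprayer also makes few attempts per account,
        # which would otherwise look like harmless user error.
        $verdict = if ($inWindow -and $distinctUsers -ge $SprayAccounts) { 'Possible password spray' }
                   elseif ($inWindow -and $maxPerUser -ge $BruteForceAttempts) { 'Possible brute force' }
                   else { 'Likely user error' }

        [pscustomobject]@{
            SourceIP             = $bySource.Name
            Attempts             = $sorted.Count
            DistinctUsers        = $distinctUsers
            MaxAttemptsOnOneUser = [int]$maxPerUser
            SpanMinutes          = [math]::Round(($last - $first).TotalMinutes, 1)
            Verdict              = $verdict
        }
    }
}

# Constructed sample events (placeholders, not real log data).
$base   = Get-Date '2024-01-15 09:00:00'
$events = @(
    # One user slips twice from their own workstation.
    [pscustomobject]@{ TimeCreated = $base;                User = 'alice'; SourceIP = '10.0.1.20' }
    [pscustomobject]@{ TimeCreated = $base.AddSeconds(20); User = 'alice'; SourceIP = '10.0.1.20' }
)
# Twelve rapid attempts against a single service account from one host.
1..12 | ForEach-Object {
    $events += [pscustomobject]@{ TimeCreated = $base.AddSeconds($_); User = 'svc-backup'; SourceIP = '10.0.9.77' }
}
# One attempt each against six different accounts from one host.
'bob', 'carol', 'dave', 'erin', 'frank', 'grace' | ForEach-Object {
    $events += [pscustomobject]@{ TimeCreated = $base.AddSeconds(5); User = $_; SourceIP = '10.0.9.78' }
}

Get-BadPasswordAssessment -Events $events | Format-Table -AutoSize
```

In production the $events list would come from the 4625 collection described earlier in this FAQ, with the source workstation or IP taken from the event's WorkstationName or IpAddress field. Two refinements are worth adding once the basic rule works: compare the source against the workstation the user normally logs on from, and exclude sources that belong to known service hosts whose stale credentials are a configuration problem rather than an attack.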
