Investigate the Cause of User Lockouts on Windows Devices

There is always a reason for an account lockout, but the root cause is not always obvious. To diagnose the source of an end-user lockout accurately, you often need to investigate at several levels: the JumpCloud agent logs, the local OS event logs, and Directory Insights data.

An account lockout notification email is sent to the administrator and to the user when a lockout is triggered for the end user. The administrator's copy includes the locked username and whether the lockout originated from the portal or from a device.

Tip:

Administrators can also customize the Account Lockout email sent to users; see Customize Email Templates.

The JumpCloud agent log (jcagent.log, plus any rotated jcagent.log.prev* files) records failed system logins detected at the OS level, including the associated processes. Always collect and examine this log first.

Windows event log data from the device lets you correlate those login failures with the failed logon events the OS recorded, and identify the processes and sources that reported them.

Directory Insights data shows any failed login attempts by the end user, whether from the User Portal or from the endpoint the user is trying to access.

Note:

Directory Insights is included in some of our package plans. See JumpCloud Pricing for information on our package plans. To enable Directory Insights for your account, current customers can contact us at [email protected].

Gathering Required Information For Investigation

JumpCloud Agent Log Information

Collect jcagent.log and, if present, the rotated jcagent.log.prev* files.

To collect the log from the JumpCloud Admin Console:

  1. Log in to the Admin Portal: https://console.jumpcloud.com/login.
  2. Go to DEVICE MANAGEMENT > Devices, and select the Devices tab.
  3. Select the impacted device from the devices list.
  4. Select the Details tab and click the Get agent log button to download the jcagent.log to your device.

Note:
  • This does not pull jcagent.log.prev* files if they exist on the device.
  • The Get agent log button returns at most 1MB of log data. If that 1MB does not contain the relevant time window, an administrator must pull the log files manually.

To collect the log files from the device manually:

  1. On the Windows device, open File Explorer.
  2. Go to C:\Windows\Temp and make a copy of the jcagent.log* files.

Windows Event Log Information

To gather and export the Windows Security Event Log:

  1. Click the Windows Start menu, type Event Viewer, and select Event Viewer from the top of the results.
  2. In the left pane of Event Viewer, expand Windows Logs and select Security.
  3. With Security selected, open the Action menu at the top and choose Save All Events As…
  4. In the save dialog, select the *.evtx format. The file can only be opened on Windows, but it preserves the full event data and is easier to review than the text or CSV exports.
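The manual agent-log collection and the Security-log export above can be done from one elevated PowerShell session, which also lets you filter the failed logons for the locked-out user instead of reading the whole log. The following script is an added example, not JumpCloud's own tooling: it copies the jcagent.log* files, exports the Security log to .evtx with wevtutil (the same result as Save All Events As…), and then lists failed logon (Event ID 4625) and account lockout (Event ID 4740) events for the user, with the calling process, logon type and NTSTATUS reason that 4625 carries. The username, look-back window and evidence folder are illustrative values; the `fail|lock` search pattern applied to the agent log is an assumption, since the page does not document the agent log format.

```powershell
# Added example: collect lockout evidence on the affected Windows device and
# summarize failed logons for one user. Run elevated (Security log access).
param(
    [string]$User     = 'jdoe',      # locked-out username from the lockout email (illustrative)
    [int]$Hours       = 24,          # look-back window (illustrative)
    [string]$Evidence = "$env:USERPROFILE\Desktop\lockout-$env:COMPUTERNAME"
)

New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. JumpCloud agent logs: jcagent.log and every rotated jcagent.log.prev* file.
Copy-Item -Path 'C:\Windows\Temp\jcagent.log*' -Destination $Evidence -Force

# Quick scan of the agent log; the pattern is a broad assumption, not a documented format.
Get-ChildItem "$Evidence\jcagent.log*" | Select-String -Pattern 'fail|lock' |
    Select-Object -Last 50 | Format-Table Filename, LineNumber, Line -AutoSize

# 2. Full Security log as .evtx, for Support and for offline review in Event Viewer.
wevtutil epl Security "$Evidence\Security.evtx" /ow:true

# 3. Failed logons (4625) and lockouts (4740) in the window.
$start  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4740; StartTime = $start } `
    -ErrorAction SilentlyContinue

# Well-known NTSTATUS sub-status codes reported in 4625.
$subStatus = @{
    '0xc000006a' = 'wrong password'
    '0xc0000234' = 'account locked out'
    '0xc0000064' = 'user name does not exist'
    '0xc0000072' = 'account disabled'
    '0xc000006f' = 'outside permitted logon hours'
    '0xc0000071' = 'password expired'
}
# Well-known logon types; 2/7/11 are console or unlock, 3/10 come over the network.
$logonType = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
                '7' = 'Unlock'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive' }

# Read an EventData field by name from the event XML (robust to field order).
function Get-EventField([xml]$Xml, [string]$Name) {
    ($Xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    if ((Get-EventField $x 'TargetUserName') -ne $User) { continue }
    if ($e.Id -eq 4625) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Event       = 'FailedLogon'
            LogonType   = $logonType["$(Get-EventField $x 'LogonType')"]
            Reason      = $subStatus["$(Get-EventField $x 'SubStatus')".ToLower()]
            Process     = Get-EventField $x 'ProcessName'      # caller process, '-' if none
            Source      = Get-EventField $x 'IpAddress'
            Workstation = Get-EventField $x 'WorkstationName'
        }
    } else {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Event       = 'Lockout'
            LogonType   = ''
            Reason      = ''
            Process     = ''
            Source      = Get-EventField $x 'TargetDomainName'  # 4740: caller computer name
            Workstation = ''
        }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
$rows | Export-Csv -Path "$Evidence\logon-failures-$User.csv" -NoTypeInformation

# Repeated failures from a single process or source (a service, scheduled task,
# mapped drive or stale RDP session) are the usual cause of a lockout.
$rows | Where-Object Event -eq 'FailedLogon' |
    Group-Object Process, Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Save the script as a .ps1 file and run it in an elevated session on the impacted device; the evidence folder then contains everything the manual steps above would have produced, plus a CSV of the filtered failures. Note that 4740 is written on the computer that holds the account, so for a JumpCloud-managed local account it appears on the device itself, while a domain account's 4740 lands on the domain controller.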

Directory Insights Information 

An export of Directory Insights data can also be sent to Support, but it can be challenging to review. Whenever possible, narrow the time frame to the lockouts the end user experienced, and include a screenshot of the collected log events.

When exporting Directory Insights data, make sure the time frame is wide enough to capture any related failed login events or other end-user actions that could be informative. Support may ask you to collect additional data with a wider scope if events may be missing from the output you provided.

Recommended filter settings for the export:

  • Service: select All, to capture both System and User Portal login attempts (the "user_login_attempt" events).
  • Event Types: All also works, but you can simply select the login attempt and lockout event types.
  • User: set to the affected user, to narrow the data under review.
  • Device: initially leave as All, in case the end user is bound to multiple machines and failed logins exist on more than one device.
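The same scoped query can be run against the Directory Insights API, which avoids hand-filtering a large console export and lets you summarize failed attempts per device before sending anything to Support. The script below is an added example, not JumpCloud's own tooling. It assumes the Directory Insights events endpoint (POST https://api.jumpcloud.com/insights/directory/v1/events) authenticated with an x-api-key header, request fields service, start_time, end_time, limit and search_term, and event fields event_type, success, timestamp, service, client_ip, message, initiated_by.username and system.hostname; verify those names against the Directory Insights API reference for your account. The username and time window are illustrative.

```powershell
# Added example: query Directory Insights for one user's login attempts and
# lockout events across all services, then summarize failures per device.
# Field and endpoint names are assumptions to verify against the API reference.
param(
    [string]$ApiKey  = $env:JC_API_KEY,            # Admin API key from the environment, never hard-coded
    [string]$User    = 'jdoe',                     # affected user (illustrative)
    [datetime]$Start = (Get-Date).AddDays(-1),     # narrow to the lockout window (illustrative)
    [datetime]$End   = (Get-Date)
)

if (-not $ApiKey) { throw 'Set JC_API_KEY to a JumpCloud Admin API key before running.' }

$iso = 'yyyy-MM-ddTHH:mm:ssZ'
$body = @{
    service     = @('all')                          # Service = All: System and User Portal attempts
    start_time  = $Start.ToUniversalTime().ToString($iso)
    end_time    = $End.ToUniversalTime().ToString($iso)
    limit       = 1000
    # User filter only; Device is deliberately left unfiltered so every bound machine is covered.
    search_term = @{ and = @( @{ 'initiated_by.username' = $User } ) }
} | ConvertTo-Json -Depth 5

$events = Invoke-RestMethod -Method Post `
    -Uri 'https://api.jumpcloud.com/insights/directory/v1/events' `
    -Headers @{ 'x-api-key' = $ApiKey; 'Content-Type' = 'application/json' } `
    -Body $body

# Keep login attempts and lockout events; other event types are noise for this question.
$relevant = $events | Where-Object { $_.event_type -match 'login_attempt|lock' }

$rows = foreach ($ev in $relevant) {
    [pscustomobject]@{
        Time    = $ev.timestamp
        Service = $ev.service
        Type    = $ev.event_type
        Success = $ev.success
        Device  = if ($ev.system) { $ev.system.hostname } else { 'user portal' }
        Client  = $ev.client_ip
        Message = $ev.message
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
$rows | Export-Csv -Path ".\directory-insights-$User.csv" -NoTypeInformation

# Failed attempts grouped by device and service: the device with a burst of
# failures just before the lockout event is the one to investigate locally.
$rows | Where-Object { $_.Success -eq $false } |
    Group-Object Device, Service | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A single request returns at most the limit you set, so if the window is busy either narrow it, as the text above recommends, or page through the results per the API reference. Use an API key with the least privilege your plan allows and keep it out of the script and the shell history.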
