Wednesday, February 2, 2011

Active Directory failed logon auditing.

I need to see failed logon attempts and account lockouts in the event log. This was somehow recently disabled. To enable it, edit the Default Domain Controllers Policy, NOT the Default Domain Policy: the domain controllers sit in the Domain Controllers OU, and the GPO linked there wins over the domain-linked policy, so audit settings made only in the Default Domain Policy are overridden on the DCs. The DCs are also where the failed authentication for domain accounts is actually recorded, so the audit policy has to apply to them.

Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Audit Policy

Policy                        Setting
Audit account logon events    Failure
Audit account management      Success
Audit logon events            Failure

"Audit account logon events" covers credential validation on the DC (Kerberos and NTLM), "Audit logon events" covers logon sessions on the DC itself, and "Audit account management" (Success) is what produces the lockout event, since a lockout is a successful change to the account. On Server 2008 and later, check whether "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled; if it is, these legacy categories are ignored and the subcategories under Advanced Audit Policy Configuration control what gets logged.

If you are troubleshooting account lockouts, use EventCombMT! It is part of Microsoft's Account Lockout and Management Tools and searches the Security logs of all domain controllers at once, so you do not have to guess which DC handled the bad logon.
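As an added example (my own script, not from the original post), here is the check and the event search in PowerShell, which is what you would type on the DC after the policy above has been applied. It assumes PowerShell 3.0 or later on a Windows Server 2008 or later domain controller, the RSAT ActiveDirectory module for Get-ADDomain and Get-ADDomainController, and a 24-hour search window, all of which are my choices rather than anything in the post. The event IDs are the Server 2008+ Security log IDs: 4740 (account locked out), 4625 (logon failure), 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation failed).

```powershell
# Added example, not from the original post. Run elevated on a DC after the
# GPO has applied (gpupdate /force if needed). Assumes PS 3.0+, RSAT AD module.

# 1. Confirm the effective audit policy on this DC. On 2008+, if "Force audit
#    policy subcategory settings ... to override audit policy category settings"
#    is enabled, these values come from Advanced Audit Policy Configuration,
#    not from the legacy categories set in the post.
auditpol /get /category:"Account Logon","Logon/Logoff","Account Management"

# Turn an event's EventData into a hashtable keyed by field name, so the code
# does not rely on positional Properties[] indices that differ per event ID.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $data
}

$Since = (Get-Date).AddHours(-24)   # arbitrary window, adjust as needed

# 2. Lockouts: 4740 is always written on the PDC emulator (Account Management,
#    Success audit) and names the computer the bad credentials came from.
$Pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $d.TargetUserName
            Source  = $d.TargetDomainName   # shown as "Caller Computer Name"
        }
    } | Format-Table -AutoSize

# 3. Failed logons land on whichever DC validated the attempt, so query all DCs.
#    4625 = logon failure (SubStatus 0xC000006A bad password, 0xC0000234 locked)
#    4771 = Kerberos pre-auth failed (Status 0x18 = bad password)
#    4776 = NTLM validation failed (Status 0xC000006A / 0xC0000234 as above)
$Failures = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time    = $_.TimeCreated
            DC      = $dc
            Id      = $_.Id
            Account = $d.TargetUserName
            # 4625/4771 carry IpAddress, 4625 also WorkstationName, 4776 Workstation
            Source  = if ($d.IpAddress -and $d.IpAddress -ne '-') { $d.IpAddress }
                      elseif ($d.WorkstationName) { $d.WorkstationName }
                      else { $d.Workstation }
            Status  = if ($d.SubStatus -and $d.SubStatus -ne '0x0') { $d.SubStatus }
                      else { $d.Status }
        }
    }
}

# Summarise per account: the account with many failures from one source is
# usually the one with a stale password cached on that source.
$Failures | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Sources'; e = { ($_.Group.Source | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

If the policy is in effect but the lockout list stays empty, check that you queried the PDC emulator and not just the nearest DC; 4740 is only written there. The per-account summary is the same question EventCombMT answers, just without the GUI.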


4 comments:

jamsignal.com said...

In 2008, the events to look for are 4740 and 4771. This has changed from 2003.

1ea8b5d0-9045-11e0-a60f-000bcdcb8a73 said...

I also recommend NetWrix Account Lockout Examiner for troubleshooting account lockouts. It’s saved our helpdesk hours’ worth of time.
Download it from www.netwrix.com

Steve Schimmel said...

We use netwrix identity management suite for this. It sends automated reports on all failed logon attempts and it sends real-time alerts of all account lockouts. It's a helpful tool that I can recommend. Download it from www.netwrix.com

stealthbits said...

Hi Dude,

When it comes to IT security through Active Directory, the boxes of many in a box theory is introduced. A security group can be marked and this may be part of another security group. Thanks!
