Wednesday, February 2, 2011

Active Directory failed logon auditing.

I need to see failed logon attempts and account lockouts in the event log. This was somehow recently disabled. To enable it, edit the Default Domain Controllers Policy, NOT the Default Domain Policy:

Computer Configuration / Policies / Windows Settings / Security Settings / Audit Policy

Policy                        Setting
Audit account logon events    Failure
Audit account management      Success
Audit logon events            Failure

If you are troubleshooting account lockouts, use EventCombMT!
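As an added example (not part of the original post or of EventCombMT), the PowerShell below does the two things the post needs: it checks that the audit settings above actually took effect on every domain controller, then collects the Server 2008 lockout and Kerberos pre-authentication failure events (4740 and 4771, the IDs noted in the comments) from all DCs and summarises them per account. It assumes the ActiveDirectory module, remote access to the DCs' Security logs, and the documented field names for those two events; $Hours is a made-up parameter.

```powershell
# Added example, not the post's or EventCombMT's code. Assumes the
# ActiveDirectory module and rights to read the Security log on each DC.
param([int]$Hours = 24)   # $Hours is an assumed parameter

Import-Module ActiveDirectory
$dcs   = (Get-ADDomainController -Filter *).HostName
$since = (Get-Date).AddHours(-$Hours)

# 1. Confirm the Default Domain Controllers Policy applied. The legacy names
#    map to these auditpol categories; each should report Failure (or
#    Success and Failure), Account Management should report Success.
foreach ($dc in $dcs) {
    Write-Host "== Effective audit policy on $dc =="
    Invoke-Command -ComputerName $dc -ScriptBlock {
        foreach ($cat in 'Account Logon', 'Logon/Logoff', 'Account Management') {
            auditpol /get /category:"$cat"
        }
    }
}

# 2. Pull the events. 4740 = account locked out, 4771 = Kerberos pre-auth
#    failed. Each DC only logs what it processed, so every DC is queried.
$events = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740, 4771; StartTime = $since
    } | ForEach-Object {
        # Read named fields from the event XML. Per the event schema,
        # TargetDomainName on 4740 is the caller computer; IpAddress on 4771
        # is the client that sent the failing request.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            DC      = $dc
            EventId = $_.Id
            Account = $d['TargetUserName']
            Source  = if ($_.Id -eq 4740) { $d['TargetDomainName'] } else { $d['IpAddress'] }
            Status  = $d['Status']   # on 4771, 0x18 means wrong password
        }
    }
}

# 3. Summarise: which accounts fail most, from where, and how many lockouts.
$events | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{n='Sources';  e={ ($_.Group.Source | Sort-Object -Unique) -join ', ' }},
        @{n='Lockouts'; e={ ($_.Group | Where-Object EventId -eq 4740).Count }} |
    Format-Table -AutoSize
```

A single account failing from one source address is the usual sign of a stale cached credential or scheduled task; the same account failing from many sources is the pattern worth escalating.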

6 comments:

jamsignal.com said...

In 2008, the events to look for are 4740 and 4771. This has changed from 2003.

Anonymous said...
This comment has been removed by a blog administrator.
Steve Schimmel said...

We use netwrix identity management suite for this. It sends automated reports on all failed logon attempts and it sends real-time alerts of all account lockouts—it’s a helpful tool that I can recommend. Download it from www.netwrix.com

stealthbits said...
This comment has been removed by a blog administrator.
Unknown said...

Thanks for sharing your problem related to failed logon attempts and account lockouts. I have also faced this problem. I tried this active directory auditing tool (http://www.lepide.com/lepideauditor/active-directory.html), which helps to audit details on user logons and logoffs for different operational requirements and to audit specific logon events and logon activity.

smithjake said...

Great, in this article the concept is very clear and helpful. It describes the most valuable information related to auditing Active Directory failed logons. I found nice information related to this at http://www.esystool.com/know-how-to-track-ad-user-logon-and-logoff-activity/, which gets reports and alerts on anomalous logon activity and account lockouts.