|
Posted by theta12 on April 3, 2007, 10:34 am
If you were Registered and logged in, you could reply and use other advanced thread options
I'm trying to track account lockouts on my domain. I've turned on
auditing for my domain controllers and am successfully getting audit
data. However, I am unable to generate the 644 event id that says
'Account locked out'. I have success and failure turned on for all
auditing events and have verified that each DC is correctly applying
the policy
All DC's are 2003 servers in a windows environment. I have a test
account that I'm intentionally locking out by entering a wrong
password multiple times. I am getting plenty of other events about
this account (675 - pre-authentication failed when using wrong
password, 539 - account locked out (on the actual server I'm logging
into), 672 - after account is locked out and I try to use correct
password.) but no 644 event are ever generated. I do get a message on
the server that I'm trying to log into that my account is locked out.
If I open ADUC, I can confirm that the account is indeed locked out.
Is there something else I'm missing?
| 
XML site map