Active Directory 2008 Enable Account Lockout Auditing

Jack_son_
Jack_son_ used Ask the Experts™
on
Hi,

How can I enable the account lockout events in the eventviewer in AD 2008.  Also, what event id's are related to user account lockout?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2013
Commented:
Have a meeting so I can't write more now but look at this  http://www.windowsitpro.com/article/auditing/access-denied-auditing-user-account-lockouts.aspx

I think the event is 644    I'll try and test later to make sure

Thanks

Mike
Commented:
mkline is correct, event ID 644;
http://www.eventid.net/display.asp?eventid=644&eventno=227&source=Security&phase=1

How to enable logging of these events;
To effectively troubleshoot account lockout, enable auditing at the domain level for the following events:
Account Logon Events – Failure
Account Management – Success
Logon Events – Failure

http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx

To modify the GPO for the settings;
http://technet.microsoft.com/en-us/library/cc775412(WS.10).aspx

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial