Audit user account: locking and unlocking

Hello,

I am trying to find the best way to audit not only login/logoff, but all instances of locking and unlocking per user group.

Any suggestions?

Thank you.
exhuserAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

piattndCommented:
This link explains the auditing features within server 2008, but it also applies to 2003.

http://technet.microsoft.com/en-us/library/cc787567(v=ws.10).aspx

The article explains the logon events and also the logon types, to know whether the user was at the actual PC, unlocking the PC, or perhaps logging in to a machine via RDP.

If you have multiple domain controllers, your GDC should have all authentication events, but depending on how fast your logs fill up, you may not get the date range you wish for.

Let us know if you have any other questions!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
exhuserAuthor Commented:
This is for  Windows Server 2003, and workstations pre-Vista...
Will SzymkowskiSenior Solution ArchitectCommented:
There is no real efficent ways (natively) to audit active directory besides going through the Security Logs. This can be a pain when you have multiple DC's in your environment because the log on statistics are local to the DC that user is authenticating to.

You can use something like Account Lockout Status to monitor this but you need to enter in the users names manually to check the status. Not a very efficent way but it can be done.

Account Lockout Status Help - http://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx
Accoutn Lockout Status DL - http://www.microsoft.com/en-ca/download/confirmation.aspx?id=15201

Personally if you have money in the budget for this I would highly recommend getting something like AD Audit Plus which audit everything in your environment and displays this info in a web based fasion. Its not free but not expensive and they do have a 30 day free trial.

AD Audit Plus - http://www.manageengine.com/products/active-directory-audit/

Will.
compdigit44Commented:
In windows 2003 you could use EventTrigger.exe to "trigger" on evenit 671 "unlock" and 644 "locked" you might be able to use this in Windows 2008 to to the following.

Use EventTrigger to write the event to a text file then use use Windows 2008 ability to email the text file when the event it detected... Hope this makes sense....


http://social.technet.microsoft.com/Forums/scriptcenter/en-US/8ce49282-8b5a-49d3-aadc-1075436f1c82/script-to-generate-alert-when-event-id-triggers-in-windows-server-2003-r2?forum=ITCG
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.