Solitary account constantly locked. No 4740 event IDs to be found.

I'm hitting a wall with this one.

I have a single AD account, who we can refer to as RWATERS. RWATERS is constantly getting locked out on a regular basis. Using the AccountLockoutTool provided by Microsoft, I can see the originator DC for the lockout along with the bad attempts across our 5 DCs. My problem is that when I get the security logs for ANY of the DCs, I only get 4768 and 4769. I've remoted into each one individually and used EventCombMT and both yield the same results. Lots of successes, and NO failures.

I've updated our default domain policy and set Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy to log Failure for Audit Account Logon Events and Directory Service Access and then ran a gpupdate /force on all the DCs, but the results are the same.

At this point, I'm wondering if I'm experiencing replication issues on my DCs. However, dcdiag /test:replications on all the DCs comes back successful. Furthermore, it's not widespread. It's the same account consistently.

I have co-workers suggesting the nuclear options of creating a new AD account or deleting and recreating the existing one but I'm absolutely not a fan of that.  I'll open a case with MS if it gets that dire, but you guys are the smartest dudes in the room so I came here first.

Any ideas?
emcphail asked:
Chris H (Infrastructure Manager) commented:
You can override GPO with local sec pol....  You think that's happening?

Also, about the lockouts: I had a similar issue where a misconfigured Barracuda was forwarding LDAP authentication attempts from outside our organization into one domain controller, the one specified as the LDAP authority for the appliance. Disabling that feature resolved the issue, which sounds strikingly similar to your circumstances.

McKnife commented:
At each DC, run

    gpresult /h %temp%\results.html

Then open %temp%\results.html and see if the correct auditing settings got applied.
emcphail (Author) commented:
Thanks guys. It was the local policy overriding the domain policy. I had made changes to the default domain policy to turn on security logging for failures, but then realized the default domain controller policy was taking precedence over the default domain policy. Making those changes allowed me to see the proper logging. Cheers.
Magadu commented:
Check for 4771 events.

I use a small PowerShell script to check for 4771 events (codes 0x18 and 0x12). My DCs do not have any 4740 events (and I never needed them).

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4771
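Putting McKnife's "verify what is actually in force on each DC" step and Magadu's 4771 search into one script, as an added example that is not code posted by anyone in this thread. It assumes the ActiveDirectory RSAT module, WinRM to the DCs, and rights to read their Security logs; the account name and look-back window are placeholder parameters. Two points it bakes in that the thread only hints at: auditpol reports the effective per-subcategory setting after Default Domain Controllers Policy (linked at the Domain Controllers OU) has overridden Default Domain Policy, so it catches the precedence mistake directly; and 4740 is a User Account Management *success* event, not an Account Logon failure, so turning on Account Logon failures alone never produces it. It also pulls 4776 so that NTLM bad passwords (mapped drives, services, appliances doing LDAP/NTLM pass-through like the Barracuda case above) are not missed.

```powershell
# Added example for this thread; not code from any participant.
# Assumptions: ActiveDirectory module installed, WinRM enabled on the DCs, and rights to
# read the Security log and run auditpol remotely. Parameters below are placeholders.
param(
    [string]   $SamAccountName    = 'RWATERS',
    [int]      $HoursBack         = 24,
    [string[]] $DomainControllers = $null
)

# 4771 is written only by the DC that rejected the Kerberos pre-auth, 4776 only by the DC
# that validated the NTLM credential, and 4740 by the originating DC and the PDC emulator,
# so every DC has to be queried.
if (-not $DomainControllers) {
    $DomainControllers = (Get-ADDomainController -Filter *).HostName
}

# 1. Effective audit policy per DC, whichever GPO (or local policy) set it.
#    'Failure' matches both "Failure" and "Success and Failure".
$wanted = @{
    'Kerberos Authentication Service' = 'Failure'   # produces 4771
    'Credential Validation'           = 'Failure'   # produces 4776
    'User Account Management'         = 'Success'   # produces 4740
}
Write-Host '== Effective audit policy =='
foreach ($dc in $DomainControllers) {
    $rows = Invoke-Command -ComputerName $dc -ScriptBlock { auditpol /get /category:* /r } |
            Where-Object { $_ -match '\S' } | ConvertFrom-Csv |
            Where-Object { $wanted.ContainsKey($_.Subcategory) }
    foreach ($r in $rows) {
        $state = if ($r.'Inclusion Setting' -match $wanted[$r.Subcategory]) { 'OK' } else { 'MISSING' }
        '{0,-24} {1,-32} {2,-20} {3}' -f $dc, $r.Subcategory, $r.'Inclusion Setting', $state
    }
}

# 2. Failure and lockout events for the account from every DC, with status codes decoded.
$meaning = @{
    '4771:0x18'       = 'Kerberos pre-auth failed (wrong password)'
    '4771:0x12'       = 'Kerberos client revoked (account locked out, disabled or expired)'
    '4776:0xc000006a' = 'NTLM credential validation failed (wrong password)'
    '4776:0xc0000234' = 'NTLM credential validation failed (account locked out)'
    '4740:'           = 'Account locked out; Source is the calling computer name'
}
$filter = @{ LogName = 'Security'; Id = 4771, 4776, 4740; StartTime = (Get-Date).AddHours(-$HoursBack) }
$hits = foreach ($dc in $DomainControllers) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the <Data Name="..."> elements of EventData into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -ne $SamAccountName) { return }   # next event
        $status = "$($d.Status)".ToLower()                      # 4740 has no Status -> ''
        $source = if ($_.Id -eq 4771) { $d.IpAddress }          # client that sent the bad pre-auth
                  elseif ($_.Id -eq 4776) { $d.Workstation }    # NTLM source workstation
                  else { $d.TargetDomainName }                  # 4740: caller computer name
        [pscustomobject]@{
            Time    = $_.TimeCreated
            DC      = $dc
            Id      = $_.Id
            Source  = $source
            Status  = $status
            Meaning = $meaning["$($_.Id):$status"]
        }
    }
}

Write-Host "== Events for $SamAccountName in the last $HoursBack h =="
$hits | Sort-Object Time | Format-Table Time, DC, Id, Source, Status, Meaning -AutoSize

# Where are the bad passwords coming from? Count failures per source, most frequent first.
Write-Host '== Failure sources =='
$hits | Where-Object Id -ne 4740 | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

If section 1 prints MISSING for "Kerberos Authentication Service" on a DC while gpresult shows the domain policy applying Account Logon failures, a higher-precedence GPO (typically Default Domain Controllers Policy) or an Advanced Audit Policy setting is overriding it, which is exactly what the author found. Once 4771/4776 appear, the Source column (IpAddress for 4771, Workstation for 4776) is the host actually submitting the stale password; the 4740 entries tell you which DC locked the account, but the failure sources are what you chase.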