Server 2008R2 account lockouts not being logged

I enter 3 incorrect passwords on a terminal server using the RDP client. 3 Audit Failures appear in the security log on the terminal server.
On the sole DC at that site there is no lockout event logged in the security log, nor any audit failures, yet the account is locked out.

A user's account is getting locked out and I need to trace the source (the device which caused the account to become locked out). The user only connects to that Terminal Server, yet the account seems to be getting locked out from elsewhere, as there are no audit failures prior to the lockout on the Terminal Server.

I am seeing a few event 4625 entries in the security log on the DC, but very few and not in the above scenario.

I am looking for the steps in order to trace the source of AD user lockouts.  I also would like to see the audit failures on the DC when authentication fails.

Here is the audit policy on the DC.
C:\Users\Administrator.CORP>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  No Auditing
  Account Lockout                         Success and Failure
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
Object Access
  File System                             Success
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing



Thanks
YMartin Asked:

Michael Pfister Commented:
Try whether adding the policy

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Configuration -> Logon/Logoff -> Audit Account Lockout: Success, Failure

helps.
Will Szymkowski, Senior Solution Architect, Commented:
I would highly recommend using Active Directory Auditor by Lepide Software.

http://www.lepide.com/lepideauditor/active-directory-auditing.html

From there you will be able to pin point exactly where/why/how the account is being locked out.

Will.
btan, Exec Consultant, Commented:
Here is one nice run-through to isolate the more likely culprit machine: https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

Hence you may want to consider the toolkit "Account Lockout and Management Tools" to assist in managing accounts and in troubleshooting account lockouts, as below.
•ALoInfo.exe. Displays all user account names and the age of their passwords.

•EnableKerbLog.vbs. Used as a startup script, allows Kerberos to log on to all your clients that run Windows 2000 and later.

•EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.

•LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed.

•NLParse.exe. Used to extract and display desired entries from the Netlogon log files.
http://www.microsoft.com/en-sg/download/details.aspx?id=18465
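The Netlogon-log route that the toolkit list above points at (NLParse.exe is a parser for these files), as an added example that is not part of the original thread or of the Microsoft toolkit: enable Netlogon debug logging on the DC, then parse the resulting netlogon.log for SamLogon calls that returned a failure status. The sample lines below are constructed to match the Netlogon log format; the account, host names and timestamps are made up. In these entries the `from` host is the workstation name the client presented, and the `(via ...)` host, when present, is the member server (here a terminal server) that forwarded the request over its secure channel, so the log answers the "which server was this attempted against" question as well as "which client sent it".

```powershell
# Added example (not from the thread): trace bad passwords and lockouts via the Netlogon debug log.
# 1) On the DC, as an administrator, turn on Netlogon debug logging; entries go to
#    %windir%\debug\netlogon.log. The log grows quickly, so turn it off again afterwards:
#        nltest /dbflag:0x2080ffff      (enable)
#        nltest /dbflag:0x0             (disable)
# 2) Parse the log with the function below.

function Get-NetlogonFailures {
    # Returns one object per SamLogon entry in $Lines whose return status is not 0x0.
    param([string[]]$Lines)

    # Netlogon writes "... logon of DOMAIN\user from WORKSTATION (via SERVER) Returns 0xC000006A".
    # The "(via SERVER)" part is only present when a member server forwarded the request.
    $rx = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*logon of (?<acct>\S+) from (?<src>\S+)(?: \(via (?<via>\S+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'

    # NTSTATUS codes that matter when chasing a lockout (hashtable keys are case-insensitive).
    $meaning = @{
        '0xC000006A' = 'wrong password'
        '0xC0000234' = 'account locked out'
        '0xC0000064' = 'no such user'
        '0xC0000072' = 'account disabled'
    }

    foreach ($line in $Lines) {
        if ($line -match $rx -and $Matches['status'] -ne '0x0') {
            New-Object PSObject -Property @{
                Time    = $Matches['ts']
                Account = $Matches['acct']
                Source  = $Matches['src']      # host name the client presented
                Via     = $Matches['via']      # forwarding member server, if any ($null otherwise)
                Status  = $Matches['status']
                Meaning = $meaning[$Matches['status']]
            }
        }
    }
}

# Constructed sample in the Netlogon log format (names and times are made up, not real log data).
$sample = @'
04/21 10:15:02 [LOGON] [1234] CORP: SamLogon: Transitive Network logon of CORP\jdoe from CLIENT01 (via TS01) Entered
04/21 10:15:02 [LOGON] [1234] CORP: SamLogon: Transitive Network logon of CORP\jdoe from CLIENT01 (via TS01) Returns 0xC000006A
04/21 10:15:09 [LOGON] [1234] CORP: SamLogon: Transitive Network logon of CORP\jdoe from CLIENT01 (via TS01) Returns 0xC0000234
04/21 10:16:40 [LOGON] [1234] CORP: SamLogon: Network logon of CORP\svc_backup from BACKUP02 Returns 0x0
'@ -split "`r?`n"

# The "Entered" line and the 0x0 success line are skipped; two failures for CORP\jdoe remain,
# both presented from CLIENT01 and forwarded by TS01.
Get-NetlogonFailures -Lines $sample | Format-Table Time, Account, Source, Via, Status, Meaning -AutoSize

# Against the real log on a DC, grouped to show which client/server pairs generate the failures:
# Get-NetlogonFailures -Lines (Get-Content "$env:windir\debug\netlogon.log") |
#     Group-Object Account, Source, Via | Sort-Object Count -Descending
```

Run the parser on every DC's netlogon.log, not only the one the user's site uses: a bad password is forwarded to the PDC emulator before the lockout is decided, so the PDC emulator's log is the one that sees every attempt.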

YMartin (Author) Commented:
Thank you all for your posts.

Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Configuration -> Logon/Logoff -> Audit Account Lockout: Success, Failure
is what was used to change the auditpol settings to "Success and Failure" for logon and lockout.

While I am sure a 3rd party tool will work I would prefer to use the software we already paid for to accomplish this.

I have used LockoutStatus, however it does not show the source of the lockout beyond the DC, which I already know. EventCombMT is only useful if the events appear in the security log, which they do not.

Some setting is not set to log these account lockouts - the group policy settings are not doing what they describe.  My guess is Microsoft changed something with those group policy settings and how they apply on the DC and there is now some other setting I need to set to get this information into the log.

Any further help would be much appreciated.
btan, Exec Consultant, Commented:
Refer to the below link; it describes a very similar issue, and the reason it was missed is that the user failed to enable Audit User Account Management.

https://social.technet.microsoft.com/Forums/windowsserver/en-US/42fc5187-0cfd-4cfd-9ca7-96ad82c7cbfa/granular-audit-policies-not-logging-failures-or-lockout

Also, this may already be known: if you need to enable/disable auditing in Active Directory, you need to change the Default Domain Controllers Policy, not the Domain Policy. This is because the auditing is done on the DCs, and it is the Default Domain Controllers Policy that governs policy on DCs. Likewise, you could possibly restart, which I believe you have already done too...
YMartin (Author) Commented:
Thank you. User Account Management did resolve the issue. The event is logged as 4740 "User Account Management". That raises the question of what the "Account Lockout" logging does, but I now have what I need.

It lists the source as the remote RDP client and does not indicate which terminal server the connection was made to but this will work.  Much appreciated.
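Pulling the thread's three pieces together (the advice from Michael Pfister and btan to set the audit subcategory, and the author's finding that the lockout surfaces as event 4740 under User Account Management), as an added example that is not from the thread: enable the subcategories on the DC with auditpol by GUID rather than by display name, then query the resulting events with Get-WinEvent and pull the source host out of each one. Three facts the example relies on: lockouts are decided on, and 4740 written by, the PDC emulator, so query that DC even when the user's site has a different one; 4740 stores the caller computer name in the EventData field named TargetDomainName; and the failed validations the author wanted to see on the DC come from subcategories the posted auditpol output shows as No Auditing, namely event 4776 from Credential Validation for NTLM and event 4771 from Kerberos Authentication Service for Kerberos pre-authentication. Logon/Logoff auditing only writes 4625 on the computer where the logon is attempted, which is why the terminal server shows them and the DC does not, and the Account Lockout subcategory only writes 4625 on the computer where a logon with an already locked-out account is attempted, which answers the author's closing question. `Get-ADDomain` assumes the Active Directory module from RSAT is installed; the account name `jdoe` and the 24-hour window are illustrative.

```powershell
# Added example (not from the thread). Run on the PDC emulator as an administrator, or set the same
# subcategories through the Default Domain Controllers Policy as btan recommends.

# Subcategory GUIDs are stable across locales; the display names are not.
$subcats = @(
    @{ Name = 'User Account Management';         Guid = '{0CCE9235-69AE-11D9-BED3-505054503030}'; Success = 'enable';  Failure = 'enable' }  # 4740 is a success audit
    @{ Name = 'Credential Validation';           Guid = '{0CCE923F-69AE-11D9-BED3-505054503030}'; Success = 'disable'; Failure = 'enable' }  # 4776, NTLM
    @{ Name = 'Kerberos Authentication Service'; Guid = '{0CCE9242-69AE-11D9-BED3-505054503030}'; Success = 'disable'; Failure = 'enable' }  # 4771, Kerberos pre-auth
)
foreach ($s in $subcats) {
    auditpol /set "/subcategory:$($s.Guid)" "/success:$($s.Success)" "/failure:$($s.Failure)" | Out-Null
    auditpol /get "/subcategory:$($s.Guid)"     # confirm the effective setting before trusting the logs
}

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator              # every bad password is forwarded here; 4740 is logged here

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="..."> elements of a Security event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[[string]$n.Name] = [string]$n.'#text' }
    return $d
}

function Get-LockoutTrail {
    # Lockouts (4740) plus the failed validations that led up to them (4771, 4776) from one DC.
    param([string]$Computer, [int]$Hours = 24, [string]$User = '*')
    $filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = ConvertFrom-EventData $_
        switch ($_.Id) {
            4740 { $src = $d['TargetDomainName']; $why = 'locked out' }                                  # caller computer name lives here
            4771 { $src = $d['IpAddress'];        $why = "Kerberos pre-auth failed, status $($d['Status'])" }  # e.g. 0x18 = bad password; IPv4-mapped address
            4776 { $src = $d['Workstation'];      $why = "NTLM validation failed, status $($d['Status'])" }    # e.g. 0xc000006a = bad password
        }
        # 4776 is also written for successful validations (Status 0x0); keep failures only.
        if ($_.Id -eq 4776 -and $d['Status'] -eq '0x0') { return }
        if ($d['TargetUserName'] -notlike $User) { return }
        New-Object PSObject -Property @{
            Time   = $_.TimeCreated
            Event  = $_.Id
            User   = $d['TargetUserName']
            Source = $src
            Detail = $why
            DC     = $_.MachineName
        }
    }
}

Get-LockoutTrail -Computer $pdc -Hours 24 -User 'jdoe' |
    Sort-Object Time |
    Format-Table Time, Event, User, Source, Detail -AutoSize
```

Read the output bottom-up: the 4740 tells you the account and the host that sent the final bad password, and the 4771/4776 rows just before it show whether the attempts arrived by Kerberos (source is the IP of the server that did the AS exchange) or NTLM (source is the workstation name the client supplied), which is where to look next when the caller computer name is a client rather than the server you expected.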