asked on

active directory

how long the logs are there in domain controller

I want to find the reason for account lockout of one user who was locked yesterday but when searching in security logs cant find it any details

I am searching on my domain controller

yo_bee

This all depends on the settings per log.
Right click each of the logs (The one you are interested in is the security logs) and go to the properties
There are few areas to look at.

Max Log size
Overwrites, archives or Do Not Overwrite

If the setting are the default they are pretty small. If you are looking back a few days you may not have them accessible depending on the settings listed above. You will need to confirm the oldest by going to the first log event in the list.
If you have it set to Overwrite you will need to restore a backup to get the data you are looking for, but if it is archived or do not overwrite you might be in luck.
If it is archived you will need to open the archive EVTX file from the location listed in the properties.

pramod1

ASKER

I am attaching the snap shot, can it be possible that it was over written today as I ran lock out tool it showed yesterday date for that user that is 12/26 ?
C--Users-ic1pxk-Desktop-Capture.JPG

pramod1

ASKER

does it mean size 131702?

yo_bee

this means that your max size of the files is approx. 131 MB, but since this is set to overwrite you may not have the logged events you are looking for depending how far back the log goes. Domain Controller security logs fill up fast since they are constantly authenticating and recording these event.

pramod1

ASKER

just one last question, is there any time frame I can check when the logs were purged

ASKER CERTIFIED SOLUTION

yo_bee

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial