8

I have a user account that keeps on getting locked out. I am trying to find out what caused it. So I want to enable failure audits in Event Viewer as a start. But, I don't know how!

How do I enable Audit Failures such that it shows up in the DC's event viewer under Windows Logs > Security?

The steps I have done so far:

  • In the DC, go to Group Policy Management Editor > Default Domain Policy (Linked) > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
  • Set Audit account logon events, Audit directory service access and Audit logon events to "Failure". Audit account management is already set to "Success, Failure".
  • In the DC, start the command prompt and type gpupdate.

The event log still shows only Audit Success, even though I can see that my user account's bad password count is going up every few minutes or so.

Jake

6 Answers

9

Do this on the "Default Domain Controllers" Policy to apply it to the DCs.

MichelZ
8

Note that on Windows Server 2008 and above, you need to use the "Advanced Audit Policy Configuration" options in the GPO. See screenshot:

Screenshot

Pierre.Vriens
KERR
2

Yes, you need to edit the Default Domain Controllers policy; otherwise you need to create a new GPO and link it to the Domain Controllers OU. Once you have done it either way, you need to watch the User Account Management events:

4740 - for locked out.

4767 - for unlocked.

Refer to this article http://www.morgantechspace.com/2013/08/how-to-enable-active-directory-change.html to learn how to enable auditing in Active Directory,

and for the complete event ID list see http://www.morgantechspace.com/2013/08/active-directory-change-audit-events.html

Kombaiah M
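The 4740/4767 events named above are written to the Security log of the DC that processed the lockout and always to the PDC emulator, so that is the log to read. The following PowerShell is an added example (not from the answer or from Microsoft) that pulls those two event IDs from the PDC emulator and extracts the account and the calling computer from the event's XML. It assumes the ActiveDirectory module (RSAT) is available and that you have rights to read the remote Security log; the field names `TargetUserName`, `TargetDomainName` and `SubjectUserName` are taken from the 4740 event schema.

```powershell
# Added example: list account-lockout (4740) and unlock (4767) events from the
# PDC emulator and show who was locked out and from which machine.
# Assumes the ActiveDirectory module and read access to the DC's Security log.
Import-Module ActiveDirectory

function Get-LockoutEvents {
    param(
        [int]$Hours = 24,
        # The PDC emulator records every lockout in the domain; looked up, not hard-coded.
        [string]$DomainController = (Get-ADDomain).PDCEmulator
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4740, 4767
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    # SilentlyContinue: Get-WinEvent raises an error (not an empty result) when nothing matches.
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields from the XML instead of parsing the message text.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Action  = if ($_.Id -eq 4740) { 'Locked out' } else { 'Unlocked' }
                Account = $data['TargetUserName']
                # In 4740 the TargetDomainName field carries the "Caller Computer Name",
                # i.e. the machine that sent the bad passwords (per the 4740 schema);
                # in 4767 the same field holds the account's domain.
                Source  = $data['TargetDomainName']
                DoneBy  = $data['SubjectUserName']
                DC      = $DomainController
            }
        }
}

# Usage:
# Get-LockoutEvents -Hours 48 | Sort-Object Time | Format-Table -AutoSize
```

The `Source` column is the value you want for the original question: it names the computer from which the failed logons originated, which is usually a mapped drive, scheduled task or service still holding an old password.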
0

Indeed, if you need to enable/disable auditing in Active Directory, you need to change the Default Domain Controllers policy, not the domain policy. This is because the auditing is done on the DCs and it is the Default Domain Controllers policy that governs policy on DCs.

AntoineF
0

It depends on your AD functional level. For a Windows 2003 AD functional level, the Audit Policies have to be configured as @Jake said; those are Basic Audit Policies. When it comes to Windows 2008 or higher, you still have Basic Audit Policies and Microsoft added a more complex/fine-grained audit flavour (Advanced Security Audit Policy).

As @Kombaiah M said,

> you need to edit on Default Domain Controller policy, otherwise you need to create new GPO and link it to the Domain Controllers OU

Be careful with enabling both Basic and Advanced audit policies, as you'll get unpredictable results (see the "Special Considerations" section of the Advanced Audit Policy documentation).

To identify the locked-out user accounts, you should bear in mind that the event IDs differ depending on the AD functional level. As @Kombaiah M pointed out, the event IDs for w2k8 are

4740 - for locked out.

4767 - for unlocked.

If you still have w2k3 domain controllers, the event IDs differ from the above:

User account locked out

User account unlocked

Here is a quite interesting document, Video: Auditing vs Advanced Auditing Configurations, about Advanced Audit Configuration.

fedayn
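Both the "Advanced Audit Policy Configuration" answer above and the warning here about mixing Basic and Advanced policies come down to one question: what audit settings are actually in force on the DC after `gpupdate`? The PowerShell below is an added example (not from either answer) that you run on the DC itself. It reads the effective per-subcategory setting with `auditpol /get /subcategory:... /r` (CSV output; the "Inclusion Setting" column holds values such as "Success and Failure") and the `SCENoApplyLegacyAuditPolicy` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, which, when set to 1, makes the advanced policy override the basic one. The list of subcategories is my own choice of the ones relevant to lockouts, and the English subcategory names are assumed.

```powershell
# Added example: report the audit policy that is really in effect on this DC,
# and whether advanced (subcategory) policy is enforced over basic (category) policy.
# Run on the DC. Subcategory names are the English ones; constructed list.
function Get-EffectiveAuditPolicy {
    param(
        [string[]]$Subcategories = @(
            'Credential Validation',
            'Kerberos Authentication Service',
            'Logon',
            'Account Lockout',
            'User Account Management'
        )
    )

    # SCENoApplyLegacyAuditPolicy = 1 means the advanced policy wins and
    # the basic "Audit Policy" settings from the GPO are ignored.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $advancedEnforced = ($lsa.SCENoApplyLegacyAuditPolicy -as [int]) -eq 1

    foreach ($sub in $Subcategories) {
        # /r makes auditpol emit CSV with a header row; "Inclusion Setting" is the
        # effective value (assumption: standard English column header).
        $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv | Select-Object -First 1
        [pscustomobject]@{
            Subcategory      = $sub
            Setting          = $row.'Inclusion Setting'
            AuditsFailure    = [bool]($row.'Inclusion Setting' -match 'Failure')
            AdvancedEnforced = $advancedEnforced
        }
    }
}

# Usage:
# Get-EffectiveAuditPolicy | Format-Table -AutoSize
# A subcategory still showing "No Auditing" or only "Success" after gpupdate means the
# failure setting never reached this DC: the GPO is linked to the wrong scope (domain
# instead of the Domain Controllers OU) or a basic/advanced conflict is overriding it.
```

If the table disagrees with what you set in the GPO, `gpresult /r /scope:computer` on the same DC lists which GPOs were applied to the computer and is the quickest way to confirm whether the Default Domain Policy or the Default Domain Controllers Policy is the one delivering the audit settings.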
-1

You can use the Microsoft Lockout Status Tool http://www.microsoft.com/en-gb/download/confirmation.aspx?id=15201 to help identify which AD server is recording the bad password attempts; this should help narrow the scope!
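The Lockout Status Tool works by asking every DC for the account's `badPwdCount`, `badPasswordTime` and `lockoutTime` attributes, which are not replicated, so the DC reporting the highest count is the one actually receiving the bad passwords and the one whose Security log to read. The PowerShell below is an added example (not Microsoft's tool or code) that does the same query with the ActiveDirectory module; `$SamAccountName` is supplied by the caller, and the DC list is discovered rather than hard-coded.

```powershell
# Added example: per-DC view of the non-replicated bad-password attributes for
# one account, equivalent to what the Lockout Status Tool displays.
# Assumes the ActiveDirectory module (RSAT) and read access to every DC.
Import-Module ActiveDirectory

function Get-BadPasswordCountPerDC {
    param([Parameter(Mandatory)][string]$SamAccountName)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # -Server forces the read from this specific DC; the attributes are not replicated.
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                    -Properties badPwdCount, badPasswordTime, lockoutTime -ErrorAction Stop
            [pscustomobject]@{
                DC              = $dc.HostName
                Site            = $dc.Site
                BadPwdCount     = $u.badPwdCount
                # Both attributes are Windows FILETIME values; 0 means "never".
                LastBadPassword = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
                LockoutTime     = if ($u.lockoutTime)     { [DateTime]::FromFileTime($u.lockoutTime) }     else { $null }
                Error           = $null
            }
        } catch {
            # A DC that is down or unreachable must not abort the whole scan.
            [pscustomobject]@{
                DC              = $dc.HostName
                Site            = $dc.Site
                BadPwdCount     = $null
                LastBadPassword = $null
                LockoutTime     = $null
                Error           = $_.Exception.Message
            }
        }
    }
}

# Usage:
# Get-BadPasswordCountPerDC -SamAccountName jdoe |
#     Sort-Object BadPwdCount -Descending | Format-Table -AutoSize
```

Read `LastBadPassword` alongside the 4740 events: a DC whose `badPwdCount` climbs at a regular interval with no interactive user behind it points to a cached credential (service, scheduled task, mapped drive or mobile device) rather than a person typing the wrong password.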