Wednesday, July 17, 2013

Account lockout not recorded in security log

So, when an account is locked out because too many bad passwords were entered within a configurable timeframe, the domain controller that handled the authentication locks the account for a period of time and records an Event ID 4740 in its security log. I recently had a case where the Event ID 4740 was not present in the log.

The reason was the audit policy on the Domain Controller. To fix this, either create a new policy that is linked to the Domain Controllers OU or, if you prefer, edit the Default Domain Controllers Policy in the following way:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

and then set the 'Audit Account Management' parameter to audit Success (and Failure if you like).

Finish with a GPUPDATE /FORCE on the Domain Controller and test by locking a test account.
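To check the result end to end, here is an added PowerShell script (not from the original post) that confirms the effective audit setting on the DC and then lists any recent 4740 events with the locked account and the calling computer; the 24-hour lookback window is an assumption.

```powershell
# Run in an elevated PowerShell session on the domain controller that handled the lockout.

# 1. Confirm the effective audit setting. The legacy 'Audit Account Management' category
#    maps to the 'User Account Management' subcategory, which is what emits Event ID 4740.
$auditPolicy = auditpol /get /subcategory:"User Account Management" 2>&1
if ($auditPolicy -match 'Success') {
    Write-Host "OK: User Account Management is audited for Success."
} else {
    Write-Warning "User Account Management is NOT audited for Success; 4740 will not be logged."
    Write-Warning "Apply the GPO change, run GPUPDATE /FORCE on the DC, then re-check."
}

# 2. Look for lockouts recorded in the last 24 hours (window is an assumption; adjust as needed).
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Event ID 4740 found since $since on $env:COMPUTERNAME."
    return
}

# 3. Pull the locked-out account and the caller computer from each event's XML payload.
#    In 4740, TargetUserName is the locked account and TargetDomainName carries the
#    'Caller Computer Name' field shown in the event description.
$events | ForEach-Object {
    $data = ([xml]$_.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time           = $_.TimeCreated
        LockedAccount  = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
        DC             = $_.MachineName
    }
} | Format-Table -AutoSize
```

Run it on the DC that processed the bad passwords; the PDC emulator also records every lockout in the domain, so it is the one place to check when you are not sure which DC was used.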

Cheers!
