So, when an account is locked out because too many bad passwords are entered within a configurable timeframe, the domain controller that is being used for the authentication will lock the account for a period of time and record an Event ID 4740 in the domain controller's security log. I recently had a case where the Event ID 4740 was not present in the log.
The reason was the audit policy on the Domain Controller. To fix this, either create a new policy that is linked to the Domain Controllers OU or, if you prefer, edit the Default Domain Controllers Policy in the following way:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
and then set the 'Audit Account Management' parameter to audit SUCCESS (and FAILURE if you like).
Finish with a GPUPDATE /FORCE on the Domain Controller and test by locking a test account.
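To confirm the change took effect, the following added example (not part of the original post) shows the effective audit setting and then lists recent 4740 events with the locked account and the computer the bad passwords came from. It assumes an elevated PowerShell session on the domain controller, an English-language OS (the subcategory name is localized), and a one-hour lookback window chosen for illustration.

```powershell
# Run in an elevated PowerShell session on the domain controller.

# 1. Show the effective audit setting. Event ID 4740 is generated by the
#    "User Account Management" subcategory of Account Management, so this
#    should report "Success" (or "Success and Failure") after the policy applies.
auditpol /get /subcategory:"User Account Management"

# 2. After locking a test account, look for lockout events.
#    The one-hour window is an assumption; widen it if needed.
$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-1)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No 4740 events found in the last hour. Check the auditpol output above and that the test lockout was processed by this DC.'
}
else {
    $events | ForEach-Object {
        # Read the named fields from the event XML instead of relying on
        # positional property indexes.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            LockedAccount  = $data['TargetUserName']
            # In event 4740 the TargetDomainName field holds the caller computer name.
            CallerComputer = $data['TargetDomainName']
            LoggedOn       = $_.MachineName
        }
    } | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
}
```

If auditpol still reports "No Auditing" after the GPUPDATE, check whether an advanced audit policy (subcategory) setting is applied to the domain controller, since subcategory settings can take precedence over the legacy Audit Policy categories.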