Cannot find account lockout in Event viewer
I'm having trouble finding information of where/when an account that was locked out today from my domain controller's Event viewer. I noticed it was locked out, went into the event viewer of the domain controller, in the Windows Logs/security logfile but could not find any events that showed who/when the the account was unsuccessfully logged into to lock out the account. I checked the audit policy on my domain controller auditpol /get /category:* and I have Logon/Logoff = success and failure, and Account lockout = success turned on. What am I doing wrong? I have three DC's in my domain.. Is it possible that the login attempts were handled by one of the other DC's and that's why I'm not finding anything on my DC? William McConnell
November 19th, 2010 4:28pm

Hi, Did you receive any error during logon on with the problematic account? To effectively troubleshoot account lockout issue, we need to enable auditing at the domain level for the following events: Account Logon Events Failure Account Management Success Logon Events Failure Process tracking Success (only relevant on Windows Server 2003) For more information, please refer to the following support article: Maintaining and Monitoring Account Lockout http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx Please check the “Enable Auditing at the Domain Level” and “Analyzing Event Logs” section. For your information, after you set the auditing and logging, wait until account lockouts occur. When the account lockout occurs, retrieve both the Security event log and the System event log, as well as the Netlogon logs for all of the computers that are involved with the client's lockout. This includes the PDC emulator operations master, the authenticating domain controller, and the client computers that have user sessions for the locked-out user. If any trouble is encountered, please let us know. If any error is showed, you can paste the log here for research. Thanks. NinaThis posting is provided "AS IS" with no warranties, and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
November 22nd, 2010 5:05am

Check out an article I have on User Account Lockout Troubleshooting at: http://www.pbbergs.com/windows/articles.htm -- Paul Bergson MVP - Directory Services MCITP: Enterprise Administrator MCTS, MCT, MCSE, MCSA, Security+, BS CSci 2008, Vista, 2003, 2000 (Early Achiever), NT4 http://www.pbbergs.com Twitter @pbbergs Please no e-mails, any questions should be posted in the NewsGroup This posting is provided "AS IS" with no warranties, and confers no rights.
November 22nd, 2010 8:07am

The Domain controllers in my environment are all Windows 2008R2. The Supported Operating Systems include Windows 2000;Windows NT;Windows Server 2003. It doesn't list Win2k8.. Have you used this in a 2008 environment?William McConnell
Free Windows Admin Tool Kit Click here and download it now
November 22nd, 2010 10:00am

Paul, I checked the area that you mention on User acct lockout Troubleshooting. The Acct Lockout tool that it referes to doesnt list Win2k8 as a supported system, with the tool. The Domain controllers in my environment are all Windows 2008R2. The tool's notes state: The Supported Operating Systems include Windows 2000;Windows NT;Windows Server 2003. Have you used this in a 2008 environment? William McConnell
November 22nd, 2010 10:04am

Hi, As Paul suggested, we can use Account Lockout and Management Tools for troubleshooting. It can be used on Windows Server 2008 as well. Thanks for your inquiry. Regards, NinaThis posting is provided "AS IS" with no warranties, and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
November 23rd, 2010 9:55pm

Thank you to everyone who assisted me with this issue. The tools are helpful and I was able to re-create a failed login attempt and account lockout. Unfortunately, it took much longer than expected because the event ID's are different for Windows 2003 and Windows 2008.. Not sure if anyone who commented on this thread is aware of it because no one mentioned it in their reply.. So.. I was testing and still could not find the login failures (event id 529) or account lockout (event id 644) with the tools.. even though one of the tools (EventCombMT.exe) is setup to automatically scan for logon issues, (event id's 529 644 675 676 681) they couldn't find any login failures in my domain.. I was able to manually find the login failures in the event viewer and that is when I discovered that the event ID's have changed.. (The links that you sent me discuss Windows 2000 nad 2003) The new event id's for troubleshooting login failures in a Windows 2008 environtment can be found here http://www.windowsecurity.com/articles/Event-IDs-Windows-Server-2008-Vista-Revealed.html So, when I searched on (event id 4771) and account lockout (event id 4740) it worked..William McConnell
November 29th, 2010 1:21pm

Hi William, Glad to hear that the issue has been resolved. Thanks for your feedback and sharing. Best Regards, NinaThis posting is provided "AS IS" with no warranties, and confers no rights.
Free Windows Admin Tool Kit Click here and download it now
November 29th, 2010 8:53pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics