Prevent (mostly) duplicate account lockout subscriptions from being sent

We have an account lockout rule configured to look for Event ID 4740. We also have a subscription set up for this rule to e-mail our helpdesk.

We would like to tweak the rule/subscription to prevent notification when two domain controllers register the lockout at the same time. Currently, our helpdesk is receiving e-mails for the same lockout from two domain controllers, about 50% of the time.

The alerts are mostly identical except for the Source and Account Name fields, which contain the domain controller name.

We cannot filter to a single domain controller because we may miss an account lockout that registers on a filtered DC.

Any assistance is appreciated.




  • Edited by JWise1203 19 hours 38 minutes ago
January 16th, 2014 10:36am

This might be doable, but you would have to identify the parameter that stores the USER ID/ACCOUNT name. If that is not a parameter (use the logparser tool to find out), then you are basically hosed.

If the description can be parsed, and user id/account is a particular parameter, then you can do alert consolidation based on the event source and user id (parameter).


January 17th, 2014 12:28am
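
The consolidation suggested in the reply above, sketched as an added example that is not part of either post and is not a SCOM management pack: 4740 events are grouped by the locked-out account within a short window, so the same lockout reported by two domain controllers yields one alert. The function name, the 60-second window and the sample events are assumptions made for illustration; `TargetUserName` (the locked-out account) and `SubjectUserName` (the reporting DC's machine account) are taken to be the EventData field names of Event ID 4740.

```powershell
# Constructed sample events (not real data): the same lockout seen by two DCs,
# a lockout seen by one DC only, and a later, separate lockout of the first account.
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2014-01-16T10:30:02'; Computer = 'DC01'; SubjectUserName = 'DC01$'; TargetUserName = 'jdoe' }
    [pscustomobject]@{ TimeCreated = [datetime]'2014-01-16T10:30:03'; Computer = 'DC02'; SubjectUserName = 'DC02$'; TargetUserName = 'jdoe' }
    [pscustomobject]@{ TimeCreated = [datetime]'2014-01-16T10:31:10'; Computer = 'DC02'; SubjectUserName = 'DC02$'; TargetUserName = 'asmith' }
    [pscustomobject]@{ TimeCreated = [datetime]'2014-01-16T11:15:40'; Computer = 'DC01'; SubjectUserName = 'DC01$'; TargetUserName = 'JDoe' }
)

function Group-LockoutAlert {
    # Hypothetical helper: one alert per locked-out account per time window.
    param(
        [Parameter(Mandatory = $true)] [object[]] $LockoutEvent,
        [int] $WindowSeconds = 60   # assumed window; tune to DC replication delay
    )
    $open   = @{}                                    # account -> alert currently open for it
    $alerts = New-Object System.Collections.ArrayList
    foreach ($e in ($LockoutEvent | Sort-Object TimeCreated)) {
        # Key on the locked-out account only. The reporting DC (Computer,
        # SubjectUserName) is deliberately left out of the key, because it is
        # the one field that differs between the duplicate alerts.
        $key   = $e.TargetUserName.ToLowerInvariant()
        $alert = $open[$key]
        if ($alert -and ($e.TimeCreated - $alert.FirstSeen).TotalSeconds -le $WindowSeconds) {
            # Same account inside the window: fold into the open alert.
            $alert.RepeatCount++
            if ($alert.ReportedBy -notcontains $e.Computer) { $alert.ReportedBy += $e.Computer }
            continue
        }
        # First sighting, or the window has expired: this is a new lockout.
        $alert = [pscustomobject]@{
            Account     = $e.TargetUserName
            FirstSeen   = $e.TimeCreated
            RepeatCount = 1
            ReportedBy  = @($e.Computer)
        }
        $open[$key] = $alert
        [void]$alerts.Add($alert)
    }
    $alerts
}

# One row per notification that would be sent to the helpdesk.
Group-LockoutAlert -LockoutEvent $sample |
    Select-Object Account, FirstSeen, RepeatCount, @{ n = 'ReportedBy'; e = { $_.ReportedBy -join ',' } } |
    Format-Table -AutoSize
```

Because no domain controller is filtered out, a lockout that registers on only one DC still produces its alert, which is the constraint stated in the question.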
