Dear All,
I need your guidance for the following issue which I am facing.
I have 2 domain controllers to authenticate user login only. The account lockout policy is set to lock accounts after 5 login attempts.
Logs are sent from the workstations (90) and the domain controllers (2) to RSA Envision.
The parameters in the RSA Envision are: 1) Windows - Account Locked Out; 2) Windows - Failed Logons in AE Domain; 3) Windows - Account Changes Details (Create, Delete, Modify)
Issue / Problem:
The reports generated from the RSA Envision for #2, Windows - Failed Logons in AE Domain, have the following:
1) Windows - Failed Logons in AE Domain --- Unsuccessful Login attempts ---
EventTime: 9/2/2015 20:20; UserName: chandy; Count of Messages: 18
EventTime: 9/2/2015 20:23; UserName: chandy; Count of Messages: 11
EventTime: 9/2/2015 20:08; UserName: chandy; Count of Messages: 11
EventTime: 6/2/2015 21:11; UserName: ruby; Count of Messages: 10
EventTime: 9/2/2015 20:07; UserName: chandy; Count of Messages: 10
EventTime: 10/2/2015 5:37; UserName: dadhi; Count of Messages: 10
EventTime: 9/2/2015 20:15; UserName: chandy; Count of Messages: 9
EventTime: 10/2/2015 5:40; UserName: dadhi; Count of Messages: 8
EventTime: 9/2/2015 10:54; UserName: roomi; Count of Messages: 7
Seeking your advice:
1) What does count of messages mean?
2) If the count of messages is presumed to be failed login attempts, they are not getting locked out.
3) Is something wrong in the RSA Envision log server or the domain controller?
4) See this trend when a person changes password after expiry.