Auditing Account Lockouts

[nevets2001uk]

For a while now we've been auditing failed login attempts on our Domain Controllers but recently were asked about recorded lockouts of accounts.

I found that by enabling the success audit for the Audit Account Management setting we were able to ensure that future lockouts get recorded as 644 events in the event log, however this also induces many other events to be recorded, such as every time we ammend a group membership etc.

Is there a way to force to recording of account lockouts in the event log (or any other log) but to avoid recording all of the other success events?

Steve G (MCSE / MCSA:Messaging)

 

[wallst32]

I don't believe you can restrict account management auditing to individual events with the event logging service, but there are some free filtering tools available. You can easily generate a report that filters for the event you're looking for.

Search for elogdmp.exe, dumpel.exe, or Event Comb.

All of these tools were parts of various Microsoft Resource Kits; I don't recall the exact years though.

If this is a big enough concern for your company there are several 3rd party utilties that offer a lot more than the basic filtering the reskit tools can provide.