This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 57.99999999999999%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESJ%3C/text%3E%3C/svg%3E)
I am trying to identify where a user account lockout keeps happening, by searching for the source in our DC's event logs -> Windows Logs -> Security, but I am not seeing any lock out events in our domain controller. I can see other successful logon/logoff events for all users, but nothing matching ID 4740 User Account Lockout. My hunch is that this is not enabled/being logged, and I was hoping to find the right GPO setting to enable this. Is it the GPO for Computer Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy -> Audit User Account Management ? Or is there another one? Please help!!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
Based on experience, you are right .
If you can't find any events about the account lockout , then we need to enable the audit policy on the Domain controllers under[Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management]
You can enable or disable it as your requirements.
According to the audit events on PDC determine which clients or DCs sent the failed authentication request. If the failed authentication request was sent by a DC, then we should gather the audit event on the DC. So we can find out which clients sent the BAD password.
After we get the workstations IP, then we need enable Audit Logon Events – Failure and Audit Process Tracking for this client, then analyze the event log to find out which process or apps send the BAD passwod.
Best Regards,
Hi,
Just checking in to see if the information provided was helpful.
Please let us know if you would like further assistance.
Best Regards,
Hi,
Just checking in to see if the information provided was helpful.
If the reply helped you, please remember to mark it as an answer.
If no, please reply and tell us the current situation in order to provide further help
Best Regards,
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 47%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJN%3C/text%3E%3C/svg%3E)
In the corresponding Group Policy Object (or Local policy if you configured auditing there)
If you use Advanced Audit Policy please check the following setting:
Even if Group Policy Object is configured correctly there might still be some conflicts that prevent GP from applying correctly.
To find out the effective audit policy on a DC, execute the following command auditpol /get /category:* In the output check that User Account Management is set to Success
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 31%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EE%3C/text%3E%3C/svg%3E)
Did you check all of the DC's? You can try and use this tool -> https://www.microsoft.com/en-us/download/details.aspx?id=15201 It queries all of the DC's on the network.