Hello anonymous user,
Thank you for posting here.
To troubleshoot account lockout, we can try the following steps.
1. Create the first GPO and link it to one OU with all DCs.
Legacy audit policy:
Computer Configuration\Windows settings\security settings\local policies\audit policy
Audit Account Logon Events – Failure
Audit Account Management – Success and Failure
Or use advanced audit policies (by default, once there is any advanced audit policy configured, advanced audit policies will overwrite legacy audit policies; if you have not configured any advanced audit policy, you only need to configure legacy audit policies):
Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration
Account Logon:
Audit Kerberos Authentication Service - Failure
Audit Credential Validation – Failure
Account Management:
Audit User Account Management – Success and Failure
2. Create the second GPO and link it to one OU with the servers or clients that users log on to (here the user accounts were locked out). You can also set it via local group policy if you have only one client for testing.
Legacy audit policy:
Computer Configuration\Windows settings\security settings\local policies\audit policy
Audit Logon Events – Failure
Audit Process Tracking – Failure
Or use advanced audit policies (by default, once there is any advanced audit policy configured, advanced audit policies will overwrite legacy audit policies; if you have not configured any advanced audit policy, you only need to configure legacy audit policies):
Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration
Logon/Logoff:
Audit Account Lockout – Failure
Audit Logon – Failure
Detailed Tracking:
Audit Process Creation – Failure
Audit Process Termination – Failure
3. We can run the following commands on the domain controllers and client to force a policy refresh and check whether the related audit policy settings are enabled:
gpupdate /force
auditpol /get /category:*
If the account is locked out again, or after you reproduce the account lockout issue, we can check Event ID 4771 and Event ID 4740, or Event ID 4776 and Event ID 4740, on the DC.
We can check if there is Caller Computer Name information via Event ID 4740 on the DC.
We can check if there is Caller Computer Name information or Caller Process Name information via Event ID 4625 on the client the user logs on to.
Hope the information above is helpful.
Should you have any question or concern, please feel free to let us know.
Best Regards,
Daisy Zhou
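
The event lookup described at the end of the answer above, as an added PowerShell example that is not part of the original post: it pulls the caller computer, caller process and source address out of 4740 and 4625 event XML by field name. The function name `ConvertFrom-LockoutEvent` is hypothetical, and the two sample events (account, host names, address, timestamps) are constructed for illustration.

```powershell
# Added example: extract the lockout source from Security event XML by field name.
function ConvertFrom-LockoutEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $evt  = ([xml]$EventXml).Event
        $data = @{}
        foreach ($node in $evt.EventData.Data) { $data[$node.Name] = $node.'#text' }
        # EventID is plain text unless the element carries attributes
        $idNode = $evt.System.EventID
        $id = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }
        switch ($id) {
            4740 {  # on the DC: Caller Computer Name is stored in TargetDomainName
                [pscustomobject]@{
                    EventId = $id; Time = $evt.System.TimeCreated.SystemTime
                    Account = $data.TargetUserName
                    CallerComputer = $data.TargetDomainName
                    CallerProcess = $null; SourceIp = $null }
            }
            4625 {  # on the logon client: failed logon with caller process details
                [pscustomobject]@{
                    EventId = $id; Time = $evt.System.TimeCreated.SystemTime
                    Account = $data.TargetUserName
                    CallerComputer = $data.WorkstationName
                    CallerProcess = $data.ProcessName; SourceIp = $data.IpAddress }
            }
            default { Write-Warning "Skipping event ID $id" }
        }
    }
}

# Constructed sample events (not taken from a real log)
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample4740 = "<Event xmlns='$ns'><System><EventID>4740</EventID>" +
    "<TimeCreated SystemTime='2024-01-15T09:12:44Z'/></System><EventData>" +
    "<Data Name='TargetUserName'>jdoe</Data>" +
    "<Data Name='TargetDomainName'>WKSTN-042</Data></EventData></Event>"
$sample4625 = "<Event xmlns='$ns'><System><EventID>4625</EventID>" +
    "<TimeCreated SystemTime='2024-01-15T09:12:41Z'/></System><EventData>" +
    "<Data Name='TargetUserName'>jdoe</Data>" +
    "<Data Name='WorkstationName'>WKSTN-042</Data>" +
    "<Data Name='ProcessName'>C:\Windows\System32\svchost.exe</Data>" +
    "<Data Name='IpAddress'>10.0.0.42</Data></EventData></Event>"

$sample4740, $sample4625 | ConvertFrom-LockoutEvent | Format-Table -AutoSize

# Against a live Security log (run elevated on the DC for 4740, on the client for 4625):
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740,4625} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-LockoutEvent
```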