Why the process information is empty in audit policy tracking

Sidiki CAMARA 41 Reputation points
2021-03-03T17:19:08.71+00:00

Hello dear community,

I have enabled my DC to log 'audit process tracking' in local policies: success and failure.
The goal is to identify the process locking out accounts.
I'm able to filter out events on 4625, but for some reason the field 'caller process name' is empty.

Can anyone suggest a step to resolve this?

PS: For test purposes, I typed the wrong password many times on a web application portal that uses AD accounts. The account gets locked, but no process name. I even tried locking the account through shares, in vain.

Thank you.

Windows Server Security

1 answer

  1. Daisy Zhou 12,921 Reputation points Microsoft Employee
    2021-03-04T03:23:15.057+00:00

    Hello anonymous user,

    Thank you for posting here.

    For troubleshooting an account lockout, we can try the following steps.

    1. Create the first GPO and link it to one OU with all DCs.
    Legacy audit policy:
    Computer Configuration\Windows settings\security settings\local policies\audit policy
    Audit Account Logon Events – Failure
    Audit Account Management - Success and Failure

    Or use advanced audit policies (by default, once there is any advanced audit policy configured, advanced audit policies will overwrite Legacy audit policies, if you have not configured any advanced audit policy, you only need to configure Legacy audit policies):
    Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration
    Account Logon:
    Audit Kerberos Authentication Service - Failure
    Audit Credential Validation – Failure

    Account Management:
    Audit User Account Management – Success and Failure

    2. Create the second GPO and link it to one OU with the servers or clients that users log on to (here, where the user accounts were locked out). You can also set it via local group policy if you have only one client for testing.

    Legacy audit policy:
    Computer Configuration\Windows settings\security settings\local policies\audit policy
    Audit Logon Events – Failure
    audit process tracking – Failure

    Or use advanced audit policies (by default, once there is any advanced audit policy configured, advanced audit policies will overwrite legacy audit policies; if you have not configured any advanced audit policy, you only need to configure legacy audit policies):
    Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration
    Logon/Logoff:
    Audit Account Lockout – Failure
    Audit Logon – Failure

    Detailed Tracking:
    Audit Process Creation – Failure
    Audit Process Termination – Failure

    3. We can run the following commands on the domain controllers and the client to force a policy refresh and check whether the related audit policy settings are enabled:

    gpupdate /force
    auditpol /get /category:*

    If the account is locked out again, or after you reproduce the account lockout issue, we can check Event ID 4771 and Event ID 4740, or Event ID 4776 and Event ID 4740, on the DC.

    We can check if there is Caller Computer Name information via Event ID 4740 on DC.

    We can check if there is Caller Computer Name information or Caller Process Name information via Event ID 4625 on user logon client.

    Hope the information above is helpful.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

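The two-hop lookup the answer describes (4740 on the DC to learn the caller computer, then 4625 on that computer to read the Process Information fields) can be scripted instead of clicked through in Event Viewer. The script below is an added example and is not code from the thread or from Microsoft; the DC name and the account name are placeholders, and it assumes the account running it can read the Security log on the remote machines (Get-WinEvent -ComputerName talks to the remote Event Log service over RPC).

```powershell
# Added example (not part of the original thread): trace an account lockout from the
# DC's 4740 event to the 4625 events on the caller computer, where the
# "Caller Process Name" field the question asks about is actually filled in.
# Assumptions: $DomainController is a reachable DC and the caller can read the
# Security log remotely. Names below are placeholders, not values from the thread.

param(
    [string]$DomainController = 'DC01',   # placeholder, replace with a real DC name
    [string]$TargetUser       = 'jdoe',   # placeholder account that keeps locking out
    [int]   $LookbackHours    = 24
)

# Pull a named <Data Name="..."> field out of an event's XML payload.
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' } else { return $null }
}

$since = (Get-Date).AddHours(-$LookbackHours)

# Step 1 (DC): 4740 "A user account was locked out". The value Event Viewer shows
# as "Caller Computer Name" is stored in the TargetDomainName data field of 4740.
$lockouts = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue | Where-Object {
    (Get-EventDataField $_ 'TargetUserName') -eq $TargetUser
}

if (-not $lockouts) {
    Write-Host "No 4740 events for $TargetUser on $DomainController in the last $LookbackHours h"
    return
}

$callers = $lockouts | ForEach-Object {
    [pscustomobject]@{
        Time           = $_.TimeCreated
        CallerComputer = Get-EventDataField $_ 'TargetDomainName'
    }
}
$callers | Format-Table -AutoSize

# Step 2 (caller computer): 4625 failed logons for the same user, including the
# Process Information fields. They are populated on the machine that processed the
# logon attempt, which is why the answer points at 4625 on the logon client rather
# than only at the DC. A value of '-' means the field was not recorded.
foreach ($computer in ($callers.CallerComputer | Sort-Object -Unique)) {
    Write-Host "`n=== Failed logons for $TargetUser on $computer ==="
    Get-WinEvent -ComputerName $computer -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataField $_ 'TargetUserName') -eq $TargetUser } |
    ForEach-Object {
        [pscustomobject]@{
            Time              = $_.TimeCreated
            LogonType         = Get-EventDataField $_ 'LogonType'
            CallerProcessName = Get-EventDataField $_ 'ProcessName'
            CallerProcessId   = Get-EventDataField $_ 'ProcessId'
            SourceWorkstation = Get-EventDataField $_ 'WorkstationName'
            SourceAddress     = Get-EventDataField $_ 'IpAddress'
            FailureStatus     = Get-EventDataField $_ 'Status'
        }
    } | Format-Table -AutoSize
}

# To confirm the audit settings from step 3 of the answer on the caller computer,
# run this locally there (auditpol has no remote option):
#   auditpol /get /category:*
```

Run it on any domain-joined admin workstation as `.\Trace-Lockout.ps1 -DomainController dc01 -TargetUser jdoe`. If the 4625 rows on the caller computer show a network logon type with no process name, the failing credentials were submitted from yet another host (the SourceWorkstation and SourceAddress columns), and the same lookup has to be repeated there.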