Friday 3 June 2016

Identifying account lockouts with Windows Event Log

GPMC >> Default Domain Controllers Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Audit Policy and ensure the following are set:

Account Logon Events – Failure
Account Management – Success
Logon Events – Failure

You should look out for event ID 644 (which will appear as a Success event) on the DC with the PDC emulator.


Post a Comment