Event log for disabled account

Discussion:

(too old to reply)

Troy Tate

2004-07-29 18:49:01 UTC

When an account is disabled or locked out due to too many attempts
with an incorrect password, is this logged to any event log (WinNT4)?
I have tested locking an account and do not see any events being
logged. I would like to use some paging software to notify me in
advance that a user account is locked out prior to being called by the
user.

Thanks for your assistance.

Roger Abell

2004-07-30 14:38:23 UTC

Permalink

Yes, account lockout can be audited if you have the
audit policy set to log the logon events. You will find
the records at the machine where the authentication was
processed. For example, you may need to check the
logs of all domain controllers using a tool such as
EventCombMT released by MS
--
Roger Abell
Microsoft MVP (Windows Server System: Security)
MCSE (W2k3,W2k,Nt4) MCDBA

Post by Troy Tate
When an account is disabled or locked out due to too many attempts
with an incorrect password, is this logged to any event log (WinNT4)?
I have tested locking an account and do not see any events being
logged. I would like to use some paging software to notify me in
advance that a user account is locked out prior to being called by the
user.
Thanks for your assistance.

Troy Tate

2004-07-30 14:57:23 UTC

Permalink

This is on the PDC and it is processing the authentication. So, I
would expect the event to be logged on this server.

Post by Roger Abell
Yes, account lockout can be audited if you have the
audit policy set to log the logon events. You will find
the records at the machine where the authentication was
processed. For example, you may need to check the
logs of all domain controllers using a tool such as
EventCombMT released by MS