The account lockout source can be identified, by enabling
NetLogon Logging is enabled in the Primary Domain Controller(PDC).It is used to capture NetLogon and NTLM events.
Using NetLogon Logging ,we can extract the following information:
In order to effectively troubleshoot the account lockout scenario, we have to enable domain level auditing for certain specific events such as ,
| Audit Settings | Events |
|---|---|
| Account Logon Events | Failure |
| Account Management | Success |
| Logon Events | Failure |
After enabling auditing, account lockout events will be created in the security log for each invalid logon attempt(logon failure) and account lockout.Each specific events are tagged with the specific event id,so that it reduces the burden in analyzing and solving the account lockout issues. Some of the account lockout event ids bearing the account lockout source information are 529, 644, 675, 676, and 681(Windows Server 2003).
If account lockouts involve Kerberos clients , then you can enable Kerberos logging on those client computers. Once Kerberos logging is enabled, certain events will be logged when an user account invokes invalid login attempt by providing incorrect password, and during account lockout.
Incorrect Password: This event is logged when an incorrect password is provided by an user in a Kerberos client,during the authentication request.
Account Lockout: This event is logged when an user account is locked out in a Kerberos authentication enabled client system.