Re: Account Unlock event not written to the eventlog

From: Eric Fitzgerald [MSFT] (ericf@online.microsoft.com)
Date: 12/31/02

• Next message: Eric Fitzgerald [MSFT]: "Re: Security Event ID: 627, 560"
• Previous message: Karl Levinson [x y] mvp: "Re: IPSEC Filter"
• In reply to: Aaron Lister: "Account Unlock event not written to the eventlog"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com>
Date: Tue, 31 Dec 2002 13:30:15 -0800

Auto-unlock does not generate an event, because no change happens to the
account. When the account is locked, the DC sets a lockouttime timestamp on
the account to say when it is allowed to log back on. When someone uses the
account, the DC checks the timestamp- if it is 0 or in the past, the account
may be used. If it is in the future, the DC returns the error that the
account is locked.

-- 
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
"Aaron Lister" <alister@ems-global.com> wrote in message
news:OugcNTtqCHA.1636@TK2MSFTNGP12...
> Auditing is turned on for:
>     Audit Account Logon Events
>     Audit Account Management
>     Audit Logon Events
>
> Account Lockout Policy is set to the following:
>     Account Lockout Duration    =    30 mins
>     Account Lockout Threshold    =    3 invalid attempts
>     Reset Account Lockout Counter after =    30 mins
>
> All account lockouts appear in the event log, but only accounts that were
> unlocked manually (by an administrator) are logged to the event log.
> If the Account lockout duration rule fires to unlock an account, there is
no
> entry in the event log for this unlock.
>
> Does anyone know why this is so, and how I can capture these unlocks?
>
> Regards
> Aaron
>
>
>
>
>
>

• Next message: Eric Fitzgerald [MSFT]: "Re: Security Event ID: 627, 560"
• Previous message: Karl Levinson [x y] mvp: "Re: IPSEC Filter"
• In reply to: Aaron Lister: "Account Unlock event not written to the eventlog"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: Finding Domain Service Running Every 12 Hours ... The Audit Policy was already in effect, we use a network log collection tool ... Not Locked - which is what I would expect for a Domain Admin account. ... When the account lockout occurs, we can retrieve both the Security ... event log and the System event log for all of the computers that are ... (microsoft.public.windows.server.general) Re: Account lockouts ... for reusable passwords and the AAA infrastructures that rely upon them? ... In that context, account lockout policy -- duration, threshold, lockout ... > cracking attacks. ... (microsoft.public.security) Re: User accounts are being locked out ... Password Policy and Account Lockout Policy are both domain-wide policies, ... machineA and machineB. ... download updated signature files located on a network share. ... (microsoft.public.windows.server.general) Re: User accounts are being locked out ... There are about 95 PCs in the network and we have physically disconnected all ... > Password Policy and Account Lockout Policy are both domain-wide policies, ... > machineA and machineB. ... > Increased Account Lockout Frequency in Windows 2000 Domain: ... (microsoft.public.windows.server.general) RE: Account Lockout -- ARGH ... In our case it was SMS 2.0 causing ... Subject: Account Lockout -- ARGH ... All security events are logged. ... (Focus-Microsoft)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint