Re: Centralizing Account Lockout events (Event ID 539) to only DC's w/

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/05/04

• Next message: _at_discussions.microsoft.com: "problems with my password... HELPP!!"
• Previous message: Steven L Umbach: "Re: Corrupt file WINTRUST.DLL"
• In reply to: CFB: "Centralizing Account Lockout events (Event ID 539) to only DC's w/"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 05 Nov 2004 00:30:05 GMT

Make sure that you have auditing of account management enabled in Domain
Controller Security Policy. You should see events 644 and 642 recorded on
the pdc fsmo domain controller when an account is locked out. I have not
verified that for Windows 2003 but it is worth checking. The link below
shows that event ID 644 still exists on W2003 for account management
auditing.

http://www.microsoft.com/technet/security/guidance/secmod128.mspx

Otherwise you can use Event Comb to scan the security logs of multiple
computers for specific events and log them to a text file if that is
helpful. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
  -- Event Comb available here.

"CFB" <CFB@discussions.microsoft.com> wrote in message
news:E75E134C-C2E8-4AAA-A891-83452D27B03A@microsoft.com...
> I'm the NA for a bank and we use "Intrust for Events" to log and report
> our
> account lockouts (regulatory requirement). In the past, we've only polled
> our
> DC's for lockouts. We just migrated to 2003, and I've found the client now
> records the lockout and the DC doesn't seem to get a carbon copy of the
> lockout (539). In my reading, it appears 2003 treats lockouts differently
> and
> "offloads" the event recording to the client PC, whcih the client
> dutifully
> records, but not the DC.
>
> Does anyone know of a way to have all "domain" security events sent to one
> of the DC's? Even if the client could somehow CC the DC. It would be a
> real
> PITA to have to coordinate the capture of 200 client's security logs, and
> not
> to mention the cost of licensing for 197 PC's instead of 3 DC's.
>
> Any ideas would be greatly appreciated!!
>
> Thanks!!

• Next message: _at_discussions.microsoft.com: "problems with my password... HELPP!!"
• Previous message: Steven L Umbach: "Re: Corrupt file WINTRUST.DLL"
• In reply to: CFB: "Centralizing Account Lockout events (Event ID 539) to only DC's w/"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: Event after Join ... If auditing of account management for success is enabled in Domain ... Controller Security policy you should see an event ID 645 in the security ... (microsoft.public.win2000.security) Re: Possible security issue??? ... auditing of account management was not enabled, so I enabled it in the domain ... so it accepting a blank username/password shouldn't have ... Also check in Domain Controller Security policy the user right for add ... (microsoft.public.win2000.security) Re: Adding Computers to the Domain ... You would already have had to have auditing of account management in place to find ... --- Steve ... >> In the Domain Controller Security Policy enable auditing on account ... (microsoft.public.win2000.security) Re: Domain admin users audit ... I don't receive any account management Event on Domain ... Controllers however i received all logon events, ... >Account Management auditing will cover the ... (microsoft.public.win2000.active_directory) Re: User get access denied error when prompted to change password adte Reset ... If you enable auditing of account management in the ... Domain Controller Security Policy, you may find useful info in the security ... make sure that the domain controllers do NOT have the ... (microsoft.public.win2000.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint