DCs not auditing locked account event ID 4740

  • Question

  • Hi All, 

    I have an issue where a particular account keeps locking, and I was trying to troubleshoot by looking at the security logs on our DCs using EventCombMT, searching for 4740 IDs. I can't find any in the logs at all; even after deliberately locking test accounts I cannot find any events returning 4740, only 4625s, which aren't much help. 

    I'm beginning to think the DCs aren't logging this information, so I looked a little further. 

    All the audit settings are configured within the Default Domain Controllers GP, which is being applied (checked by the gpresult /H gp.htm report).

    I also checked with auditpol:


    C:\Windows\system32>auditpol /get /category:*
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               No Auditing
      System Integrity                        No Auditing
      IPsec Driver                            No Auditing
      Other System Events                     No Auditing
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   Success and Failure
      Logoff                                  No Auditing
      Account Lockout                         Success and Failure
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           No Auditing
      Other Logon/Logoff Events               No Auditing
      Network Policy Server                   No Auditing
      User / Device Claims                    No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              No Auditing
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     No Auditing
      Removable Storage                       No Auditing
      Central Policy Staging                  No Auditing
    Privilege Use
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
      Sensitive Privilege Use                 No Auditing
    Detailed Tracking
      Process Creation                        No Auditing
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
    Policy Change
      Authentication Policy Change            No Auditing
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
      Audit Policy Change                     No Auditing
    Account Management
      User Account Management                 No Auditing
      Computer Account Management             No Auditing
      Security Group Management               No Auditing
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         No Auditing
    DS Access
      Directory Service Changes               No Auditing
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
      Directory Service Access                No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              No Auditing
      Kerberos Authentication Service         No Auditing
      Credential Validation                   No Auditing

    C:\Windows\system32>

    Yet no 4740 events are being logged.

    Any ideas?

    Wednesday, July 2, 2014 6:37 AM

Answers

  • Ok, 

    I have resolved this myself after digging a little further:

    My environment is 2008 R2 and above, so the old legacy audit policies were doing peculiar things like not auditing. So in the Domain Controller GP I set these back to 'Not Defined':

    Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

    Then I started configuring Advanced Audit Policies instead:

    Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration

    Also ensure that the 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' policy setting under Local Policies\Security Options is set to Enabled.

    These then apply correctly, as displayed by the command auditpol /get /category:*.

    After testing and locking an account, I'm now getting correct auditing and seeing 4740 events. 

    Resources used to assist in my resolution:

    http://technet.microsoft.com/en-us/library/ff182311(v=ws.10).aspx

    http://technet.microsoft.com/en-us/library/dd408940(v=ws.10).aspx


     


    • Marked as answer by CRpub86 Thursday, July 3, 2014 3:23 AM
    • Edited by CRpub86 Thursday, July 3, 2014 3:28 AM
    Thursday, July 3, 2014 3:23 AM
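The following PowerShell is an added verification script for the procedure in the accepted answer; it is not code from the thread or from Microsoft. It assumes an elevated PowerShell session on a domain controller with the ActiveDirectory module (RSAT) installed. The registry value SCENoApplyLegacyAuditPolicy (the storage for the "Force audit policy subcategory settings" option), the Account Lockout subcategory GUID and the 4740 field names are Microsoft-documented; the function names are my own. It checks that the subcategory override is actually in force, reads the Account Lockout subcategory through auditpol's CSV output, and then queries 4740 on the PDC emulator, which is where the lockout is recorded.

```powershell
# Added example (not from the thread). Run elevated on a DC; step 3 needs RSAT's
# ActiveDirectory module. Function names are hypothetical, the values checked are
# the ones Microsoft documents for these settings.

function Test-LockoutAuditConfig {
    # 1. "Audit: Force audit policy subcategory settings (Windows Vista or later)
    #    to override audit policy category settings" is stored as the REG_DWORD
    #    SCENoApplyLegacyAuditPolicy under the Lsa key; 1 means Enabled. Without
    #    it the legacy nine-category policy can win over the subcategories.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $overrideEnabled = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

    # 2. Ask auditpol for the Account Lockout subcategory by its well-known GUID
    #    (subcategory names are localized, GUIDs are not). /r emits CSV, which
    #    avoids the padded table that truncates "Success and Failure" on an
    #    80-column console, as seen in the question.
    $guid = '{0CCE9217-69AE-11D9-BED3-505054503030}'
    $rows = auditpol /get "/subcategory:$guid" /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'

    # 4740 is logged as an Audit Success event, so "Success" must be included.
    [pscustomobject]@{
        SubcategoryOverrideEnabled = $overrideEnabled
        AccountLockoutAuditing     = $setting
        Ready                      = ($overrideEnabled -and ($setting -match 'Success'))
    }
}

function Get-RecentLockouts {
    param([int]$Hours = 24)
    # 3. The lockout event is written on the PDC emulator, so query that DC
    #    rather than whichever one you happen to be logged on to.
    Import-Module ActiveDirectory -ErrorAction Stop
    $pdc = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the EventData fields out of the event XML. In 4740 the locked
        # account is TargetUserName, and the "Caller Computer Name" shown in the
        # rendered message is carried in the TargetDomainName field.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $e.TimeCreated
            LockedAccount  = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
            PdcEmulator    = $pdc
        }
    }
}

$check = Test-LockoutAuditConfig
$check | Format-List
if (-not $check.Ready) {
    Write-Warning 'Subcategory auditing is not in force. Fix the GPO as described above, run gpupdate /force on the DC, lock a test account, then re-run.'
}
else {
    Get-RecentLockouts -Hours 24 | Format-Table -AutoSize
}
```

Two caveats when using this: do not "fix" the problem with auditpol /set on the DC, because Group Policy rewrites the effective audit policy at the next refresh and the legacy Audit Policy section of the Default Domain Controllers Policy will undo it; the durable fix is the one in the answer (legacy entries to Not Defined, subcategories under Advanced Audit Policy Configuration, and the override option Enabled). And an empty result from Get-RecentLockouts after the policy change is expected until a fresh lockout occurs, since the earlier lockouts were never written.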

All replies

  • Hi,

    The actual lockout is only logged on the DC holding the PDC emulator FSMO role.

    To trace lockout issues, I would recommend the Account Lockout toolkit:

    http://www.microsoft.com/en-us/download/details.aspx?id=18465

    Also check on this nice blog:

    http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx


    MCP/MCSA/MCTS/MCITP

    Wednesday, July 2, 2014 12:18 PM
  • Hi thanks for responding, 

    The DC I'm querying the logs on is the PDC emulator FSMO. I've looked at the blog and it's good; however, it doesn't help me, as the problem is that the DC is not logging 4740 events. I'm a bit lost on what to do. Any takers?

    Thursday, July 3, 2014 12:44 AM
  • Hi,

    Thank you so much for your sharing!

    Your response is very beneficial to other people who have similar issues.

    Please feel free to let us know if there are any issues in the future.

    Have a nice day!

    Amy

    Friday, July 4, 2014 9:27 AM
  • Thank you, same thing for me :)

    Must use: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration instead of Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy.

    Then activate: Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.


    Tuesday, September 26, 2017 9:37 AM