No EventID 4670 for account lockout?
Question
-
I am having a real problem getting EventID 4670 to show up in the Security log when an account is locked out. My DCs are 2012 (not R2), domain and forest level are at 2012. I received these events without issue when the DCs were 2008 R2. The upgrade of the DCs consisted of demoting the DC, removing from domain, clean install 2012, and promote.
I have modified the Default Domain Controller Policy GPO to have "Computer/Windows Settings/Security Settings/Local Policies/Audit Policy" Audit account logon events, Audit account management, Audit directory service access, and Audit logon events are all set to "Success, Failure". Still no 4670 events.
I also set "Computer/Windows Settings/Advanced Audit Policy Configuration/Logon/Logoff" Audit Account Lockout to "Success and Failure". Still no 4670 events.
I also performed using ADUC, Domain, Properties, Security, Advanced, Auditing, and adding "Everyone", type "All", applies to "This object and all descendant objects", and gave essentially all except for full control. Still no 4670 events.
Am I missing something, or have I gone about this all wrong?
-Richard
Answers
-
Okay, so here is what I have come up with. The event ID is no longer 4670, but now 4740. I enabled it by changing the "Default Domain Controller Policy" Computer Configuration\Policies\Windows Settings\Advanced Audit Policy Configuration\Account Management\Audit User Account Management. I don't know why this was so hard to find, but there it is.
-Richard
- Marked as answer by Vivian_WangModerator Tuesday, May 13, 2014 8:41 AM
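
One way to run the checks this answer and the replies describe (the effective User Account Management audit setting on the DC, then a search for 4740 on the PDC emulator), as an added example that is not part of the original thread. It assumes an elevated session with the ActiveDirectory module, WinRM access to the DC, and English-language auditpol output; the 24-hour window is an arbitrary choice.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module (RSAT)
# is installed and WinRM remoting to the domain controller is allowed.
Import-Module ActiveDirectory

# The replies suggest looking on the PDC emulator, so resolve it first.
$pdc = (Get-ADDomain).PDCEmulator

# 1. Confirm the effective policy on the DC, not just what the GPO editor shows.
#    /r makes auditpol emit CSV; blank lines are dropped before parsing.
$policy = Invoke-Command -ComputerName $pdc -ScriptBlock {
    auditpol /get /subcategory:"User Account Management" /r |
        Where-Object { $_ } | ConvertFrom-Csv
}
"{0}: {1} = {2}" -f $pdc, $policy.Subcategory, $policy.'Inclusion Setting'

# 4740 is a Success event, so Success auditing must be on for it to be logged.
if ($policy.'Inclusion Setting' -notmatch 'Success') {
    Write-Warning "Success auditing is off for User Account Management; fix the GPO, then run 'gpupdate /force' on the DC."
}

# 2. Pull recent 4740 events. Get-WinEvent raises an error when nothing matches,
#    so suppress it and report the empty result explicitly.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Output "No 4740 events on $pdc in the last 24 hours."
} else {
    $events | ForEach-Object {
        $evt = $_
        # Index the named <Data> fields of the event for readable access.
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            TimeCreated    = $evt.TimeCreated
            LockedAccount  = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']  # 4740 stores the caller computer name here
            LoggedBy       = $data['SubjectUserName']
        }
    } | Format-Table -AutoSize
}
```

If step 1 reports Success auditing but step 2 still returns nothing, trigger a test lockout and rerun the query before changing any further policy settings.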
All replies
-
Have you followed the procedure described, for example, here?
http://www.morgantechspace.com/2013/11/Event-ID-4740-A-user-account-was-locked-out.html
Remember GPO timing or forcing the GPO with gpupdate with parameter force.
Regards
- Edited by Milos Puchta Saturday, May 3, 2014 6:23 AM
-
Hello,
Have you checked for 4740 events on the PDC emulator? This is the procedure I take when I face account lockout problems.
Regards.
Mahdi Tehrani
-
You should check for 4740 events. Enable Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management via GPO and check for events. It is not logged by default.
Regards.
Mahdi Tehrani
-
Hi,
Event 4670: Permissions on an object were changed.
I think you need to set the Audit Other Policy Change Events policy to check the result.
Meanwhile, please refer to these articles:
Audit Other Policy Change Events
http://technet.microsoft.com/en-us/library/dn311459.aspx
Advanced Security Audit Policy Settings
http://technet.microsoft.com/en-us/library/dn319056.aspx
Hope this helps.
Vivian Wang
- Edited by Vivian_WangModerator Tuesday, May 6, 2014 2:43 AM
-
-
@Mahdi, my original message indicated that I already had set the audit account management policy settings.
@Vivian, I suspect that your suggestion is correct, but it is not clear to me which of the advanced settings is necessary. Even the TechNet articles you pointed to don't seem to clear it up for me, but perhaps I just haven't read clearly enough. I already have the Logon/Logoff, Audit Account Lockout set to Success & Failure, but still no lockout events...
-Richard