No EventID 4670 for account lockout?

  • Question

  • I am having a real problem getting EventID 4670 to show up in the Security log when an account is locked out. My DCs are 2012 (not R2), domain and forest level are at 2012. I received these events without issue when the DCs were 2008 R2. The upgrade of the DCs consisted of demoting the DC, removing from domain, clean install 2012, and promote.

    I have modified the Default Domain Controller Policy GPO to have "Computer/Windows Settings/Security Settings/Local Policies/Audit Policy" Audit account logon events, Audit account management, Audit directory service access, and Audit logon events are all set to "Success, Failure". Still no 4670 events.

    I also set "Computer/Windows Settings/Advanced Audit Policy Configuration/Logon/Logoff" Audit Account Lockout to "Success and Failure". Still no 4670 events.

    I also tried, using ADUC (Domain, Properties, Security, Advanced, Auditing), adding "Everyone", type "All", applies to "This object and all descendant objects", and gave essentially all permissions except full control. Still no 4670 events.

    Am I missing something, or have I gone about this all wrong?


    -Richard

    Friday, May 2, 2014 11:35 PM

Answers

  • Okay, so here is what I have come up with. The event ID is no longer 4670, but now 4740. I enabled it by changing the "Default Domain Controller Policy" Computer Configuration\Policies\Windows Settings\Advanced Audit Policy Configuration\Account Management\Audit User Account Management. I don't know why this was so hard to find, but there it is.

    -Richard

    Thursday, May 8, 2014 4:17 PM

All replies

  • Have you followed the procedure described, for example, here?

    http://www.morgantechspace.com/2013/11/Event-ID-4740-A-user-account-was-locked-out.html

    Remember GPO timing, or force the GPO with gpupdate /force.

    Regards

    Milos


    Saturday, May 3, 2014 6:22 AM
  • Hello,

    Have you checked for 4740 events in PDC emulator? This is the procedure I take when I face account lockout problems.

    Regards.


    Mahdi Tehrani | www.mahditehrani.ir
    This posting is provided AS-IS with no warranties, and confers no rights.

    Saturday, May 3, 2014 7:13 AM
    Moderator
  • Yes, I followed the steps to enable the 4670 event ID, but it is not appearing, even though I am triggering a lockout for a test user account. In fact, I am not getting any reporting for that user account when using an invalid password.

    -Richard

    Saturday, May 3, 2014 5:20 PM
  • Yes, and there are no events.

    -Richard

    Saturday, May 3, 2014 5:21 PM
  • You should check for 4740 events. Enable Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management via GPO and check for events. It is not logged by default.

    Regards.


    Mahdi Tehrani | www.mahditehrani.ir

    Sunday, May 4, 2014 6:26 AM
    Moderator
  • Hi,

    Event 4670 is "Permissions on an object were changed."

    I think you need to set the Audit Other Policy Change Events policy to check the result.

    Meanwhile, please refer to these articles:

    Audit Other Policy Change Events

    http://technet.microsoft.com/en-us/library/dn311459.aspx

    Advanced Security Audit Policy Settings

    http://technet.microsoft.com/en-us/library/dn319056.aspx

    Hope this helps.



    Vivian Wang


    Tuesday, May 6, 2014 2:42 AM
    Moderator
  • Hi,

    Please feel free to let us know if you have any update.

    Regards.


    Vivian Wang

    Thursday, May 8, 2014 7:24 AM
    Moderator
  • @Mahdi, my original message indicated that I already had set the audit account management policy settings.

    @Vivian, I suspect that your suggestion is correct, but it is not clear to me which of the advanced settings is necessary. Even the TechNet articles you pointed to don't seem to clear it up for me, but perhaps I just haven't read clearly enough. I already have the Logon/Logoff, Audit Account Lockout set to Success & Failure, but still no lockout events...


    -Richard

    Thursday, May 8, 2014 3:26 PM
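The following PowerShell script is an added example and is not part of the thread or of Microsoft's documentation. It works through the points that were raised above: the accepted answer (4740 comes from the Account Management\Audit User Account Management subcategory, set in the Default Domain Controllers Policy) and Mahdi's advice to look for 4740 on the PDC emulator. It also adds the one check nobody in the thread mentioned, that the domain lockout threshold is non-zero, since with a threshold of 0 no lockout ever happens and no 4740 can be logged. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DC, and a domain admin running from an elevated prompt; the test account name `lockouttest` and the `Invoke-TestLockout` helper are hypothetical and only for illustration.

```powershell
# Added example (not from the thread). Checks, on a 2012-level domain:
#   1. the domain actually locks accounts (LockoutThreshold > 0),
#   2. the "User Account Management" audit subcategory is effective on the PDC emulator,
#   3. which 4740 events the PDC emulator holds and which computer caused each lockout.
# Assumes RSAT ActiveDirectory module, PS remoting to the DC, elevated domain admin.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$pdc    = $domain.PDCEmulator   # lockouts are always processed here, so its Security log is authoritative

# --- 1. No lockout policy means no 4740, whatever the audit policy says ---
$pw = Get-ADDefaultDomainPasswordPolicy
if ($pw.LockoutThreshold -eq 0) {
    Write-Warning "LockoutThreshold is 0: accounts never lock out, so 4740 will never be logged."
}

# --- 2. Effective (post-GPO) audit policy on the PDC emulator ---
# auditpol /r emits CSV, so the lines returned from the DC convert straight into objects.
$audit = Invoke-Command -ComputerName $pdc -ScriptBlock {
    auditpol.exe /get /subcategory:"User Account Management" /r
} | ConvertFrom-Csv
$setting = $audit.'Inclusion Setting'
"$pdc : User Account Management = $setting"
if ($setting -notmatch 'Success') {
    Write-Warning ("Success auditing is off. Set Advanced Audit Policy Configuration\" +
                   "Account Management\Audit User Account Management to Success in the " +
                   "Default Domain Controllers Policy; 'auditpol /set' on the DC only lasts " +
                   "until the next policy refresh.")
}

# --- 3. Lockouts from the last 24 hours, decoded ---
# In 4740 the locked account is TargetUserName and the machine the bad passwords
# came from is TargetDomainName (shown as "Caller Computer Name" in Event Viewer).
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue

foreach ($ev in $lockouts) {
    $data = @{}
    foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time           = $ev.TimeCreated
        LockedAccount  = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
        LoggedOn       = $ev.MachineName
    }
}

# --- Optional: trigger a lockout for a throwaway test account (hypothetical helper) ---
# Sends LockoutThreshold+1 LDAP simple binds with a wrong password straight at the PDC,
# so the bad-password count is incremented where the lockout decision is made.
# Use only a dedicated test account: it WILL be locked.
function Invoke-TestLockout {
    param([string]$SamAccountName, [string]$Server = $pdc)
    $attempts = $pw.LockoutThreshold + 1
    for ($i = 0; $i -lt $attempts; $i++) {
        $de = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Server", "$($domain.NetBIOSName)\$SamAccountName", "definitely-wrong-$i")
        try { $null = $de.NativeObject } catch { }   # bind is rejected; count goes up
        $de.Dispose()
    }
}
# Invoke-TestLockout -SamAccountName 'lockouttest'   # then re-run section 3
```

Two caveats a practitioner should keep in mind when reading the thread. First, as soon as any Advanced Audit Policy Configuration subcategory is applied to a DC, Windows ignores the legacy "Audit account management" category setting under Local Policies\Audit Policy, so the first set of changes in the original question stops mattering once the Logon/Logoff subcategory was set; the subcategory has to be enabled explicitly, which is exactly what the accepted answer does. Second, the Logon/Logoff\Audit Account Lockout subcategory covers a failed logon attempt against an already locked account (event 4625 with the lockout status), not the moment the account becomes locked; that moment is 4740, and it belongs to Account Management\Audit User Account Management.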