event viewer system log

  • Question

  • Hello:

    I am to review our log file to make sure that when a user account is locked out the appropriate event ID is created, and that the appropriate event ID is also created when a user is unlocked. I have noticed that this logic is not "correct", I guess. Example: I had a user who was locked out seven (7) different times in one day. There were 7 event IDs for that one person, but there were only 3 event IDs showing that the user was unlocked.

    Shouldn't the # of lockouts = the # of unlocks? Am I missing something? I'm thinking that there should be an "event ID" recorded in the system log for each "transaction".

    I thought that this might happen if we had set up the accounts to auto unlock after so many minutes, but we do not turn that on. The users have to call me to get unlocked.

    Thursday, February 10, 2011 8:48 PM

All replies

  • I tried to set an "Account lockout threshold" group policy to do the test.

    The event log I got is the same before and after the user account is locked when the user tries to log on:

    Event ID 4771

    Kerberos pre-authentication failed

    Keywords: Audit Failure

    Thus I would like to know if this is the cause of the issue.

     


    Shaon Shan |TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tngfb@microsoft.com
    Friday, February 11, 2011 9:28 AM
  • Sorry, but what am I missing? I don't see how this relates to my issue. If it does, could you please explain your thought process a little more?

    Thanks,

    Friday, February 11, 2011 4:31 PM
  • Sorry if I did not explain clearly.

    I mean in my test, the log created in Event Viewer is the same before and after the user account is locked. Thus, I would like to confirm if actually the user account is locked twice, but as the user keeps trying to log on, there are more than 2 logs (in this case it is 7 times) logged in Event Viewer.

    If that is not the case please accept my apology.


    Shaon Shan |TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tngfb@microsoft.com
    Wednesday, February 16, 2011 3:09 PM
  • Sorry, I had to re-read your response like 6 times before I got what you were saying.

    What you are asking to confirm, "I would like to confirm if actually the user account is locked twice, but as the user keeps trying to log on, there are more than 2 logs (in this case it is 7 times) logged in Event Viewer", I believe is what I am asking.

    If a user is already locked out and they keep trying, will it generate another "account locked" event ID in the system log? Or is it a 1 to 1 ratio, such that if a user is locked out it will not generate another "account locked" event ID until it is unlocked by an administrator?

    My thinking is that it is a 1 to 1 ratio. For every "account locked" event ID there should be an "account unlocked" event ID.

    Thursday, February 17, 2011 11:26 PM
  • In my test, after the test account was locked, when I tried to log on again, on the client side I got an error like "account is locked", and in Event Viewer one more log was generated (and it is the same as the logs created before the account was locked).

    So yes, it will generate another account locked event ID even if the account is locked out.


    Shaon Shan |TechNet Subscriber Support in forum |If you have any feedback on our support, please contact tngfb@microsoft.com
    • Marked as answer by Miller-IT Tuesday, February 22, 2011 5:37 PM
    Friday, February 18, 2011 6:46 AM
  • Thanks for the help.

    Miller-it

    Tuesday, February 22, 2011 5:37 PM
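
Added example, not part of the thread: one way to check the 1-to-1 question is to count lockout and unlock events per account separately from the failed logons (Event ID 4771, as seen in the test above) that are logged while the account is already locked. Event IDs 4740 (account locked out) and 4767 (account unlocked) are not mentioned in the thread and are assumed here as the audit events to reconcile; the function name `Measure-LockoutBalance`, the account `jdoe` and all sample events are constructed.

```powershell
# Constructed sample events (not taken from the thread). On a domain controller,
# objects of this shape could be built from the Security log with
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4767, 4771 }.
$events = @(
    [pscustomobject]@{ Time = [datetime]'2011-02-10T08:00:00'; Id = 4771; Account = 'jdoe' }
    [pscustomobject]@{ Time = [datetime]'2011-02-10T08:01:00'; Id = 4740; Account = 'jdoe' }
    [pscustomobject]@{ Time = [datetime]'2011-02-10T08:02:00'; Id = 4771; Account = 'jdoe' }
    [pscustomobject]@{ Time = [datetime]'2011-02-10T08:03:00'; Id = 4771; Account = 'jdoe' }
    [pscustomobject]@{ Time = [datetime]'2011-02-10T09:00:00'; Id = 4767; Account = 'jdoe' }
    [pscustomobject]@{ Time = [datetime]'2011-02-10T13:00:00'; Id = 4740; Account = 'jdoe' }
    [pscustomobject]@{ Time = [datetime]'2011-02-10T13:05:00'; Id = 4771; Account = 'jdoe' }
)

function Measure-LockoutBalance {
    param([Parameter(Mandatory)][object[]]$Events)

    $state = @{}
    # Walk the events in time order and track each account's lock state.
    foreach ($e in ($Events | Sort-Object Time)) {
        if (-not $state.ContainsKey($e.Account)) {
            $state[$e.Account] = [pscustomobject]@{
                Account             = $e.Account
                Lockouts            = 0      # 4740 events
                Unlocks             = 0      # 4767 events
                FailuresWhileLocked = 0      # 4771 events seen between a 4740 and the next 4767
                Locked              = $false # state after the last event processed
            }
        }
        $s = $state[$e.Account]
        switch ($e.Id) {
            4740 { $s.Lockouts++; $s.Locked = $true }
            4767 { $s.Unlocks++;  $s.Locked = $false }
            4771 { if ($s.Locked) { $s.FailuresWhileLocked++ } }
        }
    }

    # Unmatched > 0 means more lockouts than unlocks were recorded for the account.
    $state.Values | Sort-Object Account |
        Select-Object *, @{ Name = 'Unmatched'; Expression = { $_.Lockouts - $_.Unlocks } }
}

Measure-LockoutBalance -Events $events | Format-Table -AutoSize
```

Counting the failed attempts in their own column keeps repeated logon failures against a locked account from being read as additional lockouts when the two totals are compared.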