KBI 311152 How To Check If A Domain User Is Locked Out

Version

Argent Advanced Technology all versions

Date

Wednesday, 14 Jan 2015

Summary

Steps to configure a Rule in Argent for Compliance to check if the specified domain user is locked out

Technical Background

User accounts can become locked out after repeated invalid login attempts or for other reasons

A Rule can be configured in Argent for Compliance to check if the specified user is locked out

Steps To Configure The Rule

  1. Create a new Rule EVT_SECURITY_LOG_ACCOUNT_LOCKOUT in Argent for Compliance under:
    General Best Practices -> Server Log Rules -> Windows Event Log Rules -> Security
  2. Select the ‘Security Log’ option in the Event Log section
  3. Select the ‘Audit Success’ option in the Event Severity section
  4. Set the Rule breaking criteria by specifying the Event ID equal to 4740
  5. Add another criterion by specifying the Event Text with the domain account to be checked, as shown in the screenshot below

Once configured, the screen looks as below:

The Rule checks the detailed event description shown in Event Viewer and breaks if the specified domain user account (e.g. John) is locked out
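
The same criteria can be evaluated outside Argent against the structured fields of event 4740, which avoids a text match on John also hitting an account such as Johnson. The PowerShell below is an added example, not Argent code; the function name Test-AccountLockout and the sample host and account names are made up for illustration.

```powershell
# Added example, not Argent code. Evaluates the Rule's criteria (Event ID 4740,
# named account) against structured event fields instead of free text.
function Test-AccountLockout {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,  # XML as returned by $event.ToXml()
        [Parameter(Mandatory)][string]$Account      # account name to check, e.g. John
    )
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System['EventID'].InnerText -ne '4740') { continue }
        # Collect the named <Data> fields of the event into a lookup table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        # Exact (case-insensitive) match, so "John" does not also hit "Johnson".
        if ($data['TargetUserName'] -ne $Account) { continue }
        [pscustomobject]@{
            Time           = $evt.System.TimeCreated.SystemTime
            LockedAccount  = $data['TargetUserName']
            # In event 4740 this field carries the computer the failed logons came from.
            CallerComputer = $data['TargetDomainName']
            LoggedBy       = $evt.System.Computer
        }
    }
}

# Constructed sample events (trimmed to the fields used above; all names are made up).
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID><TimeCreated SystemTime="{0}"/><Computer>DC01.example.local</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="TargetDomainName">{2}</Data>
  </EventData>
</Event>
'@
$sample = @(
    ($template -f '2015-01-14T09:30:00Z', 'John',    'WKSTN-07'),
    ($template -f '2015-01-14T09:41:00Z', 'Johnson', 'WKSTN-12')
)
Test-AccountLockout -EventXml $sample -Account 'John'

# Live use against a domain controller's Security log (elevated session);
# 9007199254740992 is the Audit Success keyword:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740; Keywords=9007199254740992} |
#        ForEach-Object { $_.ToXml() }
# Test-AccountLockout -EventXml $xml -Account 'John'
```

The CallerComputer value identifies the machine that submitted the failed logons, which is usually the first thing to check when tracing why the account locked.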

Resolution

N/A