General discussion

Locked

644 Event ID's not logged

By Eclipse860 ·
I have a Windows 2000 AD domain. I have auditing turned on for...

Audit Account Logon Events - Success and Failure
Audit Account Management - Success and Failure
This is on the Domain Controllers OU.

The security logs on my DC's are logging 681, 676, 675

It is NOT logging any 644 event ID's for account lockouts. I have checked the security logs on all my DC's. Anyone know why they might not be logged and how to fix it?

This conversation is currently closed to new comments.

5 total posts (Page 1 of 1)  
| Thread display: Collapse - | Expand +

All Comments

Collapse -

by BFilmFan In reply to 644 Event ID's not logged

You should see that event on the domain controller the user is authenticating to, if the account is locked out.


Microsoft has a pretty fair tool for troubleshooting those issues. There is an article here explaining the tool:
http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html

Collapse -

by Eclipse860 In reply to

Thanks for the link BFilmFan. I have used those tools, they are excellent. Unfortunatly, they did tell me what server locked out the accounts but not why the 644's were being logged. It turned out being the logging options on the Security log. I had to increase the storage size. I was getting some events but only if the log wasnt already full. So all the testing I did was not getting logged. I have since tweaked the settings and now everyhting is being logged including the 644's.

Collapse -

by Eclipse860 In reply to 644 Event ID's not logged

Point value changed by question poster.

Collapse -

by razz2 In reply to 644 Event ID's not logged

You mention that you have auditing turned on, but... OK I have
to ask...have you implemented the needed account policies such
as Account Lockout Threshold?

Also, I love BFilmFan's link. How did I miss those tools. Thanks.

Good Luck,

razz

Collapse -

by Eclipse860 In reply to

Sorry, I thought I had replied to everyone on this. I guess I need to choose an option to "Rate this Answer" sorry. Anyway, I do have all auditing options turned on. The problem turned out to be my Security log was hitting its max every day so the additional testing I was doing was not being logged. I changed the logging options and everything works now.

Back to Windows Forum
5 total posts (Page 1 of 1)  

Related Discussions

Related Forums