AD - Lockout events on domain controller

About lockout users here they are Security AD Events:

- 4625 and 4771 on Windows 2008 

- 529 on Windows 200X.

- 4740 If you have more than an account that usually lockout to better investigate this kind of problem you can have this information from the Security Log of your Domain Controller. If you have more than 1 DC, you can check each of your DC for Event ID 4740 (it's an information). In this Event Log, you will have the computer name of the logon request.

- See event ID 4767 for account unlocked.

You can use this eventviewer filter on each dcs:




Account Lockout and Management Tools




Netwrix Account Lockout Examiner Freeware Edition


About Exchange IIS logs repository (in case you suspect owa/activeSync/Rpc over http lockout problems) you must examine

C:\inetpub\logs\LogFiles\W3SVC1 8.26.20 Apple-iPhone8C2

RPC over HTTP 

C:\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access


CAS:
%ExchangeInstallPath%Logging\HttpProxy\Mapi\HTTP
Mailbox:
%ExchangeInstallPath%Logging\MAPI Client Access\
Mailbox:
%ExchangeInstallPath%Logging\MAPI Address Book Service\

About other blogs articles:



720check