Windows lets you set an account lockout threshold to define the number of times a user can attempt to log on with an invalid password before their account is locked. You can also define the amount of time an account stays locked out with the account lockout duration setting. These account lockout policies help defend your network against password guessing attempts and potential brute-force attacks. However, strict policies could mean that users have fewer attempts to recall passwords, leading them to get locked out of their accounts more often.
Windows generates two types of events related to account lockouts. Event ID 4740 is generated on domain controllers, Windows servers, and workstations every time an account gets locked out. Event ID 4767 is generated every time an account is unlocked. In this guide, we're going to focus on event ID 4740.
Let's break this event's properties down by Subject, Account That Was Locked Out, and Additional Information, as shown on the General tab (Fig. 1).
Subject:
Security ID: The SID of the account that performed the lockout operation.
Account Name: The name of the account that performed the lockout operation.
Account Domain: The domain or computer name. Formats can vary and include the NetBIOS name, the lowercase full domain name, or the uppercase full domain name.
For well-known security principals this field is "NT AUTHORITY," and for local user accounts this field contains the name of the computer that the account belongs to.
Logon ID: The logon ID helps you correlate this event with recent events that might contain the same logon ID (e.g. event ID 4625).
Account That Was Locked Out:
Security ID: The SID of the account that was locked out. Windows tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
Account Name: The name of the account that was locked out.
Additional Information:
Caller Computer Name: The name of the computer account (e.g. JOHN-WS12R2) from which the logon attempt was generated.
Although you can attach a task to the security log and ask Windows to send you an email, you are limited to getting an email when event ID 4740 is generated, and Windows lacks the ability to apply more granular filters.
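As an added example that is not part of the original guide, the following PowerShell pulls event ID 4740 from a domain controller's Security log, extracts the fields described above, and groups lockouts by caller computer so that one machine locking out several accounts stands out. The domain controller name DC01 and the 24-hour window are assumed placeholders.

```powershell
# Added example: query 4740 lockout events and group them by caller computer.
# Assumes read access to the Security log on the DC named below (placeholder).
$DC    = 'DC01'
$Since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $Since
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Parse the event XML so each EventData field can be read by name
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time           = $e.TimeCreated
        LockedAccount  = $d['TargetUserName']
        # In 4740 the "Caller Computer Name" field is carried in TargetDomainName
        CallerComputer = $d['TargetDomainName']
        Subject        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId        = $d['SubjectLogonId']
    }
}

# One caller locking out several distinct accounts in the window looks more
# like password guessing than a single user mistyping their own password.
$lockouts |
    Group-Object CallerComputer |
    ForEach-Object {
        $accts = @($_.Group.LockedAccount | Sort-Object -Unique)
        [pscustomobject]@{
            CallerComputer   = $_.Name
            Lockouts         = $_.Count
            DistinctAccounts = $accts.Count
            Suspicious       = ($accts.Count -gt 1)
        }
    } |
    Sort-Object Lockouts -Descending |
    Format-Table -AutoSize
```

The LogonId column can be joined against 4625 events on the same host to see the failed attempts that preceded each lockout.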
With a tool like ADAudit Plus, not only can you apply granular filters to focus on real threats, you can get notified in real time via SMS, too.
Leverage advanced statistical analysis and machine learning techniques to detect anomalous behavior within your network.
Meet various compliance standards, such as SOX, HIPAA, PCI, FISMA, GLBA, and the GDPR, with out-of-the-box compliance reports.
Go from downloading ADAudit Plus to receiving real-time alerts in less than 30 minutes. With over 200 preconfigured reports and alerts, ADAudit Plus ensures that your Active Directory stays secure and compliant.