You must have Audit Process Creation auditing enabled to see event ID
Step 2: Find the Domain Controller with the PDC Emulator Role
If you have a single domain controller (shame on you) then you can skip to thenext step…hopefully you have at least two DCs.The DC with the PDC emulator role will record every account lockout with anevent ID of 4740.To find the DC that has the PDCEmulator role run this PowerShell command get-addomain | select PDCEmulator
Method 2: Using the User Unlock GUI Tool to Find the Source of Account
LockoutsI created this tool to make it super easy for any staff member to unlockaccounts, reset passwords and find the source of account lockouts.Just like PowerShell this tool requires the auditing be turned on for AccountManagement. See steps above for enabling these audit logs.1. Open the User Unlock Tool2. Click the Search Button, then click more detailsThat is all there is to it.You will now see a list of times the account was locked out and the sourcecomputer.In addition you can unlock the account and reset the password all from onetool. The tool will display all locked accounts, you can select a singleaccount or multiple accounts to unlock.The user unlock tool is included in my AD Pro Toolkit bundle, this is a bundleof 10 tools to help simplify and automate routine AD tasks.I hope you found this article useful. If you have questions or comments let meknow by posting a comment below.Recommended Tool: SolarWinds Server & Application MonitorThis utility was designed to Monitor Active Directory and other criticalservices like DNS & DHCP. It will quickly spot domain controller issues,prevent replication failures, track failed logon attempts and much more.What I like best about SAM is it’s easy to use dashboard and alertingfeatures. It also has the ability to monitor virtual machines and storage.Download Your Free Trial HereCommand line process auditing
You must have Audit Process Creation auditing enabled to see event ID
4688.To enable the Audit Process Creation policy, edit the following group policy:Policy location: Computer Configuration > Policies > Windows Settings >Security Settings > Advanced Audit Configuration > Detailed TrackingPolicy Name: Audit Process CreationSupported on: Windows 7 and aboveDescription/Help:This security policy setting determines whether the operating system generatesaudit events when a process is created (starts) and the name of the program oruser that created it.These audit events can help you understand how a computer is being used and totrack user activity.Event volume: Low to medium, depending on system usageDefault: Not configured
To ensure that Advanced Audit Policy Configuration settings are not
overwritten 1. Open the Group Policy Management console 2. Right-click Default Domain Policy, and then click Edit. 3. Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings. 4. Double-click Security Settings, double-click Local Policies, and then click Security Options. 5. Double-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then click Define this policy setting. 6. Click Enabled, and then click OK.
Try This: Explore command line process auditing
1. Enable Audit Process Creation events and ensure the Advance Audit Policy configuration is not overwritten 2. Create a script that will generate some events of interest and execute the script. Observe the events. The script used to generate the event in the lesson looked like this: mkdir c:systemfilestempcommandandcontrolzonefifthward copy 18.104.22.168c$hidden c:systemfilestemphiddencommandandcontrolzonefifthward start C:systemfilestemphiddencommandandcontrolzonefifthwardntuserrights.vbs del c:systemfilestemp*.* /Q 3. Enable the command line process auditing 4. Execute the same script as before and observe the eventsConfiguring Audit Policy in Windows Server 2016In this article, I’m going to show you the way of configuring audit policy onWindows server 2016. As in our previous topics, we have told you how toconfigure lockout policy and as well as configuring password policy on Windowsserver 2016. Configuring audit policy can be applied to Microsoft Windowsserver 2003, Windows server 2008, server 2012 and Windows 10 operating systemwith its previous versions.
What is Audit Policy?
Whenever you configure audit policy in Windows server or any client. Thispolicy will allow or help you to get information about who logged into yourcomputer? When he or she logged in or from where that user logged in. And aswell as give you information about any kinds of event that happen on thatcomputer. By configuring audit policy, you can get all this information. Toget known about these events, go to the event section then take all the info.Now, we’re going to explain the following policies.
1. Audit Account Logon Events
This security setting determines whether the OS audits each time this computervalidates an account’s credentials.Account logon events are generated whenever a computer validates thecredentials of an account for which it is authoritative. Domain members andnon-domain-joined machines are authoritative for their local accounts; domaincontrollers are all authoritative for accounts in the domain. Credentialvalidation may be in support of a local login, or, in the case of an ActiveDirectory domain account on a domain controller, may be in support of a loginto another computer. Credential validation is stateless so there is nocorresponding logoff event for account login events.Audit Account Logon EventsIf this policy setting is defined, the administrator can specify whether toaudit only successes, only failures, both successes and failures or to notaudit these events at all.
2. Audit Account Management
This security setting determines whether to audit each event of accountmanagement on a computer. Examples of account management events include: * A user account or group is created, changed, or deleted. * A user account is renamed, disabled, or enabled. * A password is set or changed.If you define this policy setting, you can specify whether to audit successes,audit failures or not audit the event type at all. Success audits generate anaudit entry when any account management event succeeds. Failure auditsgenerate an audit entry when any account management event fails. To set thisvalue to No auditing, in the Properties dialog box for this policy setting,select the Define these policy settings check box and clear the Success andFailure check boxes.Audit Account Management
4. Audit Logon Events
This security setting determines whether the OS audits each instance of a userattempting to log on to or to log off to this computer. Logoff events aregenerated whenever a logged on user account’s login session is terminated. Ifthis policy setting is defined, the administrator can specify whether to auditonly successes, only failures, both successes and failures, or to not auditthese events at all.Audit Logon Events
6. Audit Policy Change
This security setting determines whether the OS audits each instance ofattempts to change user rights assignment policy, audit policy, accountpolicy, or trust policy. The administrator can specify whether to audit onlysuccesses, only failures, both successes and failures, or to not audit theseevents at all (i.e. neither successes nor failures).If Success auditing is enabled, an audit entry is generated when an attemptedchange to user rights assignment policy, audit policy, or trust policy issuccessful.Audit Policy ChangeIf Failure auditing is enabled, an audit entry is generated when an attemptedchange to user rights assignment policy, audit policy, or trust policy isattempted by an account that is not authorized to make the requested policychange.
8. Audit Process Tracking
This security setting determines whether the OS audits process-related eventssuch as process creation, process termination, handle duplication, andindirect object access. If this policy setting is defined, the administratorcan specify whether to audit only successes, only failures, both successes andfailures, or to not audit these events at all.Audit Process TrackingIf Success auditing is enabled, an audit entry is generated each time the OSperforms one of these process-related activities. If Failure auditing isenabled, an audit entry is generated each time the OS fails to perform one ofthese activities.
9. Audit System Events
This security setting determines whether the OS audits any of the followingevents: * Attempted system time change * Attempted security system startup or shutdown * Attempt to load extensible authentication components * Loss of audited events due to auditing system failure * Security log size exceeding a configurable warning threshold level.If this policy setting is defined, the administrator can specify whether toaudit only successes, only failures, both successes and failures, or to notaudit these events at all (i.e. neither successes nor failures).Audit System EventsIf Success auditing is enabled, an audit entry is generated each time the OSperforms one of these activities successfully. If Failure auditing is enabled,an audit entry is generated each time the OS attempts and fails to perform oneof these activities.