Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out.
Account lockout events are essential for understanding user activity and detecting potential attacks.
Event volume: Low.
This subcategory covers failed logon attempts made when the account was already locked out.
Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
---|---|---|---|---|---|
Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or for local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
Events List:
- 4625(F): An account failed to log on.
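
The following is an added example, not part of the original page: it enables Failure auditing for this subcategory as recommended in the table above, then lists the 4625 events that were logged because the target account was locked out. It assumes an elevated PowerShell session on an English-language system, a 24-hour review window chosen for illustration, and that locked-out attempts carry the status code 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT) in the event's Status field.

```powershell
# Added example. Run from an elevated PowerShell session.

# 1. Enable Failure auditing only; the subcategory has no Success events.
auditpol /set /subcategory:"Account Lockout" /success:disable /failure:enable
auditpol /get /subcategory:"Account Lockout"

# 2. Collect 4625 events from the review window (24 hours is an assumption).
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
# Get-WinEvent raises an error when nothing matches, so suppress it.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Keep only attempts rejected because the account was already locked out.
$lockedOutStatus = '0xC0000234'   # STATUS_ACCOUNT_LOCKED_OUT
$lockouts = foreach ($e in $events) {
    # Turn the named <Data> fields of the event into a lookup table.
    $xml    = [xml]$e.ToXml()
    $fields = @{}
    foreach ($node in $xml.Event.EventData.Data) {
        $fields[$node.Name] = $node.InnerText
    }

    if ($fields['Status'] -ieq $lockedOutStatus) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
            LogonType   = $fields['LogonType']
            SourceIp    = $fields['IpAddress']
            Workstation = $fields['WorkstationName']
        }
    }
}

# 4. Summarize by account and source so repeated attempts against
#    high-value accounts (administrators, service accounts) stand out.
$lockouts |
    Group-Object Account, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Full detail for follow-up on a specific account.
$lockouts | Sort-Object Time | Format-Table -AutoSize
```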