Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out.
Account lockout events are essential for understanding user activity and detecting potential attacks.
Event volume: Low.
This subcategory failure logon attempts, when account was already locked out.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value ___domain or for local accounts (database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
| Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value ___domain or for local accounts (database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
| Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value ___domain or for local accounts (database administrators, built-in local administrator account, ___domain administrators, service accounts, ___domain controller accounts, and so on). This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
Events List:
- 4625(F): An account failed to log on.