I’m looking for a good way to help a team pinpoint why a particular account locks out and be able to present this on a dashboard. Now I don’t want to have thousands of “failed username or password” hits in the sec log cause an alert every single time in SCOM, so curious what people are doing. For example, event ID 4625 is triggered for any of these if configured for the DCs. Before I dive deep into this I was hoping someone had a solution already made.



Gary answered
    • We gave up on trying to display that information. We have around 30.000 active accounts (25.000 students) in the AD. And the amount of wrong passwords generated in our environment is a lot. So accounts get locked out every second. So showing that on a dashboard was of no use for us. We store the info in our ELK server instead, and when someone is wondering which device is locking my account we take a look there.
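
One way to turn a stream of 4625 events into a single per-account summary instead of one alert per event, as an added example that is not part of the original thread: it groups failures by account, keeps only accounts with a burst of failures inside a time window, and ranks the source devices. The field names follow the 4625 event's EventData; the flat record shape, the sample records, the threshold of 5 and the 10-minute window are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def _ev(event_id, ts, user, workstation, ip):
    # Helper for the constructed sample records below (not real log data).
    return {"EventID": event_id, "TimeCreated": ts, "TargetUserName": user,
            "WorkstationName": workstation, "IpAddress": ip}


# Constructed sample: six failures from one device, one from a second device,
# two unrelated failures hours apart, and a successful logon (4624) to ignore.
SAMPLE_EVENTS = (
    [_ev(4625, f"2024-01-08T08:0{m}:00", "jdoe", "PHONE-01", "10.0.0.21") for m in range(6)]
    + [_ev(4625, "2024-01-08T08:03:30", "JDoe", "-", "10.0.0.44"),
       _ev(4625, "2024-01-08T08:01:00", "asmith", "PC-12", "10.0.0.30"),
       _ev(4625, "2024-01-08T11:40:00", "asmith", "PC-12", "10.0.0.30"),
       _ev(4624, "2024-01-08T08:07:00", "jdoe", "PHONE-01", "10.0.0.21")]
)


def summarize_failures(events, threshold=5, window=timedelta(minutes=10)):
    """Map each account with >= threshold 4625 events inside one window
    to its [(source, count), ...] list, busiest source first."""
    by_account = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4625:
            continue
        # Workstation name and IP are often "-" in 4625; fall back in order.
        fields = (ev.get("WorkstationName"), ev.get("IpAddress"))
        source = next((v for v in fields if v and v != "-"), "unknown")
        ts = datetime.fromisoformat(ev["TimeCreated"])
        by_account[ev["TargetUserName"].lower()].append((ts, source))

    report = {}
    for account, hits in by_account.items():
        hits.sort()
        start, best = 0, (0, 0, 0)  # best = (count, first index, last index)
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, start, end)
        if best[0] >= threshold:
            burst = hits[best[1]:best[2] + 1]
            report[account] = Counter(src for _, src in burst).most_common()
    return report


if __name__ == "__main__":
    for account, sources in summarize_failures(SAMPLE_EVENTS).items():
        print(account, sources)
```
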