I’m looking for a good way to help a team pinpoint why a particular account locks out and be able to present this on a dashboard. Now I don’t want to have thousands of “failed username or password” hits in the sec log cause an alert every single time in SCOM, so I’m curious what people are doing. For example, event id 4625 is triggered for any of these if configured for the DCs. Before I dive deep into this I was hoping someone had a solution already made.
We’re using the ACS component of SCOM to get locked AD user information. Best for this question is the default report named ‘Access_Violation_-_Account_Locked’.
Let me know if it could help or if you need further information 🙂
ok cool thanks all. The ACS solution looks good. I currently have a rule in SCOM to alert when an account is unlocked and locked. I was just hoping to narrow down causes without having to alert on all username or password attempts which as you have said is a lot. So if I use ACS to collect the data does SCOM fire an alert for all events? I’m trying to visualize how I’d use this in Squared Up without having to rely on the reports. Can you have Squared Up/SCOM look at this data based on criteria so when you are investigating why someone was locked you can just edit the criteria of an alert tile?
I am going to recommend another tool that is relatively cheap but well worth the money: AD Audit by Manage Engine. It is fantastic for alerting on AD changes and looking to see who did what. Their account lockout analyzer is the best thing I have found. AD is one of my duties and I love this tool; it has saved my butt several times.
ACS can be a bit of a beast in SQL and disk requirements. I normally just create a Windows Event Log monitor applied only to the domain controllers which looks for Event IDs 4740 or 644. I set these to a timer reset after 1 minute so they don’t fill up the Active Alerts, but can be found easily.
This will give you alerts with descriptions like this:
A user account was locked out.
Security ID: NT AUTHORITY\SYSTEM
Account Name: UserAccount$
Account Domain: DOMNAME
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: DOMNAME\UserAccount
Account Name: UserAccount
Caller Computer Name: SOURCECOMP
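An added example (not code from any poster in this thread) of the correlation the original question is after: take the 4740 lockout events, and for each one count only the 4625 wrong-password events for that same account in the minutes before the lockout, grouped by workstation and source IP. That way a dashboard tile can show "who caused this lockout" without raising an alert for every 4625. The events, hosts, users and timestamps below are constructed samples shaped like the Security log fields quoted above; the assumption is that the events have already been pulled off the DCs into this field structure.

```python
"""Correlate account-lockout events (4740) with the wrong-password
failed-logon events (4625) that preceded them, so the *source* of a
lockout can be shown without alerting on every single 4625.

Added example for this thread; not SCOM, ACS or any poster's code.
"""
from collections import Counter
from datetime import datetime, timedelta

# 4625 Status values worth distinguishing on a dashboard (NTSTATUS codes).
# 0xC0000234 means the account was *already* locked, so those 4625s are a
# consequence of the lockout, not its cause, and must not be counted.
WRONG_PASSWORD = "0xC000006A"
ALREADY_LOCKED = "0xC0000234"

# Constructed sample events (hypothetical hosts, users and times).
EVENTS = [
    {"id": 4625, "time": "2024-05-01T09:00:05", "account": "jsmith",
     "workstation": "LAPTOP-17", "ip": "10.0.5.23", "status": WRONG_PASSWORD},
    {"id": 4625, "time": "2024-05-01T09:00:07", "account": "jsmith",
     "workstation": "LAPTOP-17", "ip": "10.0.5.23", "status": WRONG_PASSWORD},
    {"id": 4625, "time": "2024-05-01T09:00:09", "account": "jsmith",
     "workstation": "LAPTOP-17", "ip": "10.0.5.23", "status": WRONG_PASSWORD},
    {"id": 4625, "time": "2024-05-01T09:00:11", "account": "jsmith",
     "workstation": "LAPTOP-17", "ip": "10.0.5.23", "status": WRONG_PASSWORD},
    {"id": 4625, "time": "2024-05-01T09:00:12", "account": "jsmith",
     "workstation": "LAPTOP-17", "ip": "10.0.5.23", "status": WRONG_PASSWORD},
    # A different user's single typo: noise that should not appear for jsmith.
    {"id": 4625, "time": "2024-05-01T09:00:30", "account": "bjones",
     "workstation": "PC-42", "ip": "10.0.7.8", "status": WRONG_PASSWORD},
    # The lockout itself (fields as in the 4740 description quoted above).
    {"id": 4740, "time": "2024-05-01T09:00:13", "account": "jsmith",
     "caller": "LAPTOP-17"},
    # An old failure from another machine, well outside the lookback window.
    {"id": 4625, "time": "2024-05-01T08:30:00", "account": "jsmith",
     "workstation": "OLD-PC", "ip": "10.0.9.9", "status": WRONG_PASSWORD},
    # Post-lockout attempt: status says "already locked", so it is ignored.
    {"id": 4625, "time": "2024-05-01T09:00:14", "account": "jsmith",
     "workstation": "LAPTOP-17", "ip": "10.0.5.23", "status": ALREADY_LOCKED},
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def lockouts(events):
    """All 4740 (account locked out) events."""
    return [e for e in events if e["id"] == 4740]


def failures_before(events, lockout, window_minutes=10):
    """Count wrong-password 4625s for the locked account within the window
    ending at the lockout, keyed by (workstation, source IP)."""
    end = _t(lockout["time"])
    start = end - timedelta(minutes=window_minutes)
    counts = Counter()
    for e in events:
        if e["id"] != 4625 or e["account"] != lockout["account"]:
            continue
        if e["status"] != WRONG_PASSWORD:
            continue
        if start <= _t(e["time"]) <= end:
            counts[(e["workstation"], e["ip"])] += 1
    return counts


def lockout_report(events, window_minutes=10):
    """One entry per locked account: when, the 4740 caller, and the
    per-source failure counts that led up to it."""
    report = {}
    for lo in lockouts(events):
        report[lo["account"]] = {
            "locked_at": lo["time"],
            "caller": lo["caller"],
            "sources": failures_before(events, lo, window_minutes),
        }
    return report


def top_source(entry):
    """Most likely origin of the lockout: the (workstation, ip) pair with the
    most wrong-password attempts, or None if no 4625s were found."""
    if not entry["sources"]:
        return None
    return entry["sources"].most_common(1)[0][0]


if __name__ == "__main__":
    for acct, entry in lockout_report(EVENTS).items():
        print(f"{acct} locked at {entry['locked_at']} (caller {entry['caller']})")
        for (ws, ip), n in entry["sources"].most_common():
            print(f"  {n:3d} bad passwords from {ws} ({ip})")
```

The 4740 Caller Computer Name is kept in the report but not trusted on its own: in practice it often names whichever server relayed the bad credentials (a mail, VPN or terminal server) rather than the machine the user typed them on, which is why the 4625 workstation and source IP are counted alongside it. The lookback window is a parameter because the right value depends on the domain's lockout observation window.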
Interesting. I had no idea you could do a time reset. Where is that? I don’t mind the alerts now that I’m testing this but just don’t want to have to manually close 6000 or so over the course of a week 🙂