Account lockout messages not in domain controller event logs

  • Section(s): Logon
  • Published on Apr 20, 2004.
  • Last Modified on Apr 20, 2004.
  • Last Modified by Wayne Maples.
  • Rated 3 out of 5 based on 2 votes.
Prior to NT 4 SP4 message about the user account being locked out were only written to the security log of the workstations or servers where the events occurred and were not written into the security log of the domain controller where the error occurred. At that, the error message was only written if the audit policies were enable on the workstation. SP4 does what one would expect and writes these messages on the domain controller where the bad password limit was reached but ONLY if the audit policy for the domain enables Success for the User and Group Management audit category.

Event Log Tips:

Archiving Event Logs
Event Log explained
How to Delete Corrupt Event Viewer Log Files
Forensics: CrashOnAuditFail
Restrict access to Application and System event logs
Security Event Descriptions
Security Events Logon Type Definitions
Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List

Frank Heyne has made available a Windows NT Eventlog FAQ .

About Wayne Maples

Share this article


Article not looking right or info is missing? Let us know so that we can fix it: .


Receive all the latest articles by email!

Receive Real-Time & Monthly WindowsNetworking.com article updates in your mailbox. Enter your email below!
Click for Real-Time sample & Monthly sample

Become a WindowsNetworking.com member!

Discuss your network issues with thousands of other network administrators. Click here to join!

Community Area

Log in | Register

Readers' Choice

Which is your preferred Data Recovery solution?