Cannot generate event id 644

Giganews Newsgroups
Subject: Cannot generate event id 644
Posted by:  theta12 (theta…@gmail.com)
Date: 3 Apr 2007

I'm trying to track account lockouts on my domain.  I've turned on
auditing for my domain controllers and am successfully getting audit
data.  However, I am unable to generate the 644 event id that says
'Account locked out'.  I have success and failure turned on for all
auditing events and have verified that each DC is correctly applying
the policy

All DC's are 2003 servers in a windows environment.  I have a test
account that I'm intentionally locking out by entering a wrong
password multiple times.  I am getting plenty of other events about
this account (675 - pre-authentication failed when using wrong
password, 539 - account locked out (on the actual server I'm logging
into),  672 - after account is locked out and I try to use correct
password.) but no 644 event are ever generated.  I do get a message on
the server that I'm trying to log into that my account is locked out.
If I open ADUC, I can confirm that the account is indeed locked out.
Is there something else I'm missing?

Replies