|Subject:||Cannot generate event id 644|
|Posted by:||theta12 (theta…@gmail.com)|
|Date:||3 Apr 2007|
I'm trying to track account lockouts on my domain. I've turned on
auditing for my domain controllers and am successfully getting audit
data. However, I am unable to generate the 644 event id that says
'Account locked out'. I have success and failure turned on for all
auditing events and have verified that each DC is correctly applying
All DC's are 2003 servers in a windows environment. I have a test
account that I'm intentionally locking out by entering a wrong
password multiple times. I am getting plenty of other events about
this account (675 - pre-authentication failed when using wrong
password, 539 - account locked out (on the actual server I'm logging
into), 672 - after account is locked out and I try to use correct
password.) but no 644 event are ever generated. I do get a message on
the server that I'm trying to log into that my account is locked out.
If I open ADUC, I can confirm that the account is indeed locked out.
Is there something else I'm missing?