I have a requirement to be able to track when/who unlocks accounts on Active Directory. Is there a log kept that I can tap into, or a utility that will let me access this information?
You focus Microsoft Management Console (MMC) snap-ins against a specific domain controller that is referenced by its IP address. For example, you click Start, click Run, and then type the following command for Active Directory Users and Computers:

dsa.msc /server=ipaddress

With the above you only have to search ONE DC for the event ID for account unlocks; otherwise you need to know which DC the person used in the MMC to unlock the account.

Then check the security event log for event IDs that reference the unlock actions. Event ID 671 designates the account UNLOCK! Event ID 644 is the ID that logs the account lockout (use eventcombmt.exe to check all security logs on all DCs if you want to know this).

You also need to enable "Account Management – Success" on the DCs.

At OU level you need to audit for: Read/Write lockouttime for user objects.

Cheers,
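The procedure in the reply above (check the Security log on every DC for the unlock and lockout event IDs, and confirm Account Management auditing is on) as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module is installed and that the account running it can read the Security log on each DC remotely. The legacy IDs 671 and 644 named in the reply are pre-Vista; on Windows Server 2008 and later the same events are 4767 (unlock) and 4740 (lockout), so the script queries both sets.

```powershell
# Added example (not from the original post). Queries every domain controller's
# Security log for account unlock and lockout events and reports who did what.
# Assumes: RSAT ActiveDirectory module, RPC/WinRM reachability to each DC,
# and read access to the Security log (Event Log Readers or equivalent).
Import-Module ActiveDirectory

$unlockIds  = 671, 4767   # 671 = pre-Vista "User Account Unlocked", 4767 = post-Vista equivalent
$lockoutIds = 644, 4740   # 644 = pre-Vista "User Account Locked Out", 4740 = post-Vista equivalent
$since      = (Get-Date).AddDays(-7)   # look-back window; adjust as needed

# Confirm the audit subcategory behind "Account Management - Success" is enabled on this host.
# (Modern name of the subcategory; run on a DC or compare against your GPO setting.)
auditpol /get /subcategory:"User Account Management"

# Pull the named EventData fields out of a post-Vista event so we can report
# who (SubjectUserName) unlocked/locked which account (TargetUserName).
function Get-EventDataFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    return $fields
}

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$results = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = $unlockIds + $lockoutIds
            StartTime = $since
        } -ErrorAction Stop | ForEach-Object {
            $data = Get-EventDataFields -Event $_
            [pscustomobject]@{
                DC         = $dc
                Time       = $_.TimeCreated
                Id         = $_.Id
                Action     = if ($_.Id -in $unlockIds) { 'Unlock' } else { 'Lockout' }
                # Legacy 671/644 events carry unnamed data, so these fields may be empty
                # for them; the full Message is kept for that case.
                Target     = $data['TargetUserName']
                PerformedBy = $data['SubjectUserName']
                Message    = $_.Message
            }
        }
    } catch {
        # Get-WinEvent raises an error when the filter matches nothing; that is not a failure.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "Could not read Security log on ${dc}: $($_.Exception.Message)"
        }
    }
}

$results | Sort-Object Time | Format-Table DC, Time, Id, Action, Target, PerformedBy -AutoSize
```

Querying all DCs rather than the one targeted with `dsa.msc /server=` is what makes the result complete: an unlock is logged only on the DC that performed it, and an administrator who opened the snap-in without the `/server` switch may have been bound to any DC in the site.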