Active Directory - Troubleshooting Account Lockout information

Article
12/28/2009

Troubleshooting Account Lockout (Technet)

https://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Account Lockout and Management Tools

https://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Account Lockout Status (LockoutStatus.exe)

https://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=D1A5ED1D-CD55-4829-A189-99515b0E90F7

SCOM Alerts & Audit Collection Services

You should be able to setup an event collection on the Security event log for that lockout and a few other events so that you get an alert. Here a just a few events that you could alert on to help monitor that account.

Event ID 531 : Account disabled
Event ID 532 : Account expired
Event ID 535 : Password expired
Event ID 539 : Logon Failure: Account locked out
Event ID 644 : User account Locked out

These article have a pretty good list of other security event id’s that you can alert on as well.

https://www.windowsnetworking.com/nt/atips/atips155.shtml

https://www.enterprisecertified.com/eSCOPTechnicalGuide.pdf

Active Directory - Troubleshooting Account Lockout information

Additional resources