How to Set an Audit Policy for an Account Lockout
This is attempt to help tracing in the Event Viewer, the Account Lockout Failure and Success "Log On" in windows 7 and Windows 8, after you set up the "Account Lockout Threshold for Invalid Logon Attempts".
Defining the Account Lockout Audit Policy in Windows 7 and Windows 8: 1.
In order this Tip to Work, you"ll have to set it before the Account Lockout Threshold for Invalid Logon Attempts
To trace in the Event Viewer the "Success" and "Failure" logons, password change attempts and policy changes. The Audit Policy must be set before!
First Open "Start Menu" then in the search bar, type "Local Security Policy"
2. Go to "Local Policies", then underneath, click "Audit Policy".
3. On the right side search for "Audit account logon events". 4. Right click Properties: Check both box "Success" & "Failure",
5. Click OK button and your done!
Date Published: june 2009
This security policy setting allows you to audit security events generated by a failed attempt to log on to an account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts.
Account lockout events are essential for understanding user activity and detecting potential attacks.
Event volume: Low
Default setting: Success
If this policy setting is configured, the following event is generated. The event appears on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.
Event ID: 4625
Event message: An account failed to logon.
"Microsoft recommends that you use the account lockout feature to help deter malicious users and some types of automated attacks from discovering user passwords.
Password and account lockout settings are designed to protect accounts and data in your organization by mitigating the threat of brute force guessing of account passwords. Settings in the Account Lockout and Password Policy nodes of the Default Domain policy settings enable account lockout and control how account lockout operates."
Now you can go in the "Event Viewer" and see how many attempts had been made to Log On on your computer while you were away drinking that beer!
Thanks to Brink for having brought the support.