Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Account Lockout: Defining an Audit Policy

Account Lockout: Defining an Audit Policy

How to Set an Audit Policy for an Account Lockout
Published by NoN
10 Mar 2011
Published by
NoN's Avatar

How to Set an Audit Policy for an Account Lockout

information   Information
This is attempt to help tracing in the Event Viewer, the Account Lockout Failure and Success "Log On" in windows 7 and Windows 8, after you set up the "Account Lockout Threshold for Invalid Logon Attempts".
Note   Note
In order this Tip to Work, you"ll have to set it before the Account Lockout Threshold for Invalid Logon Attempts.

To trace in the Event Viewer the "Success" and "Failure" logons, password change attempts and policy changes. The Audit Policy must be set before!

Defining the Account Lockout Audit Policy in Windows 7 and Windows 8:

1. First Open "Start Menu" then in the search bar, type "Local Security Policy"
Name:  01.jpg
Views: 2355
Size:  17.4 KB
2. Go to "Local Policies", then underneath, click "Audit Policy".
3. On the right side search for "Audit account logon events".

4. Right click Properties: Check both box "Success" & "Failure",
Name:  03.jpg
Views: 2335
Size:  22.1 KB
5. Click OK button and your done!

Date Published: june 2009

This security policy setting allows you to audit security events generated by a failed attempt to log on to an account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts.

Account lockout events are essential for understanding user activity and detecting potential attacks.

Event volume: Low
Default setting: Success

If this policy setting is configured, the following event is generated. The event appears on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

Event ID: 4625
Event message: An account failed to logon.
"Microsoft recommends that you use the account lockout feature to help deter malicious users and some types of automated attacks from discovering user passwords.
Password and account lockout settings are designed to protect accounts and data in your organization by mitigating the threat of brute force guessing of account passwords. Settings in the Account Lockout and Password Policy nodes of the Default Domain policy settings enable account lockout and control how account lockout operates."

Now you can go in the "Event Viewer" and see how many attempts had been made to Log On on your computer while you were away drinking that beer!

Thanks to Brink for having brought the support.


 Account Lockout: Defining an Audit Policy

Tutorial Tools

Similar help and support threads
Windows 7 Tutorial Category
Account Lockout Policy Clarification
Hello Guys, Can somebody interpret this one for me. Account Lockout Duration : 0 minutes Account threshold : 15 Reset Account Lockout after: 10 minutes. Thanks in advance.
General Discussion
Account Lockout - Unlock a Locked Out User Account
How to Unlock a Locked Out User Account in Windows 7 and Windows 8 Normally the account lockout duration security setting determines the number of minutes a locked out account remains locked out before automatically becoming unlocked. If the account lockout duration is set to 0 minutes, then a...
the Administrator account and Audit mode
Hi In Audit Mode, to install/configure correctly the Windows updates, drivers, softwares, is best to manually activate the Administrator account? If so, how do I do this? In the passage between the Audit and OOBE mode with the sysprep command, what should I insert in the answer file to...
Installation & Setup
Renaming the Administrator account in the Audit mode
HI In the Audit mode of Windows 7 SP1 with an only active account (the Administrator account), how do I rename it and put it a password (for security) using the command line without this causes malfunction in the system or unexpected things when I will go in the OOBE mode. THANKS BYE
General Discussion
account lockout policy
Hi, I recently installed win 7 ent. edition and i decided to change the account lockout threshold 4 invalid attempts. Everytime i shutdown the system and rebooted my account would be lockout for no reason. now its only happens to my account. This seems to happen on both my computers on the...
General Discussion
Account lockout problem
Hello all, Windows 7 has made my Account Lockout Duration set to 99360 minutes (69 days). What's really bad is I can't change this. It's disabled even though I'm an admin. I've search for days trying to figure out how I can change this and was hoping someone here could help me. TIA,
System Security

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 17:11.

Twitter Facebook Google+

Windows 7 Forums

Seven Forums Android App Seven Forums IOS App