Administrator Guide
Audit Settings
Description
Some of the tools in the AD Pro Toolkit (User Unlock) require auditing to be enabled for all features to work.
How to enable Auditing
If you want to display additional details on locked accounts, such as the source computer, make sure auditing is enabled for these events. If you only want to display locked accounts and unlock them, you can skip this section.
On your Default Domain Controller policy, navigate to the following GPO settings:
Computer Configuration -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Management
Enable Success and Failure for the “Audit User Account Management” policy.

Next, enable the following:
Computer Configuration -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> Account Logon
Enable Success and Failure for “Audit Kerberos Authentication Service.”

The required auditing is now turned on and event ID 4740 will be logged in the security event logs when an account is locked out. The user unlock tool will query the domain controller event logs for this event ID to display additional lockout details.
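
To confirm the policy has applied and that lockout events are being recorded, the following added example (not part of the AD Pro Toolkit) checks both audit subcategories and lists recent 4740 events with their source computer. It assumes an elevated PowerShell session on a domain controller and English-language auditpol output; the function name Get-LockoutEvent is hypothetical.

```powershell
# Added example: run elevated on a domain controller after the GPO has refreshed.

# 1. Check the effective setting of the two subcategories enabled in this guide.
#    Assumption: auditpol output is in English ("Success and Failure").
$subcategories = 'User Account Management', 'Kerberos Authentication Service'
foreach ($name in $subcategories) {
    $line = auditpol /get /subcategory:"$name" | Select-String -SimpleMatch $name
    if ($line -and $line.Line -match 'Success and Failure') {
        Write-Output "OK       $name"
    } else {
        Write-Output "MISSING  $name (expected Success and Failure)"
    }
}

# 2. List recent account lockout events (event ID 4740) from the Security log.
function Get-LockoutEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # domain controller to query
        [int]$MaxEvents = 20
    )
    $filter = @{ LogName = 'Security'; Id = 4740 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning "No 4740 events found on $ComputerName."
        return
    }
    foreach ($evt in $events) {
        # Read the event fields by name from the event XML.
        $xml = [xml]$evt.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $evt.TimeCreated
            LockedAccount  = $data['TargetUserName']
            # In event 4740 the TargetDomainName field holds the caller computer name.
            SourceComputer = $data['TargetDomainName']
            LoggedOn       = $evt.MachineName
        }
    }
}

Get-LockoutEvent | Format-Table -AutoSize
```

If the first step reports MISSING, run gpupdate /force on the domain controller and check again before troubleshooting the GPO itself.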