Channel: Security forum

User failed logon attempts are not logged in the security log


Hi,

I face a problem with the security log. I have 2 DCs with W2K3 R2 x86 SP2. Auditing for logon events is enabled for both success and failure, for all DCs, member servers, and computers via group policy. This is 100% sure, no doubt about that. I can give you screenshots of the applied group policy.

Last Friday I had to check why a user had his AD account locked out 2 times in the same day, without entering a wrong password, as he said. According to our company policy, I have set up a lockout duration of 60 minutes, after 5 invalid logon attempts. So I know that there is no possibility for an account to get locked out, without at least 5 logon attempts.

I wanted to check the security logs from both DCs, to find out when the invalid logon attempts were made, and from which workstation.

Both DCs have no failure audits for user accounts at all. All the success audits from both user and computer accounts are there, as they should be, and I found only some failure audits from two old virtual machines, whose computer accounts were deleted. Every day I have to unlock at least 1-2 user accounts because of accidental use of caps lock. The DCs do log failure audits only if an invalid logon attempt takes place on the same DC, and not from another computer, server or DC.

Is this normal? Do you have any idea why this can happen? Any idea how to correct it?

Thank you in advance...


