
Access Denied--Auditing User Account Lockouts

For some reason, some of my users' accounts become locked, and the users must contact the Help desk to have their accounts reactivated. To address the problem, I've implemented the Audit logon events and Audit account logon events settings in the Default Domain Controllers Group Policy Object (GPO). Despite many daily lockouts, I can't find any trace of event ID 644 (user account locked out) on any of the relevant domain controllers (DCs). I use the Repadmin /showmeta command to identify the DC on which the lockout occurred and the DC that authenticated the logon attempt. Can you explain why these lockouts occur even when the users haven't recently changed their passwords and why the system isn't logging all logon events?

The fix is simple, and the mistake is an easy one to make. Windows 2000 and Windows NT consider account lockouts to be account-management events, not logon events, so the two audit settings you enabled don't record them. Just enable Audit account management events for successful events. To do so, open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the Domain Controllers organizational unit (OU), select Properties, and select the Group Policy tab. Select Edit Default Domain Controllers Policy, then click Edit. Navigate to \computer configuration\windows settings\security settings\local policies\audit policy, and double-click Audit account management events. After you enable Success, you'll capture the event information you need.
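To confirm the setting took effect, the following added example (not part of the original column) reads the `[Event Audit]` section of a security-template INF and reports whether account lockouts (event ID 644) will be logged. It assumes the policy is available as INF text; both sample templates are constructed, and the function names are hypothetical.

```python
import configparser

# [Event Audit] values in a security template are a bitmask:
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
SUCCESS, FAILURE = 1, 2

# Constructed sample of the situation in the question: both logon
# categories are audited, account management is not.
SAMPLE_BEFORE = """
[Unicode]
Unicode=yes
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 0
"""

# Constructed sample after enabling Success on account management.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(
    "AuditAccountManage = 0", "AuditAccountManage = 1")


def audit_settings(inf_text):
    """Return {setting name: bitmask} from the [Event Audit] section."""
    parser = configparser.ConfigParser(
        strict=False, interpolation=None, allow_no_value=True)
    parser.optionxform = str  # keep the template's key case
    parser.read_string(inf_text)
    if not parser.has_section("Event Audit"):
        return {}
    return {key: int(value)
            for key, value in parser.items("Event Audit")
            if value is not None and value.strip().isdigit()}


def lockouts_logged(inf_text):
    """True when success auditing of account management is enabled,
    which is what records event ID 644 (user account locked out)."""
    value = audit_settings(inf_text).get("AuditAccountManage", 0)
    return bool(value & SUCCESS)


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        state = "logged" if lockouts_logged(text) else "NOT logged"
        print(f"{label}: account lockouts (event ID 644) are {state}")
```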
