Jump to content


Photo

Account Lockout Examiner


  • Please log in to reply
11 replies to this topic

#1 comando

comando

    Newbie

  • Members
  • Pip
  • 7 posts

Posted 21 June 2009 - 04:10 PM

i get error in Audit Status

"Logon Auditing is disabled, some funcionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy for this DC"

http://img132.images...3/dibujopon.jpg

Auditing Policies for Invalid and Valids logons is ON
Connection is OK

#2 Brian Stern

Brian Stern

    Advanced Member

  • Technical Support
  • PipPipPip
  • 259 posts

Posted 23 June 2009 - 05:40 PM

QUOTE (comando @ Jun 21 2009, 11:10 AM) <{POST_SNAPBACK}>
i get error in Audit Status

"Logon Auditing is disabled, some funcionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy for this DC"

http://img132.images...3/dibujopon.jpg

Auditing Policies for Invalid and Valids logons is ON
Connection is OK


Dear Comando,

Thank you for your Forum post.

When you have a chance, please perform the following steps:

1. Confirm that you edited logon auditing in Domain Controllers Default Group Policy.
2. Please run “rsop.msc” on the Domain Controller for which you get this error and confirm that this DC have Logon Auditing enabled in their effective audit policy settings.

Sincerely,
Brian Stern



#3 comando

comando

    Newbie

  • Members
  • Pip
  • 7 posts

Posted 23 June 2009 - 06:21 PM

QUOTE (Brian Stern @ Jun 23 2009, 12:40 PM) <{POST_SNAPBACK}>
When you have a chance, please perform the following steps:
1. Confirm that you edited logon auditing in Domain Controllers Default Group Policy.
2. Please run “rsop.msc” on the Domain Controller for which you get this error and confirm that this DC have Logon Auditing enabled in their effective audit policy settings.


(EDIT) very thanks... wink.gif

#4 talishka

talishka

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 03 February 2015 - 06:37 PM

Hi!

I have a 2012 DC. im having the same issue, i used gpedit.msc and the group policy management editor, but i'm not getting it.

Comp Config > Policies > Windows Settings > Security Settings > Advcaned Audit Policy Configuration > Account Logon

Audit Credential Validation (Success and Failure)
Audit Other Account Logon Events (Failure)

Comp Config > Policies > Windows Settings > Security Settings > Advcaned Audit Policy Configuration > Logon/Logoff

Audit Account Lockout (Success and Failure)
Audit Logoff (Sucess and Failure)
Audit Logon (Sucess and Failure)

What am i doing wrong? Thanks in advance!

#5 dsmirnov

dsmirnov

    Advanced Member

  • Root Admin
  • PipPipPip
  • 58 posts
  • Gender:Male

Posted 06 February 2015 - 03:50 PM

Hi!

I have a 2012 DC. im having the same issue, i used gpedit.msc and the group policy management editor, but i'm not getting it.

Comp Config > Policies > Windows Settings > Security Settings > Advcaned Audit Policy Configuration > Account Logon

Audit Credential Validation (Success and Failure)
Audit Other Account Logon Events (Failure)

Comp Config > Policies > Windows Settings > Security Settings > Advcaned Audit Policy Configuration > Logon/Logoff

Audit Account Lockout (Success and Failure)
Audit Logoff (Sucess and Failure)
Audit Logon (Sucess and Failure)

What am i doing wrong? Thanks in advance!

talishka,

 

To find what audit policies are actually effective on the server, please execute the following command from elevated prompt:

 

auditpol /get /category:*

 

It will show you in details what is turned on, and what is not.

 

Make sure that all subcategories under Account Management and Logon/Logoff are enabled.



#6 parrotga

parrotga

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 26 February 2015 - 01:45 PM

Hi

 

Just a question regarding this issue and this program...since i have the same pb ""Logon Auditing is disabled, some funcionality will be unavailable for this DC. Please turn on auditing of invalid logons in audit policy for this DC""

Is Audit have to be set on Default Domain Controler policy only with Netwrix, is it a prerequisite ? since in my compagny we have created a dedicated Audit GPO linked to the Domain Contoler OU, settings are well applied but stil lthis error .... 

 

C:\Users\>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  No Auditing
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        Success and Failure
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            No Auditing
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               Success and Failure
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Failure
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure

Thansk
regards


#7 parrotga

parrotga

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 27 February 2015 - 01:06 PM

Also on computers, same problem ... 

 

mini_11197676ga.png

 

http://www.dumpt.com...p0otn2cx68h.png

 

However, audit policy Failure logon is enable on computer ... 



#8 dsmirnov

dsmirnov

    Advanced Member

  • Root Admin
  • PipPipPip
  • 58 posts
  • Gender:Male

Posted 04 March 2015 - 12:47 PM

parrotga,

 

Account Lockout Examiner does not detect Advanced audit policy settings.

 

When some audit subcategories are disabled, the entire category is reported by legacy audit policies as not configured.

 

You can just disable audit policies checks by settings the reg UseWMI_Audit value to 0, and restarting the Netwrix Account Lockout Examiner service.

The value is located in the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Netwrix\Account Lockout Examiner key



#9 parrotga

parrotga

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 04 March 2015 - 01:02 PM

Hi

 

Ok thanks

 

But it seems that for Examination task, like in ma 2nd post, there is no detailed information ....

 

Also, it's a 2008 strategy, not a new things, why Advanced audit policy settings is not implemented ?

 

thanks

regards



#10 talishka

talishka

    Newbie

  • Members
  • Pip
  • 2 posts

Posted 22 September 2015 - 06:32 PM

Finally, the issue was caused by a file called audit.csv in the SYSVOL policy dir. The file contained only the headers, i had to delete it, sync again policies and then everything worked.

 

Credits: http://blogs.msdn.com/b/spatdsg/archive/2011/06/06/audit-policy-not-registering-audits.aspx?CommentPosted=true#commentmessage 



#11 JackH

JackH

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 07 January 2016 - 11:29 PM

I have an account that keeps getting locked. from your program it shows the server causing the lockout however when I try to examine the cause or what is triggering the account to be locked from the lockout examiner is does not give me the info I need. I get access denied errors. please advise. 



#12 dsmirnov

dsmirnov

    Advanced Member

  • Root Admin
  • PipPipPip
  • 58 posts
  • Gender:Male

Posted 29 January 2016 - 11:00 AM

I have an account that keeps getting locked. from your program it shows the server causing the lockout however when I try to examine the cause or what is triggering the account to be locked from the lockout examiner is does not give me the info I need. I get access denied errors. please advise. 

JackH,

 

To examine something the account used to run Account Lockout Examiner service must have a local administrator permissions on the target machine. So please make sure it has the required access.






0 user(s) are reading this topic

0 members, guests, anonymous users