
ALE help


9 replies to this topic

#1 reastman66

reastman66

    Newbie

  • Members
  • Pip
  • 4 posts

Posted 13 August 2013 - 02:47 PM

When I review the logs I can see that the account is locked out but the section where it examines the last 10 invalid logons.

The information is from fe80::c65:441c:ee1f:77eb....\\domain controller.. at 8/12/2013 time..
To view detailed information on logons, enable Failure Audit logon policy on the target workstation.

I am examining on a domain controller and the policy is in place but no information. This user is remote and is connecting on a VPN connection if it matters.

#2 jeffb

jeffb

    Advanced Member

  • Administrators
  • PipPipPip
  • 384 posts
  • Gender:Male

Posted 14 August 2013 - 12:46 PM

Hello,

If auditing is configured as you say then you should be able to filter the security event logs of the target machine and find 4624 and 4625 events. If they do not exist then this auditing policy is most likely either not enabled or not being enforced for this particular machine. You can take a look at local security policy on the machine to see what auditing policies from the domain are being applied.

#3 reastman66


Posted 14 August 2013 - 12:48 PM

So what you are saying is this is a per-machine setting to see what is locking the account, not on the DCs?

#4 jeffb


Posted 14 August 2013 - 12:50 PM

Yes, examining a lockout requires us to connect to the source of the invalid logins to parse the security event logs. The domain controller does not contain enough information to determine this.

#5 skypen

skypen

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 03 September 2013 - 03:46 AM

I also have this issue. After I did the "examine" task, it prompted me "enable Failure Audit logon policy on the target workstation".
However, when I go to the "Local Security Policy", wanting to enable that setting, it is greyed out.
When I open the GPMC from the DC, Computer > Policies > Windows Settings > Security Settings > Local Policies > Audit account logon events & Audit logon events, both already had the "Failure" enabled.

If the GPO already has these settings enabled, why does the product still tell me it is not enabled?

#6 jeffb


Posted 03 September 2013 - 01:39 PM

Although it may be enabled via Group Policy, local policy will also need to reflect this as that being enabled is what actually causes the events to be generated in the security event log. For some reason it sounds like that particular group policy is not configuring local policy on that particular workstation.

#7 acatic

acatic

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 07 November 2013 - 02:22 PM

I'm having this same issue.

The Default Domain Policy already has these settings set; on the user's side, the settings are checked on but greyed out, indicating that it might be overridden by a system setting (i.e. GPO).

I've rebooted the machine running ALE, the DC, as well as the problem computer.

"To view detailed information on logons, enable Failure audit logon policy on the target workstation."

#8 jeffb


Posted 07 November 2013 - 02:28 PM

The most reliable method to ensure that the audit setting is being applied is to run an elevated command prompt and run auditpol /get /category:* on the computer in question. Any other method such as rsop or local security policy is not reliable.

-Jeff
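
The two checks discussed in this thread (the effective audit policy via auditpol, then the 4625 failed-logon events on the source machine), as an added PowerShell example that is not part of the original posts or of Account Lockout Examiner. It assumes an elevated prompt, an English-language Windows install (subcategory name "Logon"), and a placeholder account name `jdoe`.

```powershell
# Added example, not from the thread. Save as a .ps1 and run elevated on the
# machine the invalid logons come from. 'jdoe' is a constructed placeholder.
param(
    [string]$Account = 'jdoe',   # hypothetical locked-out account
    [int]$Days = 2               # how far back to search the Security log
)

# 1. Effective audit policy as the OS sees it (not what GPMC or secpol displays).
#    /r emits CSV; "Logon" is the English subcategory name (assumption).
$policy  = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
$setting = $policy.'Inclusion Setting'
"Effective 'Logon' audit setting: $setting"

if ($setting -notmatch 'Failure') {
    Write-Warning 'Failure auditing is not in effect here, so no 4625 events are being logged.'
    return
}

# 2. Failed logons (event 4625) within the time window.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# 3. Flatten each event's EventData into a lookup and keep the account of interest.
$failed = foreach ($e in $events) {
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.TargetUserName -eq $Account) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Workstation = $d.WorkstationName
            SourceIp    = $d.IpAddress
            LogonType   = $d.LogonType
            SubStatus   = $d.SubStatus   # NTSTATUS code giving the failure reason
        }
    }
}

if (-not $failed) { "No 4625 events for $Account in the last $Days day(s)."; return }

# 4. Summarise which source is producing the bad logons, then list the latest ones.
$failed | Group-Object Workstation, SourceIp, LogonType |
    Sort-Object Count -Descending | Select-Object Count, Name
$failed | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

If step 1 reports "No Auditing" or "Success" while the GPO shows Failure enabled, the policy is not reaching the machine, which matches the behaviour described in the posts above.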

#9 Serba_Tech

Serba_Tech

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 06 January 2014 - 10:32 PM

Hi to all,


I was running ALE against an Exchange Server (from this server my account has been blocked without a clear reason).

But I receive the message:

"To view detailed information on logons, enable Failure audit logon policy on the target workstation."


Taking a look under my domain, the audit settings under Logon/Logoff are Success and Failure. So the Exchange server under my domain has Logon/Logoff set to Success and Failure too; I check this using auditpol /get /category:*

So why am I still receiving the message above, and how can I see the detailed information from the Exchange logs?


regards,

Serba

#10 jeffb


Posted 07 January 2014 - 02:28 PM

Serba-Tech,

Account Lockout Examiner requires advanced audit policy configuration. If you don't want to use advanced audit policy settings, then the check for whether this is enabled on workstations can be disabled in the registry.

https://www.netwrix.com/kb/1571

-Jeff



