Configure Windows Audit Logs
The lockout troubleshooter tool requires the audit policies to be configured.
This will enable the tool to collect events 4771 and 4740 from your domain controllers.
How to enable Auditing log settings
- Open the Group Policy Management Console.
- In your Default Domain Controllers Policy, navigate to the following GPO setting:
  Computer configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Management
  Enable Success and Failure for the Audit User Account Management policy.
- Next, enable the following:
  Computer configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Account Logon
  Enable Success and Failure for the Audit Kerberos Authentication Service policy.
The required auditing is now turned on, and event IDs 4740 and 4771 will be written to the Security event log on the domain controllers when an account is locked out. The user unlock tool queries the domain controller event logs for these event IDs to display additional lockout details.
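Before relying on the tool, confirm that the policy has actually applied. The following PowerShell script is an added verification example, not part of this page or the lockout tool: it reads the effective audit setting for both subcategories with auditpol and then pulls any 4740/4771 events from the last 24 hours. It assumes it is run in an elevated session on a domain controller with an English-language auditpol output, and that Group Policy has already refreshed (run `gpupdate /force` on the DCs first).

```powershell
# Added verification example (not from the original page or the lockout tool).
# Assumes an elevated PowerShell session on a domain controller and English
# auditpol output; the subcategory names below are the ones the GPO path sets.

$Subcategories = @('User Account Management', 'Kerberos Authentication Service')

foreach ($sub in $Subcategories) {
    # auditpol prints a small table; the last column of the matching row is the
    # effective setting: "Success and Failure", "Success", "Failure" or "No Auditing".
    $row = (auditpol /get /subcategory:"$sub") |
        Where-Object { $_ -match [regex]::Escape($sub) }
    $setting = ($row -split '\s{2,}')[-1].Trim()

    if ($setting -eq 'Success and Failure') {
        Write-Host "[OK]   $sub : $setting"
    } else {
        # Most common cause: the GPO edit has not refreshed yet, or a different
        # GPO with higher precedence overrides Default Domain Controllers Policy.
        Write-Warning "$sub is set to '$setting'; expected 'Success and Failure'"
    }
}

# Pull lockout (4740) and Kerberos pre-authentication failure (4771) events
# from the last 24 hours. Reading the Security log needs admin rights or
# membership in Event Log Readers. -ErrorAction avoids a terminating error
# when no matching events exist yet.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740, 4771
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No 4740/4771 events since $since (auditing is on, but nothing has been logged yet)."
    return
}

$events |
    ForEach-Object {
        # Parse the EventData block so field names, not positional indexes, are used.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Account = $data['TargetUserName']
            # 4740 carries the caller computer name in TargetDomainName;
            # 4771 carries the client address in IpAddress.
            Source  = if ($_.Id -eq 4740) { $data['TargetDomainName'] } else { $data['IpAddress'] }
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Run the script on each domain controller (or against the PDC emulator, which records 4740 for every lockout in the domain). If a subcategory still reports "No Auditing" after `gpupdate /force`, check with `gpresult /h report.html` whether another GPO is overriding the Default Domain Controllers Policy.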