- Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management:
- Audit User Account Management → Define → Success and Failures.
- Go to Event Log → Define:
- Maximum security log size to 4 GB
- Retention method for security log to "Overwrite events as needed".
- Link the new GPO: Go to "Group Policy Management" → Right-click domain or OU → Choose Link an Existing GPO → Choose the GPO that you created.
- Force the group policy update: In "Group Policy Management" right click on the defined OU → Click "Group Policy Update".
- Open Event Viewer → Search security log for event ID 4767 (A user account was unlocked).
- Run Netwrix Auditor → Click "Reports" → Choose Active Directory → Active Directory Changes → Choose "User Account Changes" → Click "View".
- The report shows which accounts were unlocked, who unlocked them, and when.
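As an added example (not part of this article or of Netwrix Auditor), the PowerShell below pulls event ID 4767 from the Security log and extracts the same two facts the report gives you: which account was unlocked and by whom. It assumes the audit policy from the steps above is already applied; the function names and the embedded sample event are constructed for illustration.

```powershell
# Added example, not from the original article. Requires "Audit User Account
# Management" (Success) to be enabled, otherwise no 4767 events are written.

function ConvertFrom-UnlockEvent {
    param([xml]$EventXml, [datetime]$Time)
    # EventData carries the fields that matter for 4767:
    # TargetUserName = the account that was unlocked, SubjectUserName = who did it.
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time            = $Time
        UnlockedAccount = "$($data.TargetDomainName)\$($data.TargetUserName)"
        UnlockedBy      = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        SubjectLogonId  = $data.SubjectLogonId   # ties the unlock to a logon session
    }
}

function Get-AccountUnlockEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # point at a domain controller
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    # 4767 = "A user account was unlocked"
    $filter = @{ LogName = 'Security'; Id = 4767; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-UnlockEvent -EventXml ([xml]$_.ToXml()) -Time $_.TimeCreated }
}

# Constructed sample event (all values made up) so the parsing can be checked offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4767</EventID></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-0-0-0-1001</Data>
    <Data Name="SubjectUserSid">S-1-5-21-0-0-0-500</Data>
    <Data Name="SubjectUserName">helpdesk1</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>
'@
ConvertFrom-UnlockEvent -EventXml ([xml]$sample) -Time (Get-Date) | Format-Table -AutoSize

# Live query against the Security log for the last 24 hours, newest first.
Get-AccountUnlockEvents | Sort-Object Time -Descending | Format-Table -AutoSize
```

Unlocks whose UnlockedBy is not a helpdesk or admin account, or that fall outside an approved change, are the ones to investigate first.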
Continuously Monitor User Accounts Status Changes in AD to Protect Systems and Data
Automatically locking out accounts after several unsuccessful logon attempts is a common practice, since failed logon attempts can be a sign of an intruder or malware trying to get into your IT system. Before unlocking an account, it’s wise to find out why incorrect passwords were repeatedly provided; otherwise, you increase the risk of unauthorized access to your sensitive data. Therefore, it’s important to continuously monitor which accounts get unlocked and by whom, so you can spot any that were unlocked without proper approval and respond quickly to protect your systems and data.
Netwrix Auditor for Active Directory delivers complete visibility into what’s going on in your Active Directory, with more than 200 easy-to-read predefined audit reports with filtering, grouping and sorting capabilities, as well as a subscription option that automatically delivers reports via email or saves them to a shared folder. The User Account Status Changes report delivers actionable intelligence about which accounts were locked and who unlocked them, enabling IT admins to stay aware of all changes to user accounts and easily investigate any particular incident.