Account lockouts are displayed with delay

Email It to Me Print this Page
Symptoms It takes a long time for account lockouts to be reflected in NetWrix Account Lockout Examiner.
Cause This can happen if the product is set to monitor the Primary Domain Controller (PDC) only. If an account gets locked on a different domain controller, it takes time for the lockout event to replicate to the PDC, and this causes the delay.

Another possible reason is very high activity in your domain that generates more events per second than the product can handle. As a result  an event queue and a delay occurs .
To fix the issue, set the product to monitor all DCs in the monitored domain and change event processing method.

To change to All DCs mode this, perform the following steps:
  1. In NetWrix Account Lockout Examiner navigate to File --> Settings --> Managed Objects.
  2. Select your domain and click Edit.
  3. Select the All DCs radio button and click OK to save the changes.

User-added image

To change event processing method:
  1. Open the Registry Editor (navigate to Start --> Run and type regedit).
  2. Navigate to HKEY_LOCAL_MACHINE --> SOFTWARE --> NetWrix --> Account Lockout Examiner (Wow6432Node only for x64 OS)
  3. Locate the readlog key and set its value to 0.
  4. Create a new key called UseWatcher, set its type to DWORD and value to 1.
  5. Restart NetWrix Account Lockout Examiner Service via services.msc

User-added image

(*) Netwrix Auditor replaces former Change Reporter products
Was this information helpful?