Banks, credit unions, insurance companies,
User Account Lockouts and unlocks are missing from reports
|Symptoms||User Account Lockouts and Unlocks are missing and the corresponding reports are empty, even though some accounts are known to have been locked/unlocked in the selected period.
Daily summary reports also do not show any lockouts or unlocks.
|Cause||The most common reason for this issue is disabled Audit Account Management policy or some conflicts in policies.
Account lockouts, unlocks and Password resets are event-based changes which means that if the audit setting is disabled account lockouts will be detected but will not be included into reports or trigger alerts because there are no corresponding auditing events.
|Resolution||In order to resolve the issue we need to make sure that audit policy is configured correctly.
In the corresponding Group Policy Object (or Local policy if you configured auditing there)
If you use Advanced Audit Policy please check the following setting:
Even if Group Policy Object is configured correctly there might still be some conflicts that prevent GP from applying correctly.
To find out the effective audit policy on a DC, execute the following command
auditpol /get /category:*
In the output check that User Account Management is set to Success
For more information on Group Policy and related issue refer to the following articles: