I'm in a medium-size enterprise environment using Active Directory for authentication etc. Considering whether we should activate an account lockout policy for failed login attempts, I need to gather statistics on the current number of such events.
I've read MS Account Lockout Best Practices but still, I'm nowhere near understanding how to do this. The document focuses on discovering the reasons for account lockout rather than getting a clear picture from the event logs.
So, my question is this: where should I look, what should I look for (specific event IDs, Failure Codes, anything else?) to find out the number of failed logins (the user tries over and over with the wrong password). Extra bonus if I can script the process.
Some additional info: the AD servers are Windows 2003 (with one extra running Windows 2008).
Please forgive my AD ignorance.
Many thanks in advance.
Best Answer
Look (as in, apply a filter) in the Security event log on your domain controllers for EventCode 675, EventType 16. This equates to "Pre-authentication failed", which seems to be the precursor to EventCode 644, EventType 8 - "User Account Locked Out".
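A script that applies the filter described in the answer across all domain controllers, added here as an example and not part of the answer or of Microsoft's documentation. It reads each DC's Security log for event 675 (and, for the Windows 2008 DC, its successor event 4771, an ID this example assumes rather than one the answer gives), keeps only the failures whose Kerberos failure code is 0x18 (the wrong-password code), totals them per user, and replays a candidate lockout threshold and reset window over the data so you can see how many accounts the policy would have locked before turning it on. The DC names are placeholders; everything else is standard PowerShell and the `Get-EventLog` cmdlet, which uses the legacy event-log API and therefore works against Windows 2003.

```powershell
<#
Added example, not part of the original answer: reads the Security log of every
domain controller for Kerberos pre-authentication failures, keeps only the
bad-password ones, totals them per user and replays a candidate lockout policy
over them so you can see how many users it would have locked out.

Assumptions (not taken from the page):
  - $DomainControllers holds placeholder names; replace them with your DCs.
  - Windows 2003 DCs log event 675; the Windows 2008 DC logs its successor,
    event 4771 ("Kerberos pre-authentication failed" on Vista/2008 and later).
  - Kerberos failure code 0x18 (KDC_ERR_PREAUTH_FAILED) means wrong password;
    0x12 (revoked/disabled/locked) and 0x17 (password expired) are excluded.
  - Account-logon failure auditing is enabled on every DC, and the machine
    running this script can reach each DC's event log over RPC.
#>
param(
    [string[]]$DomainControllers = @('DC01', 'DC02', 'DC03'),  # placeholders
    [int]$Days = 7,            # how far back to read
    [int]$Threshold = 10,      # candidate "account lockout threshold"
    [int]$ResetMinutes = 30    # candidate "reset account lockout counter after"
)

$since = (Get-Date).AddDays(-$Days)

# Each DC logs only the bad attempts it handled itself, so every DC must be read.
$failures = @(foreach ($dc in $DomainControllers) {
    Get-EventLog -ComputerName $dc -LogName Security -After $since `
                 -EntryType FailureAudit -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 675 -or $_.EventID -eq 4771 } |
        ForEach-Object {
            $msg = $_.Message
            # 675 labels the account "User Name:", 4771 labels it "Account Name:".
            $user = if ($msg -match '(?m)^\s*(?:User Name|Account Name):\s+(\S+)') { $Matches[1] } else { 'unknown' }
            # The failure code is written as hex (0x18) or, on older builds, decimal (24); [int] accepts both.
            $code = if ($msg -match '(?m)Failure Code:\s+(0x[0-9A-Fa-f]+|\d+)') { [int]$Matches[1] } else { -1 }
            if ($code -eq 0x18) {
                [pscustomobject]@{ DC = $dc; Time = $_.TimeGenerated; EventID = $_.EventID; User = $user }
            }
        }
})

# Per-user totals, noisiest accounts first.
$perUser = $failures | Group-Object User | Sort-Object Count -Descending |
    Select-Object @{ n = 'User'; e = { $_.Name } }, Count

# Replay the candidate policy the way the real counter behaves: it resets once
# $ResetMinutes pass with no new failure, and reaching $Threshold is a lockout
# that clears the counter. Grouping by user across DCs mirrors the domain-wide
# count the PDC emulator keeps.
$reset = New-TimeSpan -Minutes $ResetMinutes
$wouldLock = @(foreach ($g in ($failures | Group-Object User)) {
    $count = 0; $last = $null; $lockouts = 0
    foreach ($t in ($g.Group | Sort-Object Time | ForEach-Object { $_.Time })) {
        if ($null -ne $last -and ($t - $last) -gt $reset) { $count = 0 }
        $count++; $last = $t
        if ($count -ge $Threshold) { $lockouts++; $count = 0 }
    }
    if ($lockouts -gt 0) {
        [pscustomobject]@{ User = $g.Name; BadAttempts = $g.Count; SimulatedLockouts = $lockouts }
    }
})

"Bad-password pre-authentication failures since $($since): $($failures.Count)"
$perUser | Select-Object -First 20 | Format-Table -AutoSize
"Accounts a $Threshold-attempt / $ResetMinutes-minute policy would have locked out: $($wouldLock.Count)"
$wouldLock | Sort-Object SimulatedLockouts -Descending | Format-Table -AutoSize

# Keep the raw records so the threshold can be re-evaluated without re-reading the logs.
$failures | Export-Csv -Path .\preauth-failures.csv -NoTypeInformation
```

Run it from a domain-joined management host as an account allowed to read the DCs' Security logs, e.g. `.\Count-PreauthFailures.ps1 -DomainControllers dc1,dc2 -Days 14 -Threshold 5 -ResetMinutes 30`, and rerun with different `-Threshold` / `-ResetMinutes` values against the exported CSV to compare candidate policies. The 0x18 filter is what separates genuine wrong-password retries from accounts that are already disabled, expired or locked, which also produce event 675 but with other failure codes.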