I have domain environment with server 2008 r2. I am trying to troubleshoot an account that periodically gets locked out but event 4740 is not being logged.
I have checked the status of logging as per a technet forum:
Auditpol /get /Category:Logon/Logoff
The results I get are:
Logon – Success and Failure
Logoff – No Auditing
Account Lockout – Success and failure
IPsec Main Mode – No Auditing
IPsec Quick Mode – No Auditing
IPSec Extended Mode – No Auditing
Special Logon – No Auditing
Other Logon/Logoff Events – No Auditing
Network Policy Server – No Auditing
According to these results I should be seeing event 4740 when an account is locked out but it is not recorded. Only event 4625 shows up in the logs.
This problem is intermittent in our domain and seems to have started working on its own but the cause is still unknown.
Best Answer
Have you set Advanced Audit Configuration\Account Management\Audit User Account Management{Success,Failure}?