Active Directory Audit – How to Enable Audit Failure Logs in Active Directory

active-directory eventviewer Security

I have a user account that keeps on getting locked out. I am trying to find out what caused it. So I want to enable failure audits in Event Viewer as a start. But I don't know how!

How do I enable Audit Failures such that it shows up in the DC's event viewer under Windows Logs > Security?

The steps I have done so far:

  • In the DC, go to Group Policy Management Editor > Default Domain Policy (Linked) > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
  • Set the Audit account logon events, directory services access, logon events to "failure". Account management is already set to "Success, Failure".
  • In the DC, start the command prompt, type gpupdate.

The event log still shows only Audit Success, even though it can be checked that my user account is getting a bad password count every few minutes or so.

Best Answer

Do this on the "Default Domain Controller" Policy to apply to the DCs.
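
An added example, not part of the original answer: PowerShell to run in an elevated session on a DC after changing the policy, to confirm that failure auditing is actually in effect and to list failed-authentication and lockout events for the account. The account name `jdoe` and the 24-hour window are placeholders chosen for illustration.

```powershell
# Run in an elevated PowerShell session on a domain controller.
# $User is a placeholder (assumption): the sAMAccountName that keeps locking out.
$User = 'jdoe'

# 1. Re-apply computer policy so the edited GPO is processed now.
gpupdate /target:computer /force

# 2. Show the effective audit settings on this DC. The Account Logon,
#    Logon/Logoff and Account Management subcategories should list "Failure"
#    (or "Success and Failure") once the policy has applied.
auditpol /get /category:*

# 3. List the GPOs applied to this DC's computer account, to check that the
#    GPO carrying the audit settings is among them.
gpresult /r /scope computer

# 4. Pull the last 24 hours of events relevant to a lockout:
#    4625 = failed logon
#    4771 = Kerberos pre-authentication failed
#    4776 = NTLM credential validation
#    4740 = user account locked out
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4771, 4776, 4740
    StartTime = (Get-Date).AddHours(-24)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($User) } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, KeywordsDisplayNames,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

If step 2 still shows only "Success" for those subcategories, the GPO holding the failure settings is not the one being applied to the DC, which step 3 will show.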