Monitor and get notifications for locked out clients

Last Modified

Thu Mar 30 18:23 GMT 2023

Description

This article provides steps to monitor and get notifications when a client is locked out of the computer.

To monitor these events, you need to know which event IDs to look for. The Windows Event Log includes a Security log that captures them. The relevant event IDs are:

4740 - A user account was Locked Out

OSes:

  • Windows 2008 R2 and 7
  • Windows 2012 R2 and 8.1
  • Windows 2016 and 10

The type of event that is recorded in the Security Log is registered as Success, meaning that the message was received into the security log.

644 - User Account Locked

OSes:

  • Windows Server 2000
  • Windows 2003 and XP

This type of event is registered as Success and Failure.

To capture this in N-able N-central, you need to apply the Monitoring Service Windows Event Log to your Domain Controllers. (Your Domain Controller needs to be discovered and in your All Device view.) Once you have added this to the Domain Controllers, create a Notification Profile to send you e-mails when the event occurs.

Environment

  • All N-able N-central versions
  • Windows Active Directory
  • Windows Event Log Service
  • Notification Profiles

Solution

Add Windows Event Log to a device:

1. Log in as a SO Admin.

2. Open the Domain Controller in the device details.

3. Select the Monitoring tab.

4. Select Add.

5. Locate the Monitoring Service Windows Event Log.

6. Add one of these services and apply.

7. Once applied, select the new service and provide the following:

  • Service Identifier = Account Locked Out
  • Option To Monitor: Select failure and success for the Security Log
  • Event ID Include List = 4740,644

8. Save these settings and your monitoring options are now set.
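To confirm that the Domain Controller is actually recording the event the service watches for, you can query its Security log directly. The following is an added example, not part of the original article or of N-able N-central; it covers event ID 4740 only, and the one-day look-back window is an assumed value. Run it in an elevated PowerShell session on the Domain Controller.

```powershell
# Added example: list recent account lockout events (ID 4740) from the
# Security log of the machine this runs on. Requires an elevated session.
$since = (Get-Date).AddDays(-1)   # look-back window (assumed value, adjust as needed)

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
}

try {
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
}
catch {
    # Get-WinEvent raises an error when no event matches the filter.
    # Treat only that case as "nothing found"; surface anything else
    # (for example, access denied) so it is not mistaken for a clean log.
    if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
        $events = @()
    }
    else {
        throw
    }
}

if (-not $events) {
    Write-Output "No 4740 events since $since."
    Write-Output "If lockouts did occur, check that User Account Management auditing is enabled."
}
else {
    $events | ForEach-Object {
        # Read the named EventData fields from the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            LockedAccount  = $data['TargetUserName']
            # In event 4740 the TargetDomainName field holds the caller computer name.
            CallerComputer = $data['TargetDomainName']
            LoggedOn       = $_.MachineName
        }
    } | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
}
```

The CallerComputer column shows where the failed logons came from, which is usually the first thing to check once the lockout notification arrives.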

Create a Notification Profile:

1. Log in as a SO Admin.

2. From the SO Level, go to Configuration > Monitoring > Notifications.

3. Add a new Notification.

4. Select the Profile Details referred to in:

Notification of an outage not received

5. Save and Continue.

6. Add a trigger detail.

7. Use a Service Instance changes state in your trigger details and look for the service you created earlier. It should be listed as Windows Event Log - Account Locked Out, or whatever name you used in the Service Identifier.