New: October 2, 2020

Get notifications for locked out users

You can configure N-able N-central monitoring to notify you when a user is locked out of their computer. Getting the notification enables you to unlock the computer for the user quickly.

The events to look for when a user is locked are found in the Security log in the Windows Event Log service. The IDs that are created within the event are:

4740 - A user account was Locked Out

OSes Windows 2008 R2 and 7

Windows 2012 R2 and 8.1

Windows 2016 and 10

The type of event that is recorded in the security log is registered as Success, meaning that the message was received into the security log.

644 - User Account Locked

OSes Windows Server 2000

Windows 2003 and XP

This type of event is registered as Success and Failure.

To capture this, you need to apply the Windows Event Log service to your Domain Controllers. Your Domain Controller needs to be discovered and in your All Device view. Once you have this added in the Domain Controllers, create a notification profile to send an e-mail when the event occurs.

At the SO level, complete the following steps.

  1. Open the Domain Controller in the device details
  2. Click the Monitoring tab and click Add.
  3. Locate the Monitoring Service Windows Event Log and add an instance this service and click Apply.
  4. Select the new service and provide the following:
    • Service Identifier = Account Locked Out
    • Option To Monitor: Select failure and succes for the Security Log
    • Event ID Include List = 4740,644
  5. Click Save.

With the monitoring options set, create a notification profile with a trigger detail that uses a Service Instance changes state that uses the service you created above.