How to enable Audit Failure logs in Active Directory?

I have a user account that keeps on getting locked out. I am trying to find out what caused it. So I want to enable failure audits in Event Viewer as a start. But I don't know how!

How do I enable Audit Failures such that it shows up in the DC's event viewer under Windows Logs > Security?

The steps I have done so far:

  • In the DC, go to Group Policy Management Editor > Default Domain Policy (Linked) > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy
  • Set the Audit account logon events, directory services access, and logon events to "Failure". Account management is already set to "Success, Failure".
  • In the DC, start the command prompt, type gpupdate.

The event log still shows only Audit Success, even though I can check that my user account's bad password count goes up every few minutes or so.


Do this on the "Default Domain Controller" Policy to apply it to the DCs.


Note that in Win2008 server and above, you need to use the "Advanced Audit Policy Configuration" options in the GPO. See screenshot:

[screenshot: Advanced Audit Policy Configuration node in the Group Policy editor]


Yes, you need to edit the Default Domain Controller policy; otherwise you need to create a new GPO and link it to the Domain Controllers OU. Once you have done it either way, you need to watch the User Account Management events:

4740 - for locked out.

4767 - for unlocked.

Refer to this article http://www.morgantechspace.com/2013/08/how-to-enable-active-directory-change.html to learn how to enable auditing in Active Directory,

and for the complete event ID list see http://www.morgantechspace.com/2013/08/active-directory-change-audit-events.html
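As an added example (not from either answer), the following PowerShell checks the effective audit subcategories on the DC and then lists the 4740/4767 events for one account, including the caller computer name that 4740 records. The account name and time window are placeholders, and it assumes an elevated session on the PDC emulator, which logs every lockout in the domain.

```powershell
# Added example, not code from the question or the answers.
# Assumes: run elevated on the PDC emulator DC; $Account is a placeholder.
param(
    [string]$Account = 'jdoe',   # placeholder sAMAccountName to investigate
    [int]$Hours = 24             # how far back to search the Security log
)

# 1. Confirm what is actually in effect. On Win2008+ the Advanced Audit
#    Policy subcategories win; the legacy "Audit account management" /
#    "Audit logon events" settings are ignored once any advanced
#    subcategory is configured, which is why failures may stay missing.
auditpol /get /subcategory:"User Account Management"
auditpol /get /category:"Account Logon"
auditpol /get /category:"Logon/Logoff"

# 2. Pull lockouts (4740) and unlocks (4767) for the account in the window.
#    4740 puts the "Caller Computer Name" in its TargetDomainName field:
#    that is the machine submitting the bad passwords.
$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4767
    StartTime = (Get-Date).AddHours(-$Hours)
}
# Get-WinEvent throws when nothing matches; treat that as an empty result.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Parse the EventData by name rather than by positional index.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data.TargetUserName -ne $Account) { continue }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Kind   = if ($e.Id -eq 4740) { 'locked out' } else { 'unlocked' }
        User   = $data.TargetUserName
        # 4740: caller computer; 4767: the admin account that unlocked it
        Source = if ($e.Id -eq 4740) { $data.TargetDomainName } else { $data.SubjectUserName }
    }
}
```

If the auditpol output shows "No Auditing" for User Account Management, the GPO change has not reached the DC yet and no 4740 will be written regardless of how many bad passwords arrive.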