| KB ID: | 10046 |
| Last Revision: | November 26, 2006 |
| Version: | 1.0 |
Search: Find events when a user account was locked out.
The advantage of using Log Fidelity's solutions is that they take the need for Event IDs out of your hands. Some edits to an object are logged with their own respective IDs, but the majority of edits to objects in Active Directory (along with reads and listings of properties) are logged under a single ID (ID: 566). This makes it impossible to find, by ID alone, any logs for a type of edit that has no ID specifically assigned to it. With Log Fidelity's solution, we take away the need for the ID altogether and let you search by the type of information you would have in a real-life scenario.
PREREQUISITES
The name of the user that was locked out.
ESTIMATED QUERY TIME
<1 second.
METHOD 1 (Advanced Search)
1. Enter the name of the user that was locked out in the Target Name field.
2. Select "Account Locked Out" in the description field and click Submit.
You can skip step 1 if you want to list all the events where a user was locked out.
LIKELY SCENARIOS IT APPLIES TO
- You are investigating a brute force attempt on a user.
- You are investigating brute force attempts on your domain.
- You want to find out when the user was locked out and what triggered the events.
FINE TUNE YOUR SEARCH
If you know the time scope or the domain of the edited objects, or want to restrict your searches to users in a specific domain, you can fine-tune your search.

