Account Lockout Reports
Account Lockout Reporting scans Active Directory for currently locked out Windows accounts, scans Windows machines for locally locked out accounts, and scans Windows Security Event Logs for Event ID 4740 (A user account was locked out.) and Event ID 4767 (A user account was unlocked.). The results are then reported in Corner Bowl Server Manager, sent through email, or saved to a file such as a CSV, HTML or PDF file.
Server Manager includes two different account lockout reports.
Type | Description |
---|---|
Security Event Log Account Lockout Summary Report | Scans multiple Domain Controller Security Event Logs for domain account lockout history event IDs 4740 and 4767 and, optionally, scans multiple stand-alone Windows Security Event Logs for non-domain local account lockout history. This report is typically used for auditing and compliance. |
Security Event Log Account Lockout History Report | Scans all assigned Security Event Logs for event ID 4740. This report is typically used for auditing and compliance. |
Account Lockout Report (Active Directory/WMI) | Scans Active Directory Windows Domains for currently locked out domain accounts and, optionally, scans multiple Windows machines for currently locked out non-domain local accounts. LDAP is used to scan Active Directory Windows Domains and WMI is used to scan Windows machines. This report is typically used for real-time troubleshooting and network administration. |
Security Event Log Account Lockout Summary Report
Server Manager includes a sample report that scans the Security Event Logs in the Centralized Log Database for lockout history event IDs 4740 and 4767.
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Account Lockout, right-click Account Lockout Report, then select Properties. The Properties View displays.
- The Properties View contains 7 configuration tabs.
The Columns Tab
Use the Columns Tab to enable and disable specific columns from the report as well as set the column order, sort order, and grouping options. For more information see: Report Columns
The Options Tab
Type | Description |
---|---|
Show account lockout history | Shows all 4740 events, then overlays the corresponding 4767 events to show the total number of times an account has been locked out and how many times an administrator has unlocked the account. Important: Windows only logs 4767 account unlock events when an Administrator manually unlocks an account. Windows does not log a 4767 account unlock event each time an account is automatically unlocked. Note: When this option is selected, the last administrator to unlock the account is listed. |
Show account lockouts not manually unlocked | Hides all 4740 Events that have a corresponding 4767 Event. |
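The two options above amount to a correlation of 4740 events against 4767 events. The following sketch is an added example, not Corner Bowl's code: the records are constructed sample data, and the pairing rule (a 4767 pairs with the most recent preceding 4740 for the same account) is an assumption, since the page does not state how a "corresponding" event is determined.

```python
from collections import defaultdict

# Constructed sample records, not real log data:
# (time, event ID, locked/unlocked account, subject that logged or performed it)
EVENTS = [
    ("2024-05-01T08:00:00", 4740, "CONTOSO\\alice", "DC01$"),
    ("2024-05-01T08:10:00", 4767, "CONTOSO\\alice", "CONTOSO\\admin1"),
    ("2024-05-01T09:00:00", 4740, "CONTOSO\\alice", "DC01$"),
    ("2024-05-01T09:30:00", 4740, "CONTOSO\\bob", "DC01$"),
    ("2024-05-01T11:00:00", 4740, "CONTOSO\\carol", "DC01$"),
    ("2024-05-01T11:05:00", 4767, "CONTOSO\\carol", "CONTOSO\\admin2"),
]

def lockout_history(events):
    """'Show account lockout history': per-account totals and last admin to unlock."""
    summary = defaultdict(
        lambda: {"lockouts": 0, "manual_unlocks": 0, "last_unlocked_by": None})
    for _, event_id, account, subject in sorted(events):
        row = summary[account]
        if event_id == 4740:
            row["lockouts"] += 1
        elif event_id == 4767:
            row["manual_unlocks"] += 1
            row["last_unlocked_by"] = subject
    return dict(summary)

def not_manually_unlocked(events):
    """'Show account lockouts not manually unlocked': hide 4740s paired with a 4767."""
    open_lockout = {}  # account -> most recent 4740 not yet paired (assumed rule)
    unpaired = []
    for event in sorted(events):
        _, event_id, account, _ = event
        if event_id == 4740:
            if account in open_lockout:
                # The earlier lockout ended without a 4767 (automatic unlock).
                unpaired.append(open_lockout[account])
            open_lockout[account] = event
        elif event_id == 4767:
            # An administrator unlock pairs with the latest lockout, if any.
            open_lockout.pop(account, None)
    unpaired.extend(open_lockout.values())
    return sorted(unpaired)

if __name__ == "__main__":
    for account, row in lockout_history(EVENTS).items():
        print(account, row)
    for event in not_manually_unlocked(EVENTS):
        print("no manual unlock:", event[0], event[2])
```

Because Windows logs no 4767 for an automatic unlock, an entry in the second view means only that no administrator unlocked the account, not that the account is still locked.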
Security Event Log Account Lockout History Report
Server Manager includes a pre-built generic Event Log Report that uses regular expressions to parse event ID 4740.
To view the sample Template:
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Account Lockout, right-click Account Lockout History, then select Properties. The Properties View displays.
Account Lockout Report (Active Directory/WMI)
Server Manager includes a sample report that scans Active Directory and stand-alone servers for accounts currently locked.
- From the Explorer View, navigate to Reports | Sample Reports | Event Logs | Security Reports | Account Lockout, right-click Account Lockout Report (Active Directory/WMI), then select Properties. The Properties View displays.
- The Properties View contains 4 configuration tabs.
The Options Tab
- Use the Scan Active Directory for locked out domain accounts check box to scan Active Directory then use the Directory Service drop-down to select the domain to monitor.
- Use the Scan assigned machines for locked out local accounts check box to scan stand-alone servers for locked out non-domain local accounts.
Host Assignment
- Use the Assignments View to assign each target host and host group.