How to configure a global exclusion rule for excluding a specific user from account lockout monitoring

How to configure a global exclusion rule for excluding a specific user from account lockout monitoring

Objective  

This guide offers step-by-step instructions for configuring an exclusion rule for specific user accounts in account lockout event monitoring, enabling administrators to minimize false positives and concentrate on critical lockout events.

Prerequisites  

    • Have access to the ADADAudit Plus web console.

    • Have an administrator role or a technician account with delegated permissions to create a Global Exclude Rule.

    • Have access to the Event Viewer on the domain controller where the lockout is being recorded.

Steps to follow

    1. Log in to the ADAudit Plus web console as an administrator or with a technician account with delegated permissions to create or modify alerts.

    2. Go to the Configuration tab, expand the Configuration section in the left pane, and select Global Exclude Configuration.

    3. Click Add Exclude Rule

    4. Enter the event number 4740 in the field labeled Event Number.

    5. Set the Variable Name as Account Name from the drop-down menu.

    6. Set the Operator as Equals.

    7. Enter the Account Name in the value section exactly as it appears in the actual event. To retrieve the correct account name, refer to event ID 4740 in the Event Viewer of the corresponding domain controller.

  • Use RDP to remote into the domain controller where the account lockout is recorded.

  • Open the Event Viewer and navigate to Windows > Security Logs.

  • Filter for Event ID 4740.

  • Select the relevant event and enter the Account Name exactly as captured in the event.

    1. Save the configuration.

    2. Restart the ADAudit Plus service to apply the configuration changes.

  • Remote into the server where ADAudit Plus is installed.

  • Open services.msc.

  • Locate the ManageEngine ADAudit Plus service and restart it.

Validation and confirmation

After configuring the global exclusion rule and restarting the ADAudit Plus service, monitor ADAudit Plus to verify that the account lockout for the excluded user is being excluded.
Note: The configured rule will only apply to events generated after its creation and will not apply for any existing events. 

Tips

  • Use exclusion rules only when necessary.

  • Use precise matching values. Ensure the event number or account name value entered in the exclude rule exactly matches the format in the Event Viewer.


      New to M365 Manager Plus?
      New to M365 Manager Plus?
        New to RecoveryManager Plus?
        New to RecoveryManager Plus?
          New to Exchange Reporter Plus?
          New to Exchange Reporter Plus?
            New to SharePoint Manager Plus?
            New to SharePoint Manager Plus?
                See all integrations
                New to ADManager Plus?
                See all integrations
                New to ADManager Plus?

                  New to ADSelfService Plus?

                  Start your free trial
                  Start your free trial

                    • Related Articles

                    • How to schedule a custom File/Folder changes report excluding specific File Types

                      Objective This article explains how to configure and schedule a custom File/Folder Change report in ADAudit Plus while applying filters to exclude specific file types. This allows administrators to monitor critical file activity while ignoring ...

                    • How to exclude user accounts in ADAudit Plus

                      Objective This article explains how to exclude specific user accounts from being audited in ADAudit Plus. Prerequisites Access to the ADAudit Plus console is required. You must have either the Administrator role or a technician account with ...

                    • How to exclude user accounts in ADAudit Plus

                      Objective This article explains how to exclude specific user accounts from being audited in ADAudit Plus. Prerequisites Access to the ADAudit Plus console is required. You must have either the Administrator role or a technician account with ...

                    • No data available in Account Lockout Analyzer report

                      In this article: Issue description Prerequisites Possible causes Resolution Related topics and articles When and how to reach support Issue description The Account Lockout Analyzer in ADAudit Plus provides administrators with insights into account ...

                    • How to configure an alert for monitoring changes to specific files or folders

                      Objective To guide users through the process of creating an alert in ADAudit Plus that notifies them whenever specific files or folders are modified, accessed, created, deleted, moved or renamed ensuring proactive monitoring and quick response to ...

                      Related Products