Objective
This guide offers step-by-step instructions for configuring an exclusion rule for specific user accounts in account lockout event monitoring, enabling administrators to minimize false positives and concentrate on critical lockout events.
Prerequisites
Have access to the ADAudit Plus web console.
Have an administrator role or a technician account with delegated permissions to create a Global Exclude Rule.
Have access to the Event Viewer on the domain controller where the lockout is being recorded.
Steps to follow
1. Log in to the ADAudit Plus web console as an administrator or with a technician account with delegated permissions to create or modify alerts.
2. Go to the Configuration tab, expand the Configuration section in the left pane, and select Global Exclude Configuration.
3. Click Add Exclude Rule.
4. Enter the event number 4740 in the field labeled Event Number.
5. Set the Variable Name as Account Name from the drop-down menu.
6. Set the Operator as Equals.
7. Enter the Account Name in the value section exactly as it appears in the actual event. To retrieve the correct account name, refer to event ID 4740 in the Event Viewer of the corresponding domain controller.
   a. Use RDP to remote into the domain controller where the account lockout is recorded.
   b. Open the Event Viewer and navigate to Windows > Security Logs.
   c. Filter for Event ID 4740.
   d. Select the relevant event and enter the Account Name exactly as captured in the event.
8. Save the configuration.
9. Restart the ADAudit Plus service to apply the configuration changes.
   a. Remote into the server where ADAudit Plus is installed.
   b. Open services.msc.
   c. Locate the ManageEngine ADAudit Plus service and restart it.
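As an alternative to reading the account name from the Event Viewer by hand, the following added example (not part of the original article or of ADAudit Plus) lists recent 4740 events on the domain controller so the value can be copied exactly as recorded, and shows how often and from where each account locks out before you decide to exclude it. It assumes an elevated PowerShell session on the domain controller; the 7-day window is an assumed value.

```powershell
# Added example: summarize account lockout events (ID 4740) from the local
# domain controller's Security log. Run in an elevated PowerShell session.
$Days = 7   # look-back window in days (assumed value, adjust as needed)

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}

# Read each event's XML so field values are taken verbatim from the record.
$lockouts = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            # In event 4740, TargetUserName is the account that was locked out.
            AccountName    = $data['TargetUserName']
            # In event 4740, TargetDomainName carries the caller computer name.
            CallerComputer = $data['TargetDomainName']
        }
    }

if (-not $lockouts) {
    Write-Output "No 4740 events found in the last $Days day(s)."
    return
}

# One row per account: the exact name to enter in the exclude rule, how many
# lockouts occurred, the most recent one, and the originating computers.
$lockouts | Group-Object AccountName | Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            AccountName     = $_.Name
            Lockouts        = $_.Count
            LastLockout     = ($_.Group | Measure-Object TimeCreated -Maximum).Maximum
            CallerComputers = ($_.Group.CallerComputer | Sort-Object -Unique) -join ', '
        }
    } | Format-Table -AutoSize
```

An account whose lockouts come from many different caller computers deserves investigation before it is added to an exclude rule, since the rule will hide all of its future 4740 events.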
Validation and confirmation
After configuring the global exclusion rule and restarting the ADAudit Plus service, monitor ADAudit Plus to verify that account lockout events for the excluded user are being excluded.
Note: The configured rule applies only to events generated after its creation and does not apply to any existing events.
Tips
Use exclusion rules only when necessary.
Use precise matching values. Ensure the event number or account name value entered in the exclude rule exactly matches the format in the Event Viewer.
Related topics and articles
No data is available in Account Lockout Analyzer report