In this article:  

• Issue description

• Prerequisites

• Possible causes

• Resolution

• Related topics and articles

• When and how to reach support

Issue description  

The Account Lockout Analyzer in ADAudit Plus provides administrators with insights into account lockouts, including the cause, source, and frequency of lockout events. This feature helps IT teams quickly identify misconfigured applications, outdated credentials, or unauthorized access attempts causing repeated lockouts. However, in some cases, the Account Lockout Analyzer may fail to display any data or trace the lockout source. This issue typically arises due to insufficient auditing configurations, lack of necessary permissions, or communication failures between ADAudit Plus and Domain Controllers.

Prerequisites  

Before troubleshooting, verify that the following prerequisites are met:

• Audit Policy should be configured as per our recommendations.

• Category: Account Management

• Subcategory: Audit User Account Management

• Audit Events: Success and Failure

• The Service Account must have Domain Admin privileges to query the top 9 components.

• IIS should be enabled on the ADAudit Plus server, and IIS logging must be configured on the Exchange Server where the Client Access Server role is enabled.

Possible causes  

• The 4740 event (account lockout event) might not have been captured in the Event Viewer of the Domain Controller.

• ADAudit Plus has not collected the event due to misconfigured audit settings.

• The Service Account does not have Domain Admin privileges to query the machine remotely.

• IIS logging is not configured correctly on the Exchange Server with the Client Access Server role enabled.

Resolution  

Step 1: Verify 4740 event in event viewer  

1. Open Event Viewer on the Domain Controller.

2. Navigate to Windows Logs > Security.

3. Search for Event ID 4740.

4. If the event is missing, review the Audit Policy configuration and ensure account lockout events are being logged.

Step 2: Provide domain admin privileges  

1. Open ADAudit Plus.

2. Navigate to Domain Settings.

3. Select the domain and click Modify Credentials.

4. Enter the credentials of an account with Domain Admin privileges.

Step 3: Enable IIS on ADAudit Plus server  

1. Click Start, open Control Panel.

2. Select Programs, then click Programs and Features.

3. Click Turn Windows features on or off.

4. Expand Internet Information Services (IIS) and Web Management Tools.

5. Expand IIS 6 Management Compatibility.

6. Select IIS Metabase and IIS 6 configuration compatibility, then click OK.

Step 4: Configure IIS logging on exchange server  

1. Open IIS Manager on the Exchange Server where the Client Access Server role is installed.

2. Expand Server > Sites > Default Web Site.

3. Double-click Logging.

4. Set Log File Format to W3C.

5. In W3C Logging Fields, configure the required options.

6. Ensure "Use the local time for file naming and rollover" is unchecked if your time zone is not GMT.

Related topics and articles  

• Audit Policy Configuration Guide

• Event Collection Troubleshooting

• Installing and Configuring IIS

How to reach support