question

SidikiCAMARA-8584 asked DaisyZhou-MSFT commented

Why the process information is empty in audit policy tracking

Hello dear community,

I have enabled my DC to log 'Audit process tracking' in local policies: success and failure.
The goal is to identify the process locking out accounts.
I'm able to filter events on 4625, but for some reason the field 'Caller Process Name' is empty.

Can anyone suggest a step to resolve this?

PS: For test purposes, I typed the wrong password many times on a web application portal that uses AD accounts. The account gets locked, but there is no process name. I even tried locking the account through shares, in vain.

Thank you.

windows-server-security

Hello anonymous user,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou


Hello,

Hope you're doing great.
Sorry for the late response.
Unfortunately, I still do not see the process name. I did follow the instructions.


Hello anonymous user,

Can you see Event ID 4771 and Event ID 4740, or Event ID 4776 and Event ID 4740, on the DC when the account is locked out?

Best Regards,
Daisy Zhou


Hello anonymous user,
I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
Thanks for your time and have a nice day!

Best Regards,
Daisy Zhou


1 Answer

DaisyZhou-MSFT answered

Hello anonymous user,

Thank you for posting here.

To troubleshoot the account lockout, we can try the following steps.


1. Create the first GPO and link it to one OU with all DCs.
Legacy audit policy:
Computer Configuration\Windows settings\security settings\local policies\audit policy
Audit Account Logon Events - Failure
Audit Account Management - Success and Failure

Or use advanced audit policies (by default, once any advanced audit policy is configured, advanced audit policies override the legacy audit policies; if you have not configured any advanced audit policy, you only need to configure the legacy audit policies):
Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration
Account Logon:
Audit Kerberos Authentication Service - Failure
Audit Credential Validation - Failure

Account Management:
Audit User Account Management - Success and Failure


2. Create the second GPO and link it to one OU with the servers or clients that users log on to (here, where the user accounts were locked out). You can also set it via local group policy if you have only one client for testing.

Legacy audit policy:
Computer Configuration\Windows settings\security settings\local policies\audit policy
Audit Logon Events - Failure
Audit Process Tracking - Failure

Or use advanced audit policies (by default, once any advanced audit policy is configured, advanced audit policies override the legacy audit policies; if you have not configured any advanced audit policy, you only need to configure the legacy audit policies):
Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration
Logon/Logoff:
Audit Account Lockout - Failure
Audit Logon - Failure

Detailed Tracking:
Audit Process Creation - Failure
Audit Process Termination - Failure

3. We can run the following commands on the domain controllers and the client to force a policy refresh and check whether the related audit policy settings are enabled:

gpupdate /force
auditpol /get /category:*


If the account is locked out again, or after you reproduce the account lockout issue, we can check Event ID 4771 and Event ID 4740, or Event ID 4776 and Event ID 4740, on the DC.

We can check whether there is Caller Computer Name information in Event ID 4740 on the DC.

We can check whether there is Caller Computer Name or Caller Process Name information in Event ID 4625 on the client where the user logs on.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.



Best Regards,
Daisy Zhou
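A follow-up added here (not part of the answer above and not a Microsoft script): a PowerShell script that does the checking part of the procedure, pulling 4740 for the locked-out user from the DC, reading the Caller Computer Name from it, then listing the matching 4625 events on that caller with their Caller Process Name. It assumes the account running it can read the Security log on both machines, that remote event log access to the caller is allowed, and that the DC name can be taken from LOGONSERVER if none is given.

```powershell
# Added example: correlate 4740 (DC) with 4625 (caller computer) for one locked-out user.
# Assumes rights to read the Security log on both hosts and RPC access to the caller.
param(
    [Parameter(Mandatory)] [string] $User,                     # sAMAccountName that was locked out
    [string] $DomainController = $env:LOGONSERVER.TrimStart('\'),
    [int]    $Hours = 24                                       # how far back to search for 4740
)

$since = (Get-Date).AddHours(-$Hours)

# Turn an event's EventData into a hashtable keyed by each Data element's Name attribute.
function Get-EventDataMap([System.Diagnostics.Eventing.Reader.EventRecord] $Event) {
    $map = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

# Step 1: 4740 on the DC. The Caller Computer Name is stored in the Data element named TargetDomainName.
$lockouts = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    Where-Object { (Get-EventDataMap $_)['TargetUserName'] -eq $User }

if (-not $lockouts) { Write-Warning "No 4740 for $User on $DomainController since $since"; return }

foreach ($lk in $lockouts) {
    $caller = (Get-EventDataMap $lk)['TargetDomainName']
    "{0:u}  4740  user={1}  caller_computer={2}" -f $lk.TimeCreated, $User, $caller

    # Step 2: 4625 on the caller computer in a window around the lockout.
    # ProcessName is the 'Caller Process Name' shown in Event Viewer. A value of '-' or an empty
    # value usually means the failed logon arrived over the network (LogonType 3), so the origin
    # is IpAddress / WorkstationName and the process lives on that host, not on the caller.
    $window = @{ LogName = 'Security'; Id = 4625
                 StartTime = $lk.TimeCreated.AddMinutes(-30); EndTime = $lk.TimeCreated.AddMinutes(5) }
    Get-WinEvent -ComputerName $caller -FilterHashtable $window -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = Get-EventDataMap $_
            if ($d['TargetUserName'] -eq $User) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    LogonType     = $d['LogonType']
                    CallerProcess = $d['ProcessName']
                    SourceIP      = $d['IpAddress']
                    Workstation   = $d['WorkstationName']
                    SubStatus     = $d['SubStatus']
                }
            }
        } | Format-Table -AutoSize
}
```

Run it as .\Find-LockoutSource.ps1 -User jdoe from a host that can reach both the DC and the caller; when CallerProcess comes back as '-', follow SourceIP or Workstation to the next hop and repeat the 4625 query there.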
