Audit Account Lockout

Applies to

  • Windows 10
  • Windows Server 2016

Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.

If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts.

Account lockout events are essential for understanding user activity and detecting potential attacks.

Event volume: Low.

This subcategory failure logon attempts, when account was already locked out.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller No Yes No Yes We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory.
Member Server No Yes No Yes We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory.
Workstation No Yes No Yes We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).
This subcategory doesn’t have Success events, so there is no recommendation to enable Success auditing for this subcategory.

Events List:

  • 4625(F): An account failed to log on.