Ive been trying to find a monitor to let me know when an account has been locked out. Ive seen some monitors for one specific account, is there anything out there that covers all of active directory? or monitors from LDAP?
You could leverage Log and Event Manager
Or you could write a custom api that uses account lockout finder to dump that information into Solarwinds
We use LEM for this - it creates an alert that populates the LEM console and also emails appropriate parties with the locked-out account name, DC from which it originated, and timestamp.
EDIT - we also collect information on failed logins along with this. This helps in finding out the source computer or device where the failures and eventual lockouts originate.
The failed logins are really really important to catch... glad you brought that up rharland2012
I find this very useful in detecting anomalies ..... for instance .. my outside Engineer... just last night.... failed authentication multiple times to the VPN .. ... it only took me a couple of minutes to figure out what was going on .. nice to have those notifications sent on failed attempts; you can put issues to bed rather quickly!!! Think about all the possibilities that stem from failed attempts .... hacker ... bad employee messing with another employee.... and then there is just pure evil!!!
