Monitoring for single locked out user accounts is well documented here, mostly using the Windows Server 2008-2012 Domain Controller Security Template, but I'm more interested in the scenario where there's an issue with an application, or even a domain controller, that results in many AD user accounts being locked out around the same time. The idea is to be proactive and look into the root cause before our Helpdesk creates a P1 due to all the calls coming in from users.
Is there a template for this, or can I work the logic into the alert for the component down of the template mentioned above so that it alerts only if the component goes down (an account is locked out) a certain number of times within a time period? For instance, email me when there are 5 accounts locked out within 15 minutes.
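
The threshold logic asked about above (5 accounts locked out within 15 minutes), written out as an added example that is not part of the original post or of any SolarWinds template: a sliding-window count of distinct locked-out accounts. The input layout (timestamp, account, caller computer, as could be exported from Windows Security event ID 4740), the sample values and the function names are assumptions.

```python
from collections import Counter, deque
from datetime import datetime, timedelta

# Constructed sample: lockout events (Windows Security event ID 4740) exported
# as "timestamp,locked account,caller computer". All values are made up.
SAMPLE = """\
2024-03-04T08:02:10,asmith,WS-114
2024-03-04T09:00:05,bjones,APP01
2024-03-04T09:01:40,cnguyen,APP01
2024-03-04T09:03:12,bjones,APP01
2024-03-04T09:04:55,dpatel,APP01
2024-03-04T09:07:30,elopez,WS-220
2024-03-04T09:11:02,fkhan,APP01
2024-03-04T09:12:45,gmoore,APP01
2024-03-04T11:30:00,hcruz,WS-031
"""

def parse(text):
    """Turn the export into (datetime, account, caller) tuples, oldest first."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, account, caller = line.strip().split(",")
            rows.append((datetime.fromisoformat(ts), account.lower(), caller))
    return sorted(rows)

def lockout_bursts(events, threshold=5, window=timedelta(minutes=15)):
    """Alert when `threshold` distinct accounts are locked out within `window`.
    Repeat lockouts of one account count once. After an alert fires, nothing
    more is raised until the window drops back below the threshold."""
    recent, alerts, firing = deque(), [], False
    for event in events:
        recent.append(event)
        while event[0] - recent[0][0] > window:  # drop events older than the window
            recent.popleft()
        accounts = {acct for _, acct, _ in recent}
        if len(accounts) < threshold:
            firing = False
        elif not firing:
            firing = True
            # The most frequent caller computer is a first lead for the root cause.
            top_caller = Counter(c for _, _, c in recent).most_common(1)[0][0]
            alerts.append((event[0], sorted(accounts), top_caller))
    return alerts

if __name__ == "__main__":
    for when, accounts, caller in lockout_bursts(parse(SAMPLE)):
        print(f"{when}: {len(accounts)} accounts locked out, mostly from {caller}: {accounts}")
```

Counting distinct accounts rather than raw events keeps one user who locks out repeatedly from tripping the alert alone.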