This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Difference in SAM Application Event ID monitoring for User Account locked out monitoring?

Hi All,

What is the difference between:

Windows PowerShell Monitor: User Account: Account was locked out
Windows Event Log Monitor: Locked out users

How to troubleshoot this issue so it can send out an email with the event body consistently?

I have already included the event log body into the email alert like using ${N=SwisEntity;M=ComponentAlert.WindowsEventMessages}
However, some of the email alert triggered properly with the meaningful Event ID body, but not consistently on both.

  • I think you have listed the types are around the wrong way.

    Windows PowerShell Monitor - Locked Out Users

    This returns a count and list of the currently locked out users. This component monitor uses PowerShell to search AD for locked out accounts, and doesn't use the event log at all. The WindowsEventMessages variable won't return anything for this monitor type.

    Windows Event Log Monitor - User Account: Account was locked out

    This monitors the recent Security event logs and returns the specific event when an account gets locked out.