2 Replies Latest reply on Nov 6, 2015 7:46 AM by rcsteve

    NewB question re: Account Lockout


      I will admit I am a newbe and I just set up my LEM several days ago.  I am getting email alerts on events that were set up automatically by a wizard.  One of the rules is an account lockout.  I am receiving an email every night about one of my user accounts getting locked out at the same time every night.   Here is my question:


      How do I go back into the LEM to find the detail on that event?  If I am understanding the LEM, the events shown via the filters are events that happened only while I had the LEM open.  How do I go back historically and find that event?


      Hopefully I am making sense and someone can enlighten me.




        • Re: NewB question re: Account Lockout
          nicole pauls

          Two ways - search or reports. (You might also update the email template to send more details about that event, or choose a different email template that shows more detail, that way when the email gets sent it's automatic.)


          If you open up nDepth (Explore > nDepth) you can search for that event, either by type or some information like the account name. The account name might be useful because then you could see the logon failure events that come before it, too. What you're really looking for in the Disable event itself is the reason, then in the logon failures the FailureReason and LogonType fields (e.g. if FailureReason is bad password and LogonType is service, you know you have an account tied to a service whose password is wrong).