Hi Randall,
This will be an issue. A lockout occurs on a DC - this could be any DC within your Active Directory.
The lockout property is then synchronized.
But the lockout reason is not stored in Active Directory - in order to see it you need to have appropriate auditing enabled at the DC level and then actually go to their Security event logs and find the corresponding entry.
https://blogs.technet.microsoft.com/bulentozkir/2009/12/28/active-directory-troubleshooting-account-lockout-information/
In theory, all lockouts might be stored in your PDC event logs as well.
Having said this - you would need to look for the corresponding event ID 4740 - this again is a rather time-consuming process assuming you would access the Security log directly. Especially because you would need to run through all those events and try to identify the most current one with the lockout.
Next you would need to take apart the event entry and try to determine the root cause - or device that caused it.
To add more to the fun - you might have a RADIUS server that points to LDAP - often used for WiFi etc. - well, the lockout might have been caused there - but it was not the RADIUS server host, it was a client that tried to authenticate against the RADIUS server - this again might have been e.g. a WiFi controller - the controller again wasn't the root cause, it was a client MAC address - because this would likely be all you get...
Now - it is possible to retrieve all this information and show it. I would not try to gather it from all those various logs in real time - if at all - forward and pre-process that information beforehand - best would be to store it in a database and then, if an account is locked out, try to determine the corresponding entries in this database - which will be a far less process-intensive operation than running through event logs etc. in real time.
The other advantage is - you could send daily reports on this - who was locked out and on what device did this happen - such a report can bring interesting details to light - but it would be independent of PRTG - while PRTG theoretically could use the same database as the lockout-reason source.
Hope this helps a little - unfortunately Microsoft does not store such details in Active Directory and therefore it is actually pretty challenging to determine the root cause of a lockout after all.
Regards
Florian Rossmark
www.it-admins.com
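The procedure Florian describes (go to the PDC emulator, find the 4740 events, take the entry apart to get the caller computer, and ideally store the result for reporting) as an added PowerShell example. This is not code from the original post or from PRTG; it assumes the RSAT ActiveDirectory module is installed, that the account running it can read the Security log on the PDC remotely, and that "Audit User Account Management" auditing is enabled so 4740 events exist at all. The parameter names and the CSV export path are my own choices for illustration.

```powershell
<#
  Added example (not part of the original post): pull recent 4740 lockout
  events from the domain's PDC emulator, extract the locked-out account and
  the "Caller Computer Name", and optionally append the result to a CSV for a
  daily report. Assumes the RSAT ActiveDirectory module, remote read access
  to the PDC's Security log, and account-management auditing enabled.
#>
param(
    [string]$SamAccountName = '',   # empty = report all locked-out accounts
    [int]$Hours = 24,               # how far back to look
    [string]$CsvPath = ''           # e.g. C:\Reports\lockouts.csv; empty = console only
)

Import-Module ActiveDirectory

# Lockouts are reported to the PDC emulator, so its Security log is the one
# place to start instead of walking every DC's log.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises an error when nothing matches; treat that as "no lockouts".
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # The useful values sit in the EventData block of the event XML.
    # For 4740, TargetUserName is the locked-out account and TargetDomainName
    # carries the "Caller Computer Name" that Event Viewer displays.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time           = $e.TimeCreated
        ReportingDC    = $pdc
        Account        = $data['TargetUserName']
        CallerComputer = $data['TargetDomainName']
        Subject        = $data['SubjectUserName']
    }
}

if ($SamAccountName) {
    $lockouts = $lockouts | Where-Object { $_.Account -ieq $SamAccountName }
}

# Newest first: the top row is the entry you would otherwise hunt for by hand.
$lockouts = $lockouts | Sort-Object Time -Descending

if ($CsvPath) {
    # Appending to a CSV (or inserting into a database) is the "pre-process and
    # store" approach: a report or a monitoring tool can then query this file
    # instead of the live Security logs.
    $lockouts | Export-Csv -Path $CsvPath -NoTypeInformation -Append
}

$lockouts | Format-Table Time, Account, CallerComputer, ReportingDC -AutoSize

# When CallerComputer turns out to be a RADIUS/NPS host or a WiFi controller,
# the real source is one hop further (that host's own logs); this script only
# gets you to the first hop that Active Directory itself can tell you about.
```

Run it as `.\Get-Lockouts.ps1 -SamAccountName jdoe -Hours 48` to get the latest lockout for one account, or schedule it with `-CsvPath` and no account filter to build the daily "who was locked out from where" report. Because 4740 is only written on the DC that actually locked the account and then reported to the PDC emulator, querying the PDC is normally sufficient; if the PDC role has recently moved, or replication to it is broken, fall back to querying each DC from `(Get-ADDomainController -Filter *).HostName` with the same filter.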