September 28, 2016

GPO - How to Detect Who Unlocked a User Account in Active Directory

1. Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management:
  • Audit User Account Management → Define → Success and Failures.
2. Go to Event Log → Define:
  • Maximum security log size to 4gb
  • Retention method for security log to "Overwrite events as needed".
3. Link the new GPO: Go to "Group Policy Management" → Right-click domain or OU → Choose Link an Existing GPO → Choose the GPO that you created.
4. Force the group policy update: In "Group Policy Management" right click on the defined OU → Click "Group Policy Update".
5. Open Event Viewer → Search security log for event ID 4767 (A user account was unlocked).



Post a Comment