
Know when a session is being locked.


  • Know when a session is being locked.


    Is there a way to know when a user locks his session in Windows XP Pro? I tried configuring some audit, but it doesn't show when the user locks the account, it only shows when the user logs back into his session.



  • #2
    Re: Know when a session is being locked.

    Trep, we need a little more information.

    Is the XP computer trying to log into a domain, or are they trying to log on locally?

    If it's a domain, there are many ways through group policy to control how long a session stays locked out, in fact indefinitely if you like. The simplest answer to your question is, yes, there is a way to know when a user is locked out. They just can't log in, but if they wait 10 minutes (if I remember correctly by default) then they can log back in with the proper password. Are you trying to monitor unsuccessful hacking attempts? What is your main goal more specifically? In the meantime I will try to lock out an acct. on my domain and see what events come up in the event viewer. I'm sure there is an event that can be logged.


    • #3
      Re: Know when a session is being locked.

      Follow up to yesterday's comments. Good News!

      I went to the Default Domain Group Policy in AD, Windows Settings, Security Settings, Local Policies, Audit Policy, Audit account logon events, and clicked “Define these policy settings”, “Failure-only”, and did the same for Audit logon events. My account lock-out policies are 6 failed attempts locks you out for 5 minutes.

      I went to a computer, put in 6 wrong passwords, it locked me out with a message saying so. Looked at the event viewer on the domain controller and there were no failed events, however, connected to the computer where the failed attempts were made, and saw all the failed events, including the last one which explicitly states, “account locked-out”.

      Three points: After making the group policy changes, gpupdate /force didn’t work, but waiting 90 minutes for GP propagation did work. Second point, I would have thought the errors would show up on the domain controller pointing to the computer name of the failed attempts, but they only showed up on the local machine. Does anyone else know why? Third point, I imagine if your computer is not on a domain, then make those policy changes to local group policy and you would have the same results.

      Good Luck, Will
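
The failure events described in post #3 can be reviewed offline once the workstation's Security log is exported. The following is an added example, not part of the original posts: it counts bad-password events per user and workstation and reports the first lockout event that follows. The event IDs (528, 529, 539), the four-column CSV layout and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Assumed pre-Vista Security log event IDs (not stated in the thread):
LOGON_OK = 528       # successful logon
BAD_PASSWORD = 529   # logon failure: unknown user name or bad password
LOCKED_OUT = 539     # logon failure: account locked out

# Constructed sample export: time, event ID, user, workstation.
SAMPLE = """\
2005-03-01 09:00:01,529,jdoe,WS01
2005-03-01 09:00:05,529,jdoe,WS01
2005-03-01 09:00:09,529,asmith,WS02
2005-03-01 09:00:12,529,jdoe,WS01
2005-03-01 09:00:15,528,asmith,WS02
2005-03-01 09:00:18,529,jdoe,WS01
2005-03-01 09:00:22,529,jdoe,WS01
2005-03-01 09:00:27,529,jdoe,WS01
2005-03-01 09:00:31,539,jdoe,WS01
2005-03-01 09:00:40,539,jdoe,WS01
"""

def find_lockouts(csv_text):
    """Return one record per lockout with the count of failures that led to it."""
    failures = {}    # (user, workstation) -> consecutive bad-password events
    locked = set()   # keys already reported as locked out
    lockouts = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 4:
            continue  # skip blank or malformed rows
        when, event_id, user, host = (field.strip() for field in row)
        key = (user.lower(), host.upper())
        if event_id == str(BAD_PASSWORD):
            failures[key] = failures.get(key, 0) + 1
        elif event_id == str(LOCKED_OUT) and key not in locked:
            locked.add(key)  # repeated 539s while locked are not re-reported
            lockouts.append({"user": key[0], "workstation": key[1],
                             "time": when, "failed_before": failures.get(key, 0)})
        elif event_id == str(LOGON_OK):
            failures.pop(key, None)   # a good logon ends the streak
            locked.discard(key)
    return lockouts

if __name__ == "__main__":
    for hit in find_lockouts(SAMPLE):
        print(hit)
```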