Shulou(Shulou.com)06/03 Report--

Problem description: the AD account is locked frequently, and the relevant locking log records cannot be found in the system.

Process: verify that logging is turned on by:

Run cmd as an administrator on the AD server, enter the command, netdom query fsmo, and view the PDC server role

Log in to the PDC server, run cmd as an administrator, and enter the command: auditpol/get / category:* to make sure the audit policy is turned on

If the policy is enabled, look for event ID4740 in the security log of the system log

Check to see if locked event logs can be searched

If there is no event logging, or if auditing is not turned on, turn on event auditing in PDC's local policy and turn on Local Security Policy on the PDC server.

Ensure that the following event audit is turned on

ID description of other related events

Account unlocked, event ID4767

User credential authentication, event ID4776

8. Through the above check, it is found that after the audit policy is set in the group policy, the AD server uses the command auditpol/get / category:* to check that the system audit policy is still not enabled.

9. Check other servers and find that the system audit policy is not enabled by the command auditpol/get / category:*

Solution:

=

1. Rebuild the audit policy group policy applied by the AD domain control, verify the status of the AD audit policy after reconstruction, lock the client account login, and log records are normal.

two。 Check that the system audit policy status on other windows servers is still no audit state. After enabling the advanced audit policy in group policy, check that the audit status of other servers is normal through the command auditpol/get / category:*.

3. The difference between audit policies and advanced audit policies is that advanced audit policies are more selective in quantity and type, and more flexible in configuration. Refer to: https://technet.microsoft.com/en-us/library/ff182311(v=ws.10).aspx#BKMK_2

4. Both the audit policy and the advanced audit policy are used. If you want to stop the advanced audit policy, you need to do the following:

The following policy is set to disabled and enabled by default when there is no defined state

Then use auditpol / clear to clear the current audit policy

Delete audit.csv files manually

Path:

% systemroot%\ system32\ grouppolicy\ machine\ microsoft\ windows nt\ audit\ audit.csv

% systemroot%\ security\ audit\ audit.csv

Disable the advanced audit policy settings, and verify that the audit policy is valid after it is disabled

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.