Real-Time Account Lockout Monitoring with Server Manager
March 25th, 2022
In this article I am going to show you how to configure real-time account lockout monitoring with Corner Bowl Server Manager.
Table of Contents
- How to Add Domain Controllers and Stand-Alone Servers
- How to Configure the Account Lockout Template
- How to Assign Servers to the Template
- Putting it All Together
How to Add Domain Controllers and Stand-Alone Servers
The first step in this process is to add your domain controllers and stand-alone servers to the software.
- From the menu-bar select File | New. The Create New Object View displays.
- Next, select Computers, Devices and Endpoints. The Add Computers, Devices and Endpoints Dialog displays.
- Either enter the server name directly or click Browse Active Directory.
- If we click Browse Active Directory, the Browse Active Directory Dialog displays.
- Use this view to select the group of domain controllers or individual servers then click OK.
- Once added, from the Explorer View, expand Hosts. We now see the servers in a new group with the label of the parent Organizational Unit name. For example, Domain Controllers.
How to Configure the Account Lockout Template
OK, now that the domain controllers have been added to the software, we need to assign them a template that defines the account lockout monitor rules.
- Server Manager comes pre-configured with a Real-Time Account Lockout Monitor Template. The template can be found in the Explorer view. Find the root Templates node, then expand Sample Templates then Real-Time Monitors.
- Find the Real-Time Account Lockout Monitor template then right click and select Template Properties. The Event Log Monitor Template Properties View displays.
- The General Tab enables you to schedule the monitor. Since this is a real-time monitor we can see the Real-Time schedule is already applied.
- If you prefer to be notified in batches, you can set the schedule to an interval shorter than the automatic unlock interval defined in your Windows Account Lockout Policy, for example once a minute if your policy unlocks after 5 minutes.
- Also, if you want to send notifications to different network administrators during different hours, you can create multiple templates for each time range then create and assign a real-time schedule that only runs during specific times of the day.
- The Logs Tab enables you to select the logs to monitor. In this case we can see the Security Log is already checked.
- The Columns Tab enables you to define key value regular expressions to pull out multiple variable values. This feature is not necessary for Account Lockout Monitors.
- The Rules Tab defines the filter to apply and the actions to trigger.
- If we double-click on the item listed, the Log Monitor Rule Dialog displays.
- The pre-configured Account Locked Out Filter is assigned to the Filter Drop-Down.
- If we click the Pencil button to the right, the Account Lockout Monitor Filter Properties Dialog displays.
- The Account Locked Out filter is a simple Event Log filter that looks for all Event ID 4740 Success Audit entries.
- Back in the Log Monitor Rule Dialog, we can see Trigger the action once for every entry that passes this filter is selected. The other options enable you to configure frequency and proximity rules which are not needed for this monitor.
- Down further we can see the monitor state can be set to either OK, Warning or Critical when the filter is triggered.
- Next we see the pre-configured Email - Account Locked Out action is assigned to the Log Monitor Rule.
- If you haven't already assigned email addresses to this action, double-click the action. The Action Properties View displays.
- Use the Recipients Drop-Down to select an email address from the list or type in a new email address not yet configured within this software.
- Use the Subject Text Box to specify the email subject. Notice the value includes a {USER} replacement variable. When executed, this replacement variable is replaced with the name of the locked out account.
- Finally, the last option enables you to throttle emails. Typically you won't want to throttle account lockouts so this option is cleared.
- Back in the Event Log Monitor Template Properties View use the Agent Template Tab to configure this template to use the Agent to remotely execute.
- Use the Actions Tab to assign error and recovery notifications. Errors are triggered when the Domain Controller or other target server cannot be reached. Recoveries are triggered when a downed or unreachable server is back up and reachable.
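What the rule described above does to a single Security log record, as an added PowerShell example that is not Corner Bowl code: it applies the same test as the filter (Event ID 4740, Success Audit) and fills the {USER} replacement variable from the event's TargetUserName field. The function name, the subject wording and the sample event are assumptions constructed for illustration.

```powershell
# Added example, not Corner Bowl Server Manager code.
# Get-LockoutNotice is a hypothetical helper; the default subject wording is assumed.
function Get-LockoutNotice {
    param(
        [Parameter(Mandatory)][string]$EventXml,
        [string]$SubjectTemplate = 'Account Locked Out: {USER}'
    )
    $doc = [xml]$EventXml
    # local-name() sidesteps the default namespace used by the event schema.
    $id       = $doc.SelectSingleNode("//*[local-name()='EventID']").InnerText
    $keywords = $doc.SelectSingleNode("//*[local-name()='Keywords']").InnerText
    # Same test as the filter: Event ID 4740 with the Success Audit keyword.
    if ($id -ne '4740' -or $keywords -ne '0x8020000000000000') { return }

    # Flatten <Data Name="...">value</Data> pairs into a lookup table.
    $data = @{}
    foreach ($n in $doc.SelectNodes("//*[local-name()='Data']")) {
        $data[$n.GetAttribute('Name')] = $n.InnerText
    }
    [pscustomobject]@{
        Time     = $doc.SelectSingleNode("//*[local-name()='TimeCreated']").GetAttribute('SystemTime')
        User     = $data['TargetUserName']
        Caller   = $data['TargetDomainName']   # in 4740 this field holds the caller computer name
        LoggedOn = $doc.SelectSingleNode("//*[local-name()='Computer']").InnerText
        Subject  = $SubjectTemplate.Replace('{USER}', $data['TargetUserName'])
    }
}

# Constructed sample record (trimmed to the fields used above).
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2022-03-25T14:02:11.000Z" />
    <Computer>DC01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-042</Data>
  </EventData>
</Event>
'@
Get-LockoutNotice -EventXml $sample

# Live cross-check on a domain controller (elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#     ForEach-Object { Get-LockoutNotice -EventXml $_.ToXml() }
```

Comparing the live output with the notifications received is a quick way to confirm the monitor is not missing lockouts; the Caller column shows which machine sent the failed logons.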
How to Assign Servers to the Template
OK, the last step is to assign your Domain Controllers or stand-alone servers to the template.
- From the Assignments View, use the Hosts Drop-Down to assign specific servers.
- Use the Host Groups Drop-Down to assign an entire group, for example Domain Controllers.
- Click Close, then when prompted, save your changes.
Putting it All Together
- Now back in the Explorer View if we expand one of the domain controllers in the Domain Controllers group we can see the Real-Time Account Lockout Monitor Template assigned to each domain controller.
- Let's see this in action.
- First, let's open a Real-Time Security Event Log Viewer so we can watch all the entries pass through the software.
- Notice, if we expand the template we see the Security Event Log listed. Right click on the Security Event Log and select Watch. The Real-Time Event Log Viewer displays.
- Next, trigger the account lockout by entering a bogus password for a real account the number of times required by your group audit policy to lock out the account.
- Once locked out, you should see your email notification which includes the name of the account that was locked out in the subject.
- Also notice the template under the Domain Controller has triggered.
- Right click on the template and select Explore. The Monitor Status View displays.
- Notice the last locked out account is listed in the status and the history view includes all of the recently locked out accounts.
- That's real-time account lockout monitoring with Corner Bowl Server Manager.