Hi
We have a couple of Domain Controllers (Windows Server 2012) in the company, and we monitor only the PDC for Event ID 4740 (user account locked out) so we can proactively notify the user.
From what I have been reading, this Event ID 4740 is supposed to replicate from the other DCs to the PDC, but somehow we have user accounts being locked out and the PDC does not have the event in its security logs. So I have a few questions in mind:
1) Is Event ID 4740 exclusive only to the PDC, or can other DCs log this event ID as well?
2) Should only the PDC be monitored, or should all DCs be monitored for Event ID 4740? (If other DCs are monitored as well, will this generate a duplicate event ID if it is replicated to the PDC?)
3) Is there any other Event ID to monitor for user account lockouts?
4) We have a policy to lock out a user account after three bad password attempts; is there any event ID to look out for on the third bad password attempt? (The reason I ask is that Event ID 4740 does not get triggered until the fourth bad password entry is attempted, even though the account gets locked on the third attempt.)
Thank you
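An added example, not part of the original post: a PowerShell collector that reads Event ID 4740 from every domain controller rather than only the PDC, and collapses the same lockout seen on more than one DC into a single row. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the Security log on each DC remotely, and uses a 24-hour window and a per-minute grouping key chosen here for illustration.

```powershell
# Collect 4740 (account locked out) from all DCs and report each lockout once.
# Assumes: ActiveDirectory module (RSAT), remote read access to each DC's Security log.
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-24)                      # lookback window (assumed)
$dcs   = (Get-ADDomainController -Filter *).HostName   # every DC, not just the PDC

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop `
            -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
        ForEach-Object {
            # Parse the event XML so fields are picked by name, not by position.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                DC             = $dc
                Account        = $d['TargetUserName']
                CallerComputer = $d['TargetDomainName']   # 4740 carries the caller computer name here
            }
        }
    } catch {
        # Get-WinEvent throws when a DC has no matching events; skip it and continue.
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# The same lockout can appear on the DC that processed it and on the PDC emulator,
# so group rows by account and minute (an assumed heuristic) and list which DCs saw it.
$events |
    Sort-Object Time |
    Group-Object { '{0}|{1:yyyy-MM-dd HH:mm}' -f $_.Account, $_.Time } |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Time           = $first.Time
            Account        = $first.Account
            CallerComputer = $first.CallerComputer
            SeenOnDCs      = ($_.Group.DC | Sort-Object -Unique) -join ','
        }
    } | Format-Table -AutoSize
```

The same loop with Id 4771 (Kerberos pre-authentication failed) or 4776 (NTLM credential validation failed) in place of 4740 collects the individual bad-password attempts, which are written on whichever DC handled the request.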