For our domain controllers (4 x 2008 R2), we have an account lockout policy:
- Duration: 30 min
- Threshold: 20 attempts
- Reset: after 30 min
We have two views in the event viewer:
- One for Event ID 4625 (invalid attempts)
- One for Event ID 4740 (locked)
For one specific user, we occasionally (once every few months) see a lockout (4740) but no preceding invalid login attempts (4625) on any domain controller. For other users this is not the case: we see invalid login attempts prior to the lockout event.
Our audit policy should be sufficient (Logon/Logoff category):
- Logon: Failure
- Logoff: No Auditing
- Account Lockout: Success and Failure
- IPsec Main Mode: No Auditing
- IPsec Quick Mode: No Auditing
- IPsec Extended Mode: No Auditing
- Special Logon: Success and Failure
- Other Logon/Logoff Events: Success and Failure
- Network Policy Server: Success and Failure
Regards,
Ruben
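An added example (not code from the original post) that does the correlation described above by script instead of by eye: it lists every 4740 for one account on the PDC emulator, which is where lockouts are always recorded, and then searches each DC for the failed-authentication events logged in the 30 minutes before it. Besides 4625 it also queries 4771 (Kerberos pre-authentication failure) and 4776 (NTLM credential validation failure), because a bad password presented to a DC over Kerberos or NTLM is recorded under those IDs rather than as 4625. The account name, the 90-day search span and the remote-read assumptions are placeholders to adjust; the script needs PowerShell 2.0 or later and rights to read the Security log on every DC.

```powershell
# Added example, not part of the original post.
# Correlates 4740 lockouts on the PDC emulator with the failed-authentication
# events (4625, 4771, 4776) every DC logged in the preceding lockout window.
# Assumptions: $Account is a placeholder; the caller can read the Security log
# remotely on all DCs (remote event log management must be allowed).

$Account = 'ruben'                     # placeholder: the affected user
$Window  = New-TimeSpan -Minutes 30    # the policy's observation window
$Since   = (Get-Date).AddDays(-90)     # how far back to look for 4740 events
$FailIds = 4625, 4771, 4776            # what a failed domain logon leaves on a DC

$Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Pdc    = $Domain.PdcRoleOwner.Name
$Dcs    = $Domain.DomainControllers | ForEach-Object { $_.Name }

# Read one named field out of the EventData section of an event record.
function Get-EventField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4740 is written on the PDC emulator, so enumerate lockouts there.
$lockouts = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account }

foreach ($lock in $lockouts) {
    # In 4740, TargetDomainName holds the "Caller Computer Name".
    $caller = Get-EventField $lock 'TargetDomainName'
    "{0}  4740 on {1}  account={2}  caller={3}" -f $lock.TimeCreated, $Pdc, $Account, $caller

    foreach ($dc in $Dcs) {
        $hits = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = $FailIds
            StartTime = $lock.TimeCreated - $Window
            EndTime   = $lock.TimeCreated
        } -ErrorAction SilentlyContinue |
            Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account }

        foreach ($h in $hits) {
            # 4625 and 4771 carry the client address in IpAddress; 4776 names the workstation.
            $src = Get-EventField $h 'IpAddress'
            if (-not $src) { $src = Get-EventField $h 'Workstation' }
            "    {0}  {1} on {2}  status={3}  source={4}" -f `
                $h.TimeCreated, $h.Id, $dc, (Get-EventField $h 'Status'), $src
        }
        if (-not $hits) {
            "    no 4625/4771/4776 for $Account on $dc in the preceding $($Window.TotalMinutes) min"
        }
    }
}
```

If the lockout still shows up with no 4625, 4771 or 4776 on any DC, the remaining places to look are the caller computer named in the 4740 itself (its own Security log records the failed logon locally) and the Kerberos Authentication Service and Credential Validation subcategories of the audit policy, which are separate from the Logon/Logoff category listed in the post.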