1. Run gpedit.msc → Create a new GPO → Edit it: Go to "Computer Configuration" → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management:
- Audit User Account Management → Define → Success and Failures.
2. Go to Event Log → Define:
- Maximum security log size to 4gb
- Retention method for security log to "Overwrite events as needed".
3. Link the new GPO: Go to "Group Policy Management" → Right-click domain or OU → Choose Link an Existing GPO → Choose the GPO that you created.
4. Force the group policy update: In "Group Policy Management" right click on the defined OU → Click "Group Policy Update".
5. Open Event Viewer → Search security log for event ID 4767 (A user account was unlocked).
Reference: http://social.technet.microsoft.com/wiki/contents/articles/32929.how-to-detect-who-unlocked-a-user-account-in-active-directory.aspx
0 Comments