Monitoring Locked Out Accounts

Monitoring Locked Out Accounts

I am currently just starting to work with ManageEngine Eventlog Analyzer, so please forgive me if there's already a forum post with an answer to my question though I did look for one before creating this.

My goal right now is to create an email alert on a Citrix server for when a user account is locked out. Our issue is that the EventID for a locked account is 4625, which is the same for each time a user puts in a password incorrectly. Given that we have a policy that permits a set amount of attempts, this information is useless.

The two factors that differentiate a locked account from a failed attempt are the Status of 0xc0000234 or Task Category of Account Locked Out. My issue is that when I attempt to create a custom alert I see Status as an option, but this does not register 0xc0000234 as an appropriate item, and I don't see the option for Task Category.

I thought that perhaps an alternative method of monitoring the logs on our DCs would resolve this issue, but there appears to be a problem where not all locked out events are being logged on any of the DCs. So that brings me back to directly monitoring our Citrix servers.

Out of curiosity, is it possible that Status for the 0xc0000234 or Task Category options are listed as a different name in the custom alert field? Any assistance that can be offered would be greatly appreciated. Thank you.

              New to ADManager Plus?

                New to ADSelfService Plus?