User Account Lockouts and Unlocks are missing and the corresponding reports are empty, even though some accounts are known to have been locked/unlocked in the selected period.
Daily summary reports also do not show any lockouts or unlocks.
The most common reason for this issue is disabled Audit Account Management policy or some conflicts in policies.
Account lockouts, unlocks and Password resets are event-based changes which means that if the audit setting is disabled account lockouts will be detected but will not be included into reports or trigger alerts because there are no corresponding auditing events.
In order to resolve the issue we need to make sure that audit policy is configured correctly.
In the corresponding Group Policy Object (or Local policy if you configured auditing there)
- Go to Computer Configuration – Policies – Security Settings – Local Policies – Audit Policy
- Make sure Audit Account Management is set to Success
If you use Advanced Audit Policy please check the following setting:
- Go to Computer Configuration – Policies – Security Settings – Advanced Audit Policy Configuration – Audit Policies – Account management
- Make sure Audit User Account Management is set to Success
Even if Group Policy Object is configured correctly there might still be some conflicts that prevent GP from applying correctly.
To find out the effective audit policy on a DC, execute the following command
auditpol /get /category:*
In the output check that User Account Management is set to Success
For more information on Group Policy and related issue refer to the following articles: