It takes a long time for account lockouts to be reflected in NetWrix Account Lockout Examiner (ALE).
This might happen if ALE is set to monitor the Primary Domain Controller (PDC) only. If an account gets locked on a different domain controller, it takes time for the lockout event to replicate to the PDC, and this causes the delay.
Another possible reason is very high activity in your domain, which generates more events per second than the product can handle. As a result, events queue up and a delay occurs.
To fix the issue, set the product to monitor all DCs in the monitored domain and change the event processing method.
To switch to all DCs mode, perform the following steps:
- In NetWrix Account Lockout Examiner navigate to File > Settings > Managed Objects.
- Select your domain and click Edit.
- Select the all DCs radio button and click OK to save the changes.
To change the event processing method:
- Open the Registry Editor (navigate to Start > Run and type regedit).
- Navigate to HKEY_LOCAL_MACHINE > SOFTWARE > NetWrix > Account Lockout Examiner (on an x64 OS, the path goes through Wow6432Node: SOFTWARE > Wow6432Node > NetWrix > Account Lockout Examiner).
- Locate the ‘readlog’ key and set its value to 0.
- Create a new value called ‘UseWatcher’, set its type to DWORD and value to 1.
- Restart the NetWrix Account Lockout Examiner service via services.msc.
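
The registry steps above can also be scripted, which helps when the change has to be repeated or audited. The following PowerShell is an added example, not NetWrix's own tooling; it assumes an elevated session on the ALE host and that the service's display name begins with "NetWrix Account Lockout Examiner".

```powershell
# Added example: scripted form of the registry steps in this article.
# Run from an elevated PowerShell session on the machine hosting ALE.
$ErrorActionPreference = 'Stop'

# Key path from the article; on an x64 OS the key sits under Wow6432Node.
$sub  = 'NetWrix\Account Lockout Examiner'
$key  = @("HKLM:\SOFTWARE\Wow6432Node\$sub", "HKLM:\SOFTWARE\$sub") |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
if (-not $key) { throw 'Account Lockout Examiner registry key not found.' }

# Capture the current state so the change can be reverted later.
$before = Get-ItemProperty -LiteralPath $key
if (-not $before.PSObject.Properties['readlog']) {
    # The article says to locate an existing 'readlog' value, so do not create one.
    throw "'readlog' was not found under $key; check the installation."
}
[pscustomobject]@{
    Key        = $key
    readlog    = $before.readlog
    UseWatcher = $before.UseWatcher   # empty if the value did not exist yet
} | Format-List

# Apply the two settings from the article.
Set-ItemProperty -LiteralPath $key -Name 'readlog' -Value 0
New-ItemProperty -LiteralPath $key -Name 'UseWatcher' -PropertyType DWord -Value 1 -Force |
    Out-Null

# Restart the service. ASSUMPTION: the display name pattern below matches
# the installed service; adjust it to the name shown in services.msc.
$svc = Get-Service -DisplayName 'NetWrix Account Lockout Examiner*'
if (-not $svc) { throw 'ALE service not found; restart it manually via services.msc.' }
$svc | Restart-Service

# Confirm the values that are now in effect.
Get-ItemProperty -LiteralPath $key -Name 'readlog', 'UseWatcher' |
    Select-Object readlog, UseWatcher
```

The values printed before the change are the ones to restore if the original event processing method needs to be brought back.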