You noticed that some lockout events are not tracked even though audit and all settings for NetWrix Account Lockout Examiner have been configured correctly and connection to the required domain controller (DC) and audit setup are shown as OK.
First, make sure the Windows security log on your DC is reachable: connect via Event Viewer and check that events are logged. If the events are written correctly, but NetWrix Account Lockout Examiner still does not track them, do the following:
- On the computer where NetWrix Account Lockout Examiner is installed, open Registry Editor: navigate to Start – Run, enter regedit and click OK.
- In the Registry Editor left pane, navigate to HKLM\Software\Wow6432Node\NetWrix\Account Lockout Examiner, (Wow6432Node only for x64 OS).
- In the right pane, double-click readLog and set its value to 0.
- Create a new DWORD named UseWatcher and set its value to 1.
- Restart the Netwrix Account Lockout Examiner service via the Services snap-in.
If the above doesn’t help, try to change the value of UseWMI registry key to 0