How does Netwrix Account Lockout Examiner work

Account Lockout Examiner
Copy Article URL Copied

NetWrix Account Lockout Examiner tracks account lockouts in real time, enables proactive lockout resolutions, and helps administrators to effectively troubleshoot account lockouts.
Account Lockout Examiner is able to determine the origins of lockouts and show detailed information about specified lockouts and invalid logons.
Refer to Administrator’s guide in order to get information about installation and setting up of NetWrix Account Lockout Examiner

The Account Lockout Examiner tool processes Windows security logs without using agents so that the audit policy in the domain be setup, according to the requirements of the tool.
Configuration of the audit policy is described in the admin guide and this KB:

Since Windows Security log is the only source, Accoount Lockout Examiner is able to show only the information that is present in the log.

After Account Lockout Examiner finds a lockout event, it adds the information about account lockout to the list in the Summary tab. Administrator can investigate an account lockout with the help of the Examination feature. To run an examination, an administrator clicks the Examine button at the bottom of the list in the Summary tab, or right-clicks an account and select Examine. Examination shows a list of invalid logons, specifies the names of the processes that have used invalid credentials, and checks the most common reasons of lockouts: mapped drives, scheduled tasks, RDP sessions, and services running under credentials of the account in question.

Examination results look like this:

User-added image

For more details on interpreting the reults refer to the Administrators guide.

Go Up