Monitored Event IDs
Netwrix Account Lockout Examiner monitors invalid logons and lockouts.
Here is the detailed list of monitored events:
| Windows Vista/2008/7/2008R2 | Windows XP/2003 | Type | Description |
|---|---|---|---|
4771 | 675 | Failure | Invalid Kerberos logon - Kerberos ticket request failed |
4776 | 680,681 | Failure | Invalid NTLM logon - failed NTLM authentication attempt |
4740 | 644 | Success | An account was locked out |
4767 | 671 | Success | An account was unlocked |
4625 | 529-539* | Failure | An account failed to log on - actual invalid logon event |
*In Windows XP/2003 actual invalid logons can be logged as any of 10 events with IDs between 529 and 539