Products Affected

ELM Enterprise Manager 5.x, Log Monitor 5.x, Log Manager 5.x, ELM Enterprise Manager 6.x

Symptoms

System Admin wants to monitor locked and unlocked user accounts.

Considerations

  • Windows requires a certain security policy setting before it’ll create the events that you are looking for.
    This setting is located in secpol.msc under Local Policies | Audit Policy | Audit account management, the settings should be set for both Success and Failure.
  • The resolution given below assumes a Windows 2003 and earlier event. The process is the same for a Vista, Windows 7, Windows 2008 style event though the message field will have different text.

Resolution

You will need to setup a monitor to collect the events for the locked and unlocked user accounts.

  • In the ELM console | Monitoring | All Monitors, enabling the default monitor “Sample Event Collector – All Events” and selecting the monitor group that you want to report on (by default it is the Windows — Servers)

If the above solution generates too many events for you, create a new monitor item and assigning it to the monitor group that you want to report on.

  • In ELM Log Manager | Monitoring right click All Monitors and select New | Monitor Item.
  1. Click next, then select Event Collector from the drop down box, and select Next.
  2. In the “Event Filter Definition” dialogue box, enter Account Management in the “Category is:” field and enter *User Account Locked*|*User Account Unlocked* in the”Message contains:” field. Uncheck all but Success and Failure and select Next.
  3. You can run a test on the “Test Monitor Item” dialogue box, then select Next.
  4. On the “Agent Categories” dialogue box, select the monitor group that you want to monitor and select Next.
  5. Select your preferences on the schedule on the “Schedule” dialogue box and select Next.
  6. Enter the name (Security — User Account Locked, Unlocked) and description in the “Monitor Name and Description” dialogue box and select Finish.

Revision 1.1

Last Modified:  12/2/2010

Last Reviewed:  12/2/2010

Article Type:  Informational