Some large domains experience a ton of non-legitimate account lockouts, so using the SSC Security MP for Windows 2008 servers can get very noisy for account lockout events.
I have successfully created a rule to just pick out an “Altiris”-related account, and here are the steps.
1. Create an Event Rule based on the 4740 Account Lockout event and add an Expression with the Event Source parameter specified as “Parameter 3” Contains “Altiris”.
This will send all Account lockout events for the user Altiris. Parameter 3 is the User filter in the 4740 event.
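
To check the expression against real events before the rule goes live, the following added PowerShell example (not part of the original post) lists the numbered parameters of the newest 4740 event and counts how many recent events satisfy “Parameter 3” Contains “Altiris”. The script parameter names, the 200-event limit and the case-insensitive comparison are assumptions.

```powershell
# Added example: test a "Parameter N Contains <text>" expression against real
# 4740 events. Run elevated where the 4740 events are logged.
param(
    [int]$ParamIndex = 3,          # 1-based, as in the rule expression "Parameter 3"
    [string]$Needle  = 'Altiris',  # text the rule's Contains operator looks for
    [int]$MaxEvents  = 200         # assumption: how far back to sample
)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning 'No 4740 events found in the Security log.'; return }

# Print the numbered parameters of the newest event so the index can be checked by eye.
$xml = [xml]@($events)[0].ToXml()
$i = 0
$xml.Event.EventData.Data | ForEach-Object {
    $i++
    [pscustomobject]@{ Parameter = $i; Name = $_.Name; Value = $_.'#text' }
} | Format-Table -AutoSize

# Apply a substring test to parameter N of every sampled event.
# Case-insensitive here; that is an assumption about the rule's Contains operator.
$matched = foreach ($e in $events) {
    if ($e.Properties.Count -lt $ParamIndex) { continue }
    $value = [string]$e.Properties[$ParamIndex - 1].Value
    if ($value.IndexOf($Needle, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            Matched     = $value
        }
    }
}

"{0} of {1} events match 'Parameter {2} Contains {3}'" -f `
    @($matched).Count, @($events).Count, $ParamIndex, $Needle
$matched | Format-Table -AutoSize
```

If the count is zero while lockouts for the account are known to exist, compare the printed parameter table with the index used in the rule.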