In some cases, Change Auditor is showing a an incorrect source computer for a Locked Out Event
This issue is not caused by Change Auditor but by the way the event is created in Active Directory
Change Auditor Agent uses a DLL Hook to capture data directly from LSASS.exe
This data come directly from Active Directory, for example so when a Locked Out event is generated on a Domain Controller
When a Locked Out event occurs, Change Auditor sees an attribute change to the User Object lockouttime
CA Agent determines then the Origin based on the Caller Computer in the lockouttime modification
This process mirrors the way Windows Event logs works (i.e: ID 4740)
This is per design
How to identify the Origin of the Locked Out Event
© 2024 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center