Event ID 4740 (Account locked out) not replicating to PDC


Hi,

We have a couple of domain controllers (Windows Server 2012) in our company, and we monitor the PDC for event ID 4740 (user account locked out) so we can proactively notify the user.

From what I have been reading, event ID 4740 is supposed to replicate from the other DCs to the PDC, but somehow we have had user accounts being locked out and the PDC did not have it in its security logs. I have a few questions in mind:

1) Is event ID 4740 exclusive to the PDC, or can other DCs log the event ID as well?

2) Should only the PDC be monitored, or should all DCs be monitored for event ID 4740? (If other DCs are monitored as well, will that generate a duplicate event ID if it is replicated to the PDC?)

3) Is there any other event ID to monitor for user account lockouts?

4) On a policy that locks out the user account after 3 bad password attempts, is there an event ID to look out for on the third bad password attempt? (The reason I ask is that event ID 4740 is not triggered until a fourth bad password entry is attempted, even though the account gets locked on the third attempt.)

Thank you.

>1) Is event ID 4740 exclusive to the PDC, or can other DCs log the event ID as well?
>2) Should only the PDC be monitored, or should all DCs be monitored for event ID 4740?
 
As far as I know, the actual lockout event is logged on the DC holding the PDC emulator FSMO role. This DC is the one that processes account lockout requests for accounts in the domain. You can query the security logs for 4740 events on the PDC.
 
>3) Is there any other event ID to monitor for user account lockouts?
 
To troubleshoot account lockouts, you might want to enable more auditing at both the domain and client level. Please refer to TechNet for more details on the audit settings and relevant event IDs:
 
https://technet.microsoft.com/en-us/library/cc776964(v=ws.10).aspx
 
(Note: this link is for Windows Server 2003, and the event IDs might have been updated after Windows Server 2008. Please check this spreadsheet for the latest security audit events: https://www.microsoft.com/en-us/download/details.aspx?id=21561)
 

Regards,

Ethan Hua


Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com
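
The query the answer describes, as an added example that is not part of the original thread: it locates the PDC emulator, reads 4740 events from its Security log, and extracts the locked account and caller computer for an alert. The function names are hypothetical; it assumes the ActiveDirectory module (RSAT) is installed and the caller may read the Security log on the PDC remotely. The sample event at the end is constructed so the parser can be checked offline.

```powershell
function ConvertFrom-LockoutEventXml {
    # Turns the XML of one 4740 event into an object with the fields an alert needs.
    param([Parameter(Mandatory)][string]$EventXml)
    $evt  = ([xml]$EventXml).Event
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreatedUtc = $evt.System.TimeCreated.SystemTime
        LockedAccount  = $data['TargetUserName']
        # In 4740 the TargetDomainName field carries the caller computer name.
        CallerComputer = $data['TargetDomainName']
        LoggedOn       = $evt.System.Computer
    }
}

function Get-PdcLockoutEvent {
    # Queries only the DC holding the PDC emulator role for recent 4740 events.
    param([int]$Minutes = 15)
    $pdc    = (Get-ADDomain).PDCEmulator
    $filter = @{ LogName = 'Security'; Id = 4740
                 StartTime = (Get-Date).AddMinutes(-$Minutes) }
    try {
        $events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events matched" means no lockouts; any other error (RPC, access) must surface.
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
    $events | ForEach-Object { ConvertFrom-LockoutEventXml -EventXml $_.ToXml() }
}

# Constructed sample event, trimmed to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2016-01-01T10:00:00.000000000Z" />
    <Computer>dc01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">WKSTN-042</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEventXml -EventXml $sample
```

On a domain-joined host, `Get-PdcLockoutEvent -Minutes 60` returns one object per lockout logged on the PDC in the last hour, or nothing when there were none.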


