Event ID 6279 – Network Policy Server Locked The User Account Due To Repeated Failed Authentication Attempts
|Sub-Category||Audit Network Policy Server|
|Description||The network policy server locked the user account due to repeated failed authentication attempts.|
Events which are audited under the Audit Network Policy Server sub-category are triggered when a user's access request are related to RADIUS (IAS) and Network Access Protection (NAP) activity. The requests are of the following types: Lock, Unlock, Grant, Deny, Discard, and Quarantine.
Every IAS and NAP user access request generates an audit event if the Network Policy Server auditing is configured, and if the NAS and IAS roles are installed on the server.
Example of 6279 log:
Network Policy Server locked the user account due to repeated failed authentication attempts.
Security ID: %1
Account Name: %2
Account Domain: %3
Fully Qualified Account Name: %4
Why does event ID 6279 need to be monitored?
On servers that run Network Policy Server (NPS), the event volume ranges from medium to high. NAP events help understand the overall health of the network, and hence must be monitored.
With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus tracks all network policy server events, helping you meet your security, operational, and compliance needs with absolute ease.
Event 6279 applies to the following operating systems:
- Windows Server 2016
- Windows 10