Windows Server Event: 1210

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

System Event » Windows Server Event: 1210

Event ID 1210: Extranet lockout.

Description AD FS will write extranet lockout events to the security audit log:
  • When a user is locked out (reaches the lockout threshold for unsuccessful login attempts).
  • When AD FS receives a login attempt for a user who is already in lockout state.
Category Active directory Federation service

Reasons to monitor this event:

  • While in log only mode, you can check the security audit log for lockout events.
  • For any events found, you can check the user state using the Get-ADFSAccountActivity cmdlet to determine if the lockout occurred from familiar or unfamiliar IP addresses, and to double check the list of familiar IP addresses for that user.

Event 1210 applies to the following operating systems:

  • Windows Server 2008 R2 and 7
  • Windows Server 2012 R2 and 8.1
  • Windows Server 2016 and 10