What if you need to find out whether a user account was locked out? You take a look in the Event Viewer of a Domain Controller, right?

Finding a locked-out user account is a typical thing you can't do with the basic filtering and search of the Event Viewer alone. You can filter on Event ID 4740 (“A user account was locked out”), but that's about it: busy domain controllers will still show you 4740 events for many different users. Two things to keep in mind before you start: 4740 is only written if the “Audit User Account Management” subcategory is enabled, and the lockout is recorded on the DC that processed it and on the PDC emulator, so the PDC emulator is the one DC that has every lockout in the domain.

[screenshot: event-viewer-manymany]


Because the username of the locked-out account (TargetUserName) sits in the details pane, which the basic filter cannot search, you'll need some advanced XML filtering…

[screenshot: event-viewer-targetusername]


…unless you want to scroll down and search until your finger hurts. 🙂

Let’s Get Started!

Step 1:

Open the Event Viewer and go to the security log of Windows.

[screenshot: event-viewer]


Step 2:

Click on “Filter Current Log…” in the actions pane.

[screenshot: event-viewer-filter-current-log]


Step 3:

Go to the XML tab and select “Edit query manually”. Click “Yes” to confirm.

[screenshot: event-viewer-filter-xml-confirm]


Step 4:

Fill in the following query (replace the word “helpdesk” with the username you're searching for):

<QueryList>
	<Query Id="0" Path="Security">
		<Select Path="Security">
			*[System[(EventID=4740)]]
			and
			*[EventData[Data[@Name='TargetUserName']='helpdesk']]
		</Select>
	</Query>
</QueryList>

Note the shape of the second predicate: Data[@Name='TargetUserName']='helpdesk' compares only the TargetUserName field. The looser form you sometimes see, Data[@Name='TargetUserName'] and (Data='helpdesk'), matches any Data element in the event that equals “helpdesk”, so it can also pick up events where the name appears in another field.

Tidy up the indentation a little to make it more readable and it will look something like this:

[screenshot: event-viewer-filter-xml-query]


Press “OK” to apply the filter.

Don't worry if you smell any smoke: this might take a while, because the filter has to walk through every event in the Security log (so it depends on the total number of events).

Result:

7 Events instead of a million! Isn’t that great?

[screenshot: event-viewer-result]


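The same filter can be run from PowerShell instead of clicking through the Event Viewer, which is handy when you have to repeat it for several accounts or several DCs. The script below is an added example, not code from the original post: it takes the XPath query above, points it at the PDC emulator (the DC that has every lockout), limits it to the last few days and pulls the interesting fields out of each event. It assumes the ActiveDirectory module is available, that you are allowed to read the Security log remotely, and that “helpdesk” is the sAMAccountName being investigated.

```powershell
# Added example (not from the original post): run the Event Viewer XPath filter
# for Event ID 4740 from PowerShell against the PDC emulator.
# Assumptions: ActiveDirectory module installed, remote Security-log read access,
# and $User is a plain sAMAccountName.
param(
    [string]$User = 'helpdesk',   # account to look for (hypothetical default)
    [int]$Days    = 7             # how far back to search
)

# The username is interpolated into XML/XPath, so refuse characters that would
# break out of the quoted literal instead of trying to escape them.
if ($User -match "['<>&]") {
    throw "Username '$User' contains characters that are not allowed in this query."
}

# The PDC emulator is the authoritative place to look for account lockouts.
$pdc = (Get-ADDomain).PDCEmulator

# Same query as in the Event Viewer dialog, with the username injected and a
# time bound added (timediff() works in milliseconds).
$sinceMs = $Days * 24 * 60 * 60 * 1000
$xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4740) and TimeCreated[timediff(@SystemTime) &lt;= $sinceMs]]]
      and
      *[EventData[Data[@Name='TargetUserName']='$User']]
    </Select>
  </Query>
</QueryList>
"@

# Get-WinEvent raises an error when nothing matches; treat that as "no results".
$events = Get-WinEvent -ComputerName $pdc -FilterXml $xml -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Convert the event to XML and index the <Data Name="..."> fields by name.
    $x    = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        LockedAccount  = $data['TargetUserName']
        # In 4740 the "Caller Computer Name" shown in the details pane is carried
        # in the Data field named TargetDomainName.
        CallerComputer = $data['TargetDomainName']
        LockingDC      = $data['SubjectUserName']
    }
}
```

Save it as, say, Find-Lockout.ps1 and run `.\Find-Lockout.ps1 -User helpdesk -Days 3`. The CallerComputer column is usually the most useful output, because it tells you which machine kept sending the bad password (a stale mapped drive, scheduled task or saved credential) and therefore where to go next.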
For more info, please visit:
http://blogs.technet.com/b/askds/archive/2011/09/26/advanced-xml-filtering-in-the-windows-event-viewer.aspx.

Good Luck!