This isn't so much a Splunk question as an Active Directory question, but I'm trying to search through our `source="WMI:WinEventLog:Security"` logs from our domain controllers to find locked-out users. Most of the time, when a user locks themselves out, we see a log from one of our two domain controllers. SOMETIMES when a user gets locked out, we get a log from BOTH domain controllers, even though they only got locked out once. I'm wondering if anyone has seen this before and knows WHY this happens?
Thanks a bunch