https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707371#M239269 <P>It depends on what information you have ingested into your Splunk environment.</P><P>Splunk is "just" a data processing tool. You have to feed it with data. If you have your AD logs in Splunk, you can search them but while there might be some people around here who have more experience with MS systems, it's generally more of a AD-related question how to find that info than it is a Splunk Question. You must know what to look for.</P><P>If your data is properly onboarded and CIM-compliant, you can look through Change datamodel (if I remember the syntax correctly)</P><PRE>| datamodel Change Account_Management.Locked_Accounts | search user="whatever"</PRE><P>&nbsp;I'm not sure though if it will only find the lockout event as such or will it contain the reason as well.</P> Fri, 20 Dec 2024 10:59:18 GMT PickleRick 2024-12-20T10:59:18Z https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707351#M239259 <P>there is a user lets say ABC and I want to check why his AD account is locked .</P> Fri, 20 Dec 2024 05:14:32 GMT https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707351#M239259 SN1 2024-12-20T05:14:32Z https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707363#M239264 <P>What information do you have available to you to help you determine this?</P> Fri, 20 Dec 2024 09:43:10 GMT https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707363#M239264 ITWhisperer 2024-12-20T09:43:10Z https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707364#M239265 <P>there is a user , he is saying his account is locked i want to check using splunk what is the cause how can i do that</P> Fri, 20 Dec 2024 09:45:56 GMT https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707364#M239265 SN1 2024-12-20T09:45:56Z https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707367#M239266 <P>What information do you have in Splunk? Which system is the user locked out of?</P> Fri, 20 Dec 2024 10:03:27 GMT https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707367#M239266 ITWhisperer 2024-12-20T10:03:27Z https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707368#M239267 <P>His AD account , windows system</P> Fri, 20 Dec 2024 10:04:40 GMT https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707368#M239267 SN1 2024-12-20T10:04:40Z https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707370#M239268 <P>OK, so what information do you have in Splunk?</P> Fri, 20 Dec 2024 10:55:57 GMT https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707370#M239268 ITWhisperer 2024-12-20T10:55:57Z https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707371#M239269 <P>It depends on what information you have ingested into your Splunk environment.</P><P>Splunk is "just" a data processing tool. You have to feed it with data. If you have your AD logs in Splunk, you can search them but while there might be some people around here who have more experience with MS systems, it's generally more of a AD-related question how to find that info than it is a Splunk Question. You must know what to look for.</P><P>If your data is properly onboarded and CIM-compliant, you can look through Change datamodel (if I remember the syntax correctly)</P><PRE>| datamodel Change Account_Management.Locked_Accounts | search user="whatever"</PRE><P>&nbsp;I'm not sure though if it will only find the lockout event as such or will it contain the reason as well.</P> Fri, 20 Dec 2024 10:59:18 GMT https://community.splunk.com/t5/Splunk-Search/Account-locked/m-p/707371#M239269 PickleRick 2024-12-20T10:59:18Z