We have an account lockout rule configured to look for Event ID 4740. We also have a subscription set up for this rule to e-mail our helpdesk.
We would like to tweak the rule/subscription to prevent notification when two domain controllers register the lockout at the same time. Currently, our helpdesk is receiving e-mails for the same lockout from two domain controllers, about 50% of the time.
The alerts are mostly identical except for the Source and Account Name fields, which contain the domain controller name.
We cannot filter to a single domain controller because we may miss an account lockout that registers on a filtered DC.
Any assistance is appreciated.
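
One way to suppress the second alert without filtering out a DC, as an added example that is not part of the original post: key each Event ID 4740 on the locked-out account within a short time window and ignore the fields that carry the DC name. The field names, the 60-second window and the sample events are assumptions; this is standalone logic, not a setting of the rule or subscription.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real log data). Field names are assumptions
# for this sketch: "source" is the reporting DC, "subject_account" is the DC
# computer account, "locked_account" is the user that was locked out.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:15:02", "source": "DC01",
     "subject_account": "DC01$", "locked_account": "jsmith"},
    {"time": "2024-05-01T09:15:03", "source": "DC02",
     "subject_account": "DC02$", "locked_account": "JSmith"},
    {"time": "2024-05-01T09:20:40", "source": "DC02",
     "subject_account": "DC02$", "locked_account": "adoe"},
    {"time": "2024-05-01T10:45:10", "source": "DC01",
     "subject_account": "DC01$", "locked_account": "jsmith"},
]


def dedupe_lockouts(events, window=timedelta(seconds=60)):
    """Return the events that should trigger a notification.

    Two 4740 events count as the same lockout when they name the same
    locked-out account and arrive within `window` of each other, regardless
    of which DC reported them. No DC is filtered out, so a lockout seen by
    only one DC still notifies.
    """
    last_seen = {}  # locked account (case-folded) -> time of latest event
    notify = []
    # Sort first so events that arrive out of order are still paired up.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        key = ev["locked_account"].casefold()
        previous = last_seen.get(key)
        last_seen[key] = when
        if previous is not None and when - previous <= window:
            continue  # same lockout, reported again by another DC
        notify.append(ev)
    return notify


if __name__ == "__main__":
    for ev in dedupe_lockouts(SAMPLE_EVENTS):
        print(ev["time"], ev["locked_account"], "first reported by", ev["source"])
```
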