Network Policy Server locked the user account due to repeated failed authentication attempts (6279)

[bob]

Man, that event ID 6279 in the Event Viewer on Windows Server pops up when the Network Policy Server decides to lock a user account. It happens because of too many failed logins in a row, you know, like someone guessing passwords wrong over and over. The server thinks it's a brute-force attack or just a forgetful user, so it slams the door shut to keep things safe. You'll see details in the event log about which user got locked, the exact time it happened, and even the policy that triggered it. I always check the Security log first because that's where these authentication fails hide out. It's under Applications and Services Logs, then Microsoft, Windows, NetworkPolicyServer, Operational. Or just search for 6279 to pull it up quick. The description spells out the user name, the domain, and how many bad tries it took before the lock. Sometimes it lists the client machine too, which helps if you're hunting for suspicious activity. I once had this happen on a domain controller, and it turned out to be a legit user mistyping their password during a late-night shift. But yeah, it logs everything precisely so you can unlock the account later if needed.

Now, to keep an eye on these locks without staring at the screen all day, you can set up a scheduled task right from the Event Viewer. I do this all the time to stay ahead of user complaints. Open Event Viewer, find that 6279 event in the log, right-click it, and pick Attach Task To This Event. It'll walk you through creating a basic task that triggers on this ID. You tell it to run a program, like sending an email via some simple command, but keep it basic without scripts. Set the trigger for any time this event fires, and schedule it to check the log periodically if you want. I like attaching it to the root Event Viewer so it covers the whole system. Test it by forcing a failed login or two, then watch the task run. That way, you get notified fast if accounts start locking left and right.

And speaking of staying on top of server hiccups like these authentication locks, you might want to think about solid backups to avoid bigger headaches. That's where BackupChain Windows Server Backup comes in handy for me. It's a straightforward Windows Server backup tool that handles full system images and also backs up virtual machines running on Hyper-V without much fuss. You get fast incremental backups that cut down on storage space, plus easy restores that don't eat up your day. I use it because it verifies data integrity automatically, so you know your security logs and user accounts are safe if something crashes. It even supports offsite copies to keep everything protected from local disasters.

Note, the PowerShell email alert code was moved to this post.