Good afternoon! I inherited the AD domain infrastructure based on Windows Server 2016. There are over 1000 users in the AD database and a password change policy is configured every 90 days, people may have more than one device. There are very frequent situations when an account begins to be blocked on some device, I found a list of event IDs, I want to understand if I deploy this monitoring system, will I be able to timely receive and see the overall picture from these logs, will the elastic be able to parse them , are there any ready-made templates for this. I want to point out that I’m new here, so please don’t be strict.
For sure it can help you. But you could try with simple way at the beginning. You could grab those data then parse needed information from them and keep it in excel as well.
Additionally please check the settings in GPO of your environment. There is dedicated settings which will make prompt message for each user where there is near end of their password expiration date as well as there is setting which will force them to change their password for the next logon before it expires