Alert on Excessive Logon Failures


This policy will run a predefined action or actions when excessive logon failures are detected on a remote computer.

  • Logon Failure Count Threshold:

  • Frequency:

  • Detection Action(s):

  • Include Logon Type 3:

This controls the desired number of logon failures, or threshold of this policy.  To edit, click and hold the slide control and move the mouse left or right to decrease or increase the threshold.

These three radio buttons control the rate at which the threshold is evaluated.

This group of switches sets the action or actions that will be taken on the remote in the event the desired failed logon threshold is exceeded.  Regardless of selection, an alert ticket will also be generated.

By default, this policy will ignore failed network authentication requests.  Enable this checkbox to override the default setting and include Logon Type 3 failures when counting total logon failures.


The Detection Actions are detected and initiated by the monitor.  As such, there may be a small delay between the final failed logon and the detection action.

If Isolate is selected and is activated, the remote computer can be un-Isolated from the computer screen by using the 'Restore Network' button.

Video:  coming soon

Date: 1/28/2018