Hi, Through experimentation and per Red Hat tech support when the deny=x switch is set in /etc/pam.d/login as below auth required pam_tally2.so deny=5 onerr=fail the lockout happens at 5 failed attempts, but the audit trail does not record it until the next try. Does the audit system provide a way to show that the lockout has occurred when the deny number is reached? Ideally this would be some system log that uses a variation of "Account locked" Thanks! ____________________________________________ Steve M. Zak, -- This email was Anti Virus checked by Astaro Security Gateway. http://www.astaro.com