Re: auditing 1 AD account

From: Eric Fitzgerald [MSFT] (ericf_at_online.microsoft.com)
Date: 07/08/03


Date: Tue, 8 Jul 2003 13:18:31 -0700


Blank workstation name usually means the login is coming from a non-Windows
machine. Can you send the entire event (there's a copy button when viewing
the event detail)?

Eric

-- 
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation
The above message is provided "AS-IS" with no warranties, and confers no
rights.

"john" <john@nospam.com> wrote in message
news:49c401c34153$6c588f20$a601280a@phx.gbl...
> We currently didn't have auditing on accounts set up.
> However, on setting it up I realised it doesn't show the
> workstation name the user is trying to log on at, which is
> critical.  There is just a blank for workstation name
> (see below).  Any idea why?
>
> Thanks for the Event Comb tool, that saves me searching
> all the DCs separately now!
>
>
> 540,AUDIT SUCCESS,Security,Thu Jul 03 12:04:16 2003,AD\cmsxgmm,Successful Network Logon:
> User Name: cmsxgmm
> Domain:  AD
> Logon ID:  (0x0,0x82F1606)
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name:
> Logon GUID: (null)
>
>
> >-----Original Message-----
> >I get this all the time. I have users who log into
> >multiple machines, and when it is time to change their
> >password, they invariably forget to log off of a machine
> >(or Terminal Services Session). When they change their
> >password, the "Ghost" logon will continue sending the old
> >password, locking out the account.
> >
> >Use Event Comb to scrub your DC Security logs. This will
> >show you at what computer the user account is being locked
> >out. You can also use various tools (Hyena or PSTools) to
> >search for user logons on a Domain level.
> >
> >Hope this helps.
> >David Sanders
> >
> >>-----Original Message-----
> >>I have an AD account that keeps getting locked, not due
> >>to user error.  I am suspicious that something/someone is
> >>trying to use this account, and the failed logins cause
> >>the account lockout.  Is there a way of auditing this 1
> >>AD account so I can see when an attempt is made to log on
> >>using this account, whether success or failure?
> >>
> >>Thanks
> >>
> >>John
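
Added example, not part of the original thread or any Microsoft tool: a small Python parser for Security log text in the layout of the event quoted above, listing where one account's logons came from and keeping blank workstation names visible. Only the first sample record comes from the thread; the other two records, the WKSTN-EXAMPLE host names and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event quoted in the thread.
# Record 1 is the quoted event; records 2 and 3 are made up for the example.
SAMPLE = r"""540,AUDIT SUCCESS,Security,Thu Jul 03 12:04:16 2003,AD\cmsxgmm,Successful Network Logon:
User Name: cmsxgmm
Domain:  AD
Logon ID:  (0x0,0x82F1606)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: (null)
540,AUDIT SUCCESS,Security,Thu Jul 03 12:09:41 2003,AD\cmsxgmm,Successful Network Logon:
User Name: cmsxgmm
Logon Type: 3
Workstation Name: WKSTN-EXAMPLE-01
540,AUDIT SUCCESS,Security,Thu Jul 03 12:10:02 2003,AD\otheruser,Successful Network Logon:
User Name: otheruser
Logon Type: 3
Workstation Name: WKSTN-EXAMPLE-02
"""

# Header line: id, result, log name, timestamp, account, description.
HEADER = re.compile(r"^(\d+),([^,]*),([^,]*),([^,]*),([^,]*),(.*)$")

def parse_events(text):
    """Split the export into records: one header line plus 'Key: value' fields."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({"id": int(m.group(1)), "result": m.group(2),
                           "time": m.group(4), "fields": {}})
        elif events and ":" in line:
            key, _, value = line.partition(":")
            events[-1]["fields"][key.strip()] = value.strip()
    return events

def sources_for(events, user):
    """Count logon sources for one account; a blank name is reported, not dropped."""
    counts = Counter()
    for ev in events:
        f = ev["fields"]
        if f.get("User Name", "").lower() == user.lower():
            counts[f.get("Workstation Name") or "<blank>"] += 1
    return counts
```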