Re: Account locking out
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/28/05
- Previous message: Molnir: "Account locking out"
- In reply to: Molnir: "Account locking out"
- Next in thread: Molnir: "Re: Account locking out"
- Reply: Molnir: "Re: Account locking out"
- Reply: Jorge_de_Almeida_Pinto: "Re: Re: Account locking out"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Jun 2005 09:55:10 -0500
I believe if you search the security logs of all the domain controllers for
lockout events ID's that it may show the user account name and computer
name - but not 100 percent sure. Just make sure that you have auditing of
account management enabled in Domain Controller Security Policy also. Event
Comb will be very useful for you in searching the domain controller security
logs for specific event ID's. The other thing you could try is to netlogon
logging on your domain controllers starting with the pdc fsmo. There is a
free tool to parse the netlogon log looking for logon failures. The link
below may help which includes tools to use and a link to a white paper on
account lockouts that also explains netlogon logging. --- Steve
"Molnir" <Molnir@discussions.microsoft.com> wrote in message
news:4C91D7BA-EF6C-4304-9877-F1810B957758@microsoft.com...
> I'm on a Windows 2000 domain. We're on a single site with 3 DCs, all
> configured as GCs. There are approximately 350 users.
>
> We have a service account that's suddenly continually locking itself out.
> I
> understand that someone somewhere has probably configured something to
> start
> using the credentials of this account and probably fat-fingered the
> password,
> but I need to determine this down to a machine if possible. We have about
> 35
> servers and it will be a huge headache to scour every single machine.
>
> The security event log doesn't seem to show me the machine that the
> lockout
> is occurring on. The log is set to have a max size of 100 MB and overwrite
> events as needed; I've exported it to prevent anything relevant from being
> overwritten. The domain auditing policy is as follows:
>
> Account Logon Events S, F
> Account Management S ,F
> Directory Service Access S, F
> Logon Events S, F
> Object Access S, F
> Policy Change S, F
> System Events F
>
> Any help would be appreciated.
>
- Previous message: Molnir: "Account locking out"
- In reply to: Molnir: "Account locking out"
- Next in thread: Molnir: "Re: Account locking out"
- Reply: Molnir: "Re: Account locking out"
- Reply: Jorge_de_Almeida_Pinto: "Re: Re: Account locking out"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
