Re: Re: Account locking out

From: Jorge_de_Almeida_Pinto (UseLinkToEmail_at_WindowsForumz.com)
Date: 06/29/05


Date: 29 Jun 2005 14:38:16 -0400


"" wrote:
> I believe if you search the security logs of all the domain controllers for
> lockout events ID's that it may show the user account name and computer
> name - but not 100 percent sure. Just make sure that you have auditing of
> account management enabled in Domain Controller Security Policy also. Event
> Comb will be very useful for you in searching the domain controller security
> logs for specific event ID's. The other thing you could try is to netlogon
> logging on your domain controllers starting with the pdc fsmo. There is a
> free tool to parse the netlogon log looking for logon failures. The link
> below may help which includes tools to use and a link to a white paper on
> account lockouts that also explains netlogon logging. --- Steve
>
> http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>
> "Molnir" <Molnir@discussions.microsoft.com> wrote in message
> news:4C91D7BA-EF6C-4304-9877-F1810B957758@microsoft.com...
> > I'm on a Windows 2000 domain. We're on a single site with 3 DCs, all
> > configured as GCs. There are approximately 350 users.
> >
> > We have a service account that's suddenly continually locking itself out. I
> > understand that someone somewhere has probably configured something to start
> > using the credentials of this account and probably fat-fingered the password,
> > but I need to determine this down to a machine if possible. We have about 35
> > servers and it will be a huge headache to scour every single machine.
> >
> > The security event log doesn't seem to show me the machine that the lockout
> > is occurring on. The log is set to have a max size of 100 MB and overwrite
> > events as needed; I've exported it to prevent anything relevant from being
> > overwritten. The domain auditing policy is as follows:
> >
> > Account Logon Events S, F
> > Account Management S, F
> > Directory Service Access S, F
> > Logon Events S, F
> > Object Access S, F
> > Policy Change S, F
> > System Events F
> >
> > Any help would be appreciated.
> >

And in addition to what Steven said:

Use the EventCombMT.exe tool, a multithreaded tool, to gather specific
events from event logs from several different computers to one central
location and then search those event logs for specific data of
interest. Some specific search categories are built into the tool,
such as account lockouts, which is already configured to include
events 529, 644, 675, 676, and 681.

Cheers,

-- 
Posted using the http://www.windowsforumz.com interface, at author's request
Topic URL: http://www.windowsforumz.com/Security-Account-locking-ftopict551015.html
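
Added example (not part of any post in this thread, and not the parsing tool the thread links to): a small Python parser that tallies failed logons for one account per source machine from netlogon.log lines, which is the "down to a machine" answer the original question asks for. The `SamLogon: ... logon of DOMAIN\user from MACHINE Returns 0x...` line layout is an assumption about the log format, and the account, domain and host names are constructed sample data.

```python
import re
from collections import Counter

# NTSTATUS codes relevant when tracing a lockout
FAILURES = {"0xC000006A": "wrong password", "0xC0000234": "account locked out"}

# Assumed netlogon.log layout for a completed logon attempt:
#   MM/DD HH:MM:SS [LOGON] SamLogon: Network logon of DOM\user from HOST Returns 0x...
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*?SamLogon: "
    r"(?:Transitive )?(?P<kind>\w+) logon of (?P<domain>[^\\\s]*)\\(?P<user>\S+) "
    r"from (?P<src>\S*)(?: \(via (?P<via>\S+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)"
)

def lockout_sources(lines, account):
    """Count failed logons for `account`, keyed by (source machine, reason)."""
    tally = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        # "Entered" lines and other accounts are skipped; names compare case-insensitively
        if not m or m["user"].lower() != account.lower():
            continue
        status = "0x" + m["status"][2:].upper()
        if status in FAILURES:
            # Some attempts carry no workstation name; keep them visible
            tally[(m["src"] or "(blank)", FAILURES[status])] += 1
    return tally

# Constructed sample lines, not taken from a real domain controller
SAMPLE = r"""
06/29 14:37:49 [LOGON] SamLogon: Network logon of CORP\jsmith from WKS112 Returns 0x0
06/29 14:37:51 [LOGON] SamLogon: Network logon of CORP\svc_backup from APPSRV07 Entered
06/29 14:37:51 [LOGON] SamLogon: Network logon of CORP\svc_backup from APPSRV07 Returns 0xC000006A
06/29 14:37:56 [LOGON] SamLogon: Network logon of CORP\svc_backup from APPSRV07 Returns 0xC000006A
06/29 14:38:02 [LOGON] SamLogon: Transitive Network logon of CORP\SVC_BACKUP from APPSRV07 (via FILESRV02) Returns 0xC0000234
06/29 14:38:05 [LOGON] SamLogon: Network logon of CORP\svc_backup from DBSRV03 Returns 0x0
""".strip().splitlines()

if __name__ == "__main__":
    for (src, reason), n in lockout_sources(SAMPLE, "svc_backup").most_common():
        print(f"{src:12} {reason:20} {n}")
```

Run it against the netlogon.log of each domain controller, starting with the PDC emulator as suggested in the thread; the machine with the highest wrong-password count is the first place to look for the stale credential.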