David H #1
how to track where user attempts login
I have an admin equivalent account that I recently had to change the
password for due to a change in personnel. The admin account now gets locked
out due to excessive failed logons on an occasional basis. How can I track
from where that account is trying to be accessed?
Thanks,
David H
David H Guest
-
Eric the IT Novice #2
how to track where user attempts login
Not sure about where you would find THAT info, but here is
a suggestion. Change the name of the account that is
getting locked out.
Whoever is accessing the account won't be able to lock it
out if they don't know the account name.
Hope this helps.
>-----Original Message-----
>I have an admin equivalent account that I recently had to change the
>password for due to a change in personnel. The admin account now gets locked
>out due to excessive failed logons on an occasional basis. How can I track
>from where that account is trying to be accessed?
>
>Thanks,
>David H
>
>
>.
Eric the IT Novice Guest
-
Chris #3
Re: how to track where user attempts login
Hi,
Assuming your GPOs are set up to audit logon events, you will be able to find
the "login denied" events in the "Security" event logs of all your DCs.
This means you will have to look on each of your DCs to know which
machine the wrong logon is coming from.
Hope this helps.
Rds,
Chris
"David H" <dhigginbotham@hazenandsawyer.com> wrote in message
news:u3EhArpXEHA.2364@TK2MSFTNGP12.phx.gbl...
> I have an admin equivalent account that I recently had to change the
> password for due to a change in personnel. The admin account now gets locked
> out due to excessive failed logons on an occasional basis. How can I track
> from where that account is trying to be accessed?
>
> Thanks,
> David H
>
>
Chris Guest
-
Doug Sherman [MVP] #4
Re: how to track where user attempts login
If you audit for account logon failure, the Security log in Event Viewer
will show the source machine for the logon attempt. You will need to enable
this in the domain controllers OU.
Doug Sherman
MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
"David H" <dhigginbotham@hazenandsawyer.com> wrote in message
news:u3EhArpXEHA.2364@TK2MSFTNGP12.phx.gbl...
> I have an admin equivalent account that I recently had to change the
> password for due to a change in personnel. The admin account now gets locked
> out due to excessive failed logons on an occasional basis. How can I track
> from where that account is trying to be accessed?
>
> Thanks,
> David H
>
>
Doug Sherman [MVP] Guest
-
David H #5
Re: how to track where user attempts login
Thanks Doug and all,
This sounds like what I need to do. Would you please tell me how to enable
this in the domain controllers OU? Or point me to a KB article or something?
Thank you very much for your help. This forum almost always has the answers.
Thanks,
David
"Doug Sherman [MVP]" <dsherman@nospam.tampabay.rr.com> wrote in message
news:uN93k5qXEHA.3516@TK2MSFTNGP09.phx.gbl...
> If you audit for account logon failure, the Security log in Event Viewer
> will show the source machine for the logon attempt. You will need to enable
> this in the domain controllers OU.
>
> Doug Sherman
> MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
>
> "David H" <dhigginbotham@hazenandsawyer.com> wrote in message
> news:u3EhArpXEHA.2364@TK2MSFTNGP12.phx.gbl...
> > I have an admin equivalent account that I recently had to change the
> > password for due to a change in personnel. The admin account now gets locked
> > out due to excessive failed logons on an occasional basis. How can I track
> > from where that account is trying to be accessed?
> >
> > Thanks,
> > David H
> >
> >
>
David H Guest
-
Chris #6
Re: how to track where user attempts login
Hi,
If I were you, I would modify the Domain Controller default GPO, as it's
kind of a security basic to audit logon events.
Rgds
"David H" <dhigginbotham@hazenandsawyer.com> wrote in message
news:OulIrNrXEHA.3112@tk2msftngp13.phx.gbl...
> Thanks Doug and all,
>
> This sounds like what I need to do. Would you please tell me how to enable
> this in the domain controllers OU? Or point me to a KB article or something?
> Thank you very much for your help. This forum almost always has the answers.
>
> Thanks,
> David
> "Doug Sherman [MVP]" <dsherman@nospam.tampabay.rr.com> wrote in message
> news:uN93k5qXEHA.3516@TK2MSFTNGP09.phx.gbl...
> > If you audit for account logon failure, the Security log in Event Viewer
> > will show the source machine for the logon attempt. You will need to enable
> > this in the domain controllers OU.
> >
> > Doug Sherman
> > MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> >
> > "David H" <dhigginbotham@hazenandsawyer.com> wrote in message
> > news:u3EhArpXEHA.2364@TK2MSFTNGP12.phx.gbl...
> > > I have an admin equivalent account that I recently had to change the
> > > password for due to a change in personnel. The admin account now gets locked
> > > out due to excessive failed logons on an occasional basis. How can I track
> > > from where that account is trying to be accessed?
> > >
> > > Thanks,
> > > David H
> > >
> > >
> >
>
Chris Guest
-
Doug Sherman [MVP] #7
Re: how to track where user attempts login
Open AD Users and Computers, Right click on the Domain Controllers OU, and
select Properties. Click the Group Policy tab, click the Edit button.
Under Computer Configuration, expand Windows Settings, expand Security
Settings, expand Local Policies, click on Audit Policy. Double click on
Account logon Events, check the box for Define these policy settings and
check the box for Failure.
The result is that every domain controller in the domain that authenticates
users will record its failed logons in the Security log in Event Viewer for
all failed logon attempts by all user accounts. If this results in an
enormous number of security events, you can select Filter from the View menu
in Event Viewer to isolate the account you are interested in.
Doug Sherman
MCSE Win2k/NT4.0, MCP+I, MVP
"David H" <dhigginbotham@hazenandsawyer.com> wrote in message
news:OulIrNrXEHA.3112@tk2msftngp13.phx.gbl...
> Thanks Doug and all,
>
> This sounds like what I need to do. Would you please tell me how to enable
> this in the domain controllers OU? Or point me to a KB article or something?
> Thank you very much for your help. This forum almost always has the answers.
>
> Thanks,
> David
> "Doug Sherman [MVP]" <dsherman@nospam.tampabay.rr.com> wrote in message
> news:uN93k5qXEHA.3516@TK2MSFTNGP09.phx.gbl...
> > If you audit for account logon failure, the Security log in Event Viewer
> > will show the source machine for the logon attempt. You will need to enable
> > this in the domain controllers OU.
> >
> > Doug Sherman
> > MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> >
> > "David H" <dhigginbotham@hazenandsawyer.com> wrote in message
> > news:u3EhArpXEHA.2364@TK2MSFTNGP12.phx.gbl...
> > > I have an admin equivalent account that I recently had to change the
> > > password for due to a change in personnel. The admin account now gets locked
> > > out due to excessive failed logons on an occasional basis. How can I track
> > > from where that account is trying to be accessed?
> > >
> > > Thanks,
> > > David H
> > >
> > >
> >
>
Doug Sherman [MVP] Guest
-
David H #8
Re: how to track where user attempts login
Thanks Chris. Where do I do this? I mean I know where to find the default GPO
in AD Users and Computers and I see security settings, but I am not sure how
to add audit logon event.
"Chris" <tophe_news@hotmail.com> wrote in message
news:eATo%23TrXEHA.1000@TK2MSFTNGP12.phx.gbl...
> Hi,
>
> If I were you, I would modify the Domain Controller default GPO, as it's
> kind of a security basic to audit logon events.
>
> Rgds
>
>
> "David H" <dhigginbotham@hazenandsawyer.com> wrote in message
> news:OulIrNrXEHA.3112@tk2msftngp13.phx.gbl...
> > Thanks Doug and all,
> >
> > This sounds like what I need to do. Would you please tell me how to enable
> > this in the domain controllers OU? Or point me to a KB article or something?
> > Thank you very much for your help. This forum almost always has the answers.
> >
> > Thanks,
> > David
> > "Doug Sherman [MVP]" <dsherman@nospam.tampabay.rr.com> wrote in message
> > news:uN93k5qXEHA.3516@TK2MSFTNGP09.phx.gbl...
> > > If you audit for account logon failure, the Security log in Event Viewer
> > > will show the source machine for the logon attempt. You will need to enable
> > > this in the domain controllers OU.
> > >
> > > Doug Sherman
> > > MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> > >
> > > "David H" <dhigginbotham@hazenandsawyer.com> wrote in message
> > > news:u3EhArpXEHA.2364@TK2MSFTNGP12.phx.gbl...
> > > > I have an admin equivalent account that I recently had to change the
> > > > password for due to a change in personnel. The admin account now gets locked
> > > > out due to excessive failed logons on an occasional basis. How can I track
> > > > from where that account is trying to be accessed?
> > > >
> > > > Thanks,
> > > > David H
> > > >
> > > >
> > >
> > >
> >
>
David H Guest
-
David H #9
Re: how to track where user attempts login
Well, dadgummit! This policy is already configured as below. But the event
viewer on the domain controller shows no failed audits for this user, but
the user account keeps getting locked from time to time. Sometimes it
occurs several times in a day, some days not at all. I guess now I need some
help in how to start troubleshooting this phenomenon. So..... how would you
go about troubleshooting an issue like this?
Thanks again Doug!
"Doug Sherman [MVP]" <dsherman@nospam.tampabay.rr.com> wrote in message
news:%23U4eb6rXEHA.212@TK2MSFTNGP12.phx.gbl...
> Open AD Users and Computers, Right click on the Domain Controllers OU, and
> select Properties. Click the Group Policy tab, click the Edit button.
> Under Computer Configuration, expand Windows Settings, expand Security
> Settings, expand Local Policies, click on Audit Policy. Double click on
> Account logon Events, check the box for Define these policy settings and
> check the box for Failure.
>
> The result is that every domain controller in the domain that authenticates
> users will record its failed logons in the Security log in Event Viewer for
> all failed logon attempts by all user accounts. If this results in an
> enormous number of security events, you can select Filter from the View menu
> in Event Viewer to isolate the account you are interested in.
>
> Doug Sherman
> MCSE Win2k/NT4.0, MCP+I, MVP
>
>
> "David H" <dhigginbotham@hazenandsawyer.com> wrote in message
> news:OulIrNrXEHA.3112@tk2msftngp13.phx.gbl...
> > Thanks Doug and all,
> >
> > This sounds like what I need to do. Would you please tell me how to enable
> > this in the domain controllers OU? Or point me to a KB article or something?
> > Thank you very much for your help. This forum almost always has the answers.
> >
> > Thanks,
> > David
> > "Doug Sherman [MVP]" <dsherman@nospam.tampabay.rr.com> wrote in message
> > news:uN93k5qXEHA.3516@TK2MSFTNGP09.phx.gbl...
> > > If you audit for account logon failure, the Security log in Event Viewer
> > > will show the source machine for the logon attempt. You will need to enable
> > > this in the domain controllers OU.
> > >
> > > Doug Sherman
> > > MCSE Win2k/NT4.0, MCSA, MCP+I, MVP
> > >
> > > "David H" <dhigginbotham@hazenandsawyer.com> wrote in message
> > > news:u3EhArpXEHA.2364@TK2MSFTNGP12.phx.gbl...
> > > > I have an admin equivalent account that I recently had to change the
> > > > password for due to a change in personnel. The admin account now gets locked
> > > > out due to excessive failed logons on an occasional basis. How can I track
> > > > from where that account is trying to be accessed?
> > > >
> > > > Thanks,
> > > > David H
> > > >
> > > >
> > >
> > >
> >
>
David H Guest
-
salvador #10
Re: how to track where user attempts login
There is probably a service which still uses such
credentials
Check the security in event viewer after enabling auditing
for failed logins
>-----Original Message-----
>Hi,
>
>Assuming your GPOs are set up to audit logon events, you will be able to find
>the "login denied" events in the "Security" event logs of all your DCs.
>This means you will have to look on each of your DCs to know which
>machine the wrong logon is coming from.
>
>Hope this helps.
>
>Rds,
>Chris
>
>
>"David H" <dhigginbotham@hazenandsawyer.com> wrote in message
>news:u3EhArpXEHA.2364@TK2MSFTNGP12.phx.gbl...
>> I have an admin equivalent account that I recently had to change the
>> password for due to a change in personnel. The admin account now gets locked
>> out due to excessive failed logons on an occasional basis. How can I track
>> from where that account is trying to be accessed?
>>
>> Thanks,
>> David H
>>
>>
>
>.
salvador Guest
-
drt #11
Re: how to track where user attempts login
Alternatively, you can enable netlogon logging on your domain controller(s).
The following link from MS explains just about everything you will need to
set it up and figure out what's happening...it's pretty well written and
explains a lot about the Microsoft logon process to boot.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
I think that you will find this to be a good solution that will help you
troubleshoot this and many other logon problems of this type. For more info
search "netlogon.log" on Google. NT40 required a checked build of
netlogon.log to enable this feature; I believe that it is native to 2K and
above.
drt
"David H" <dhigginbotham@hazenandsawyer.com> wrote in message
news:u3EhArpXEHA.2364@TK2MSFTNGP12.phx.gbl...
> I have an admin equivalent account that I recently had to change the
> password for due to a change in personnel. The admin account now gets locked
> out due to excessive failed logons on an occasional basis. How can I track
> from where that account is trying to be accessed?
>
> Thanks,
> David H
>
>
drt Guest
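
Added example (not code from the thread or from Microsoft): a Python sketch of how the netlogon.log that drt describes answers the original question, by listing failed logons for one account and counting them per source machine. The account name `svcadmin`, the host names and the sample lines are constructed, and the line layout the regex expects is an assumption that should be checked against your own domain controllers' log.

```python
import re
from collections import Counter

# NTSTATUS codes most relevant to lockout triage.
STATUS = {0xC000006A: "wrong password", 0xC0000234: "account locked out",
          0xC0000064: "no such user", 0xC0000072: "account disabled"}

# Assumed line layout; it varies a little between Windows versions, so the
# thread id, domain prefix and "(via HOST)" parts are treated as optional.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?(?:\S+: )?"
    r"SamLogon: (?:Transitive )?\w+ logon of (?P<dom>[^\\\s]*)\\(?P<user>\S+) "
    r"from (?P<src>\S*)(?: \(via (?P<via>[^)]+)\))? Returns (?P<st>0x[0-9A-Fa-f]+)$")

def failed_logons(lines, account):
    """Yield (timestamp, source, via, reason) for each failed logon of account."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["user"].lower() != account.lower():
            continue  # "Entered" lines, other accounts, unrelated entries
        code = int(m["st"], 16)
        if code == 0:
            continue  # successful logon
        # A blank source means the client sent no workstation name; the
        # "via" server that relayed the request is then the place to look.
        yield m["ts"], m["src"] or "<blank>", m["via"], STATUS.get(code, m["st"])

def sources(lines, account):
    """Count failures per originating machine, busiest first."""
    return Counter(e[1] for e in failed_logons(lines, account)).most_common()

# Constructed sample lines, not taken from a real domain controller.
SAMPLE = """\
06/24 09:14:02 [LOGON] SamLogon: Network logon of CORP\\svcadmin from FILESRV02 Entered
06/24 09:14:02 [LOGON] SamLogon: Network logon of CORP\\svcadmin from FILESRV02 Returns 0xC000006A
06/24 09:14:40 [LOGON] SamLogon: Network logon of CORP\\jdoe from WKS-042 Returns 0x0
06/24 09:15:10 [LOGON] SamLogon: Transitive Network logon of CORP\\svcadmin from WKS-117 (via MAILSRV01) Returns 0xC000006A
06/24 09:15:31 [LOGON] SamLogon: Network logon of CORP\\svcadmin from FILESRV02 Returns 0xC000006A
06/24 09:15:32 [LOGON] SamLogon: Network logon of CORP\\svcadmin from FILESRV02 Returns 0xC0000234
""".splitlines()

if __name__ == "__main__":
    for event in failed_logons(SAMPLE, "svcadmin"):
        print(*event, sep="  ")
    print(sources(SAMPLE, "svcadmin"))
```

In the constructed sample, FILESRV02 is the machine still presenting the old password, which fits salvador's suggestion of a service running with the stale credentials.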




