none
Determine which computer is causing a lockout of an account

    Question

  • HI,

    I need some help, I have an account that keeps locking out from my domain, and I want to know what computer is causing the lock out process of this account. any Idea? thoughts? I would like to creat an script that could tell me.

    waiting for your kindly replay

     

    Rgds

    Luis Alford  

    Monday, April 12, 2010 9:50 PM

Answers

    • Marked as answer by lgalford Tuesday, April 13, 2010 1:18 PM
    Monday, April 12, 2010 10:57 PM
  • hello

    although i think you should have posted that in Active Directory forum

    anyway ,by default no logging for faliure is logged in security event logs ,

    which means that failed authentication event is not going to be logged on your domain controller  , you will need to change that to audit for success and failure for account logon

    go to  default domain controller policy \Security Settings\Local Policies\Audit Policy\
    audit account logon event  ...enable failure , i think success is enabled by default

    you will have an event logged in your DC security log for whom is trying to authenticate with your account and a machine name where the authentication request comes from , you can then go to that machine and troubleshoot what is really happening

    please change that setting back once you identify the problem , there is a reason why this setting is by default disabled which is network traffic and performance in my opinion

    check that article for more info http://technet.microsoft.com/en-us/library/bb742435.aspx


    G
    • Marked as answer by lgalford Tuesday, April 13, 2010 1:18 PM
    Monday, April 12, 2010 11:08 PM

All replies

    • Marked as answer by lgalford Tuesday, April 13, 2010 1:18 PM
    Monday, April 12, 2010 10:57 PM
  • hello

    although i think you should have posted that in Active Directory forum

    anyway ,by default no logging for faliure is logged in security event logs ,

    which means that failed authentication event is not going to be logged on your domain controller  , you will need to change that to audit for success and failure for account logon

    go to  default domain controller policy \Security Settings\Local Policies\Audit Policy\
    audit account logon event  ...enable failure , i think success is enabled by default

    you will have an event logged in your DC security log for whom is trying to authenticate with your account and a machine name where the authentication request comes from , you can then go to that machine and troubleshoot what is really happening

    please change that setting back once you identify the problem , there is a reason why this setting is by default disabled which is network traffic and performance in my opinion

    check that article for more info http://technet.microsoft.com/en-us/library/bb742435.aspx


    G
    • Marked as answer by lgalford Tuesday, April 13, 2010 1:18 PM
    Monday, April 12, 2010 11:08 PM