aduiting user acount

[Guest]

I got 3 domain controllers in our domain. I configured audit policy settings
for user account events. When I review corresponding user events in security
logs on either of domain controllers. I have to check out security logs of
all domain controllers. This method is very time-consuming and not
successful. What exactly I need to do is to learn why specific user's account
is locked sometimes. which process lock out this user's account. How to
monitor this user's activities.
My suggestion: Just auditting his own computer could not be good idea.
Because this user account may run the service on another computer which I
don't know.
If this is the case How can I find out?
System administrators, please help

I would be grateful...

 

[Kevin D. Goodknecht Sr. [MVP]]

I got 3 domain controllers in our domain. I configured audit policy
settings for user account events. When I review corresponding user
events in security logs on either of domain controllers. I have to
check out security logs of all domain controllers. This method is
very time-consuming and not successful. What exactly I need to do is
to learn why specific user's account is locked sometimes. which
process lock out this user's account. How to monitor this user's
activities.
My suggestion: Just auditting his own computer could not be good idea.
Because this user account may run the service on another computer
which I don't know.
If this is the case How can I find out?
System administrators, please help

I would be grateful...

Do you have auditing turned on in the security log?
When a client connects to a DC to authenticate, it will create an entry in
the security log, giving the IP of the client.
I would first suspect a scheduled task with the wrong passoword, but it
could also be a saved in the Advanced tab of user accounts in XP. (Click the
manage passwords button)

 

[Guest]

Hello,
I told that I could review security logs on either of DCs. What else do I
have to do to turn on.However I could not see any ip of the client. The
computer that user log on is XP home edition and reformated.there is a
outlook 2003 running on this computer.
How can I find out what process locks out this account? Shall I checkout DC
or Local computer's security log. By the way, is there way to make this user
account authenticate with only one DC it's hard to search for security logs
of both DCs

 

[Guest]

Hi,

Even i too had the same problem. My users get locked often without any
reason.But i found that this was not happening due to wrong passwords.I tried
to use a account lock out tool which i download from the microsoft site. But
that proved to be of no use. Now i am using a new server with new domain. Now
i dont have any problems. I did this in no way.

 

[Kevin D. Goodknecht Sr. [MVP]]

Hello,
I told that I could review security logs on either of DCs. What else
do I have to do to turn on.However I could not see any ip of the
client.

Look for a failure entries on DCs. All failure audits have either the
workstation name or IP address. You can filter the failures in the event
log.

The computer that user log on is XP home edition and
reformated.there is a outlook 2003 running on this computer.
How can I find out what process locks out this account?

There may be a way to do this from the client, but I don't know of it. On
Windows server OS's, IIS logs its account failures in the system log and
Exchange logs its Account failures in the Application log.

Shall I
checkout DC or Local computer's security log. By the way, is there
way to make this user account authenticate with only one DC it's hard
to search for security logs of both DCs

It won't be in the local computer's security log.

In control panel, User Accounts, select the Advanced tab, click the manage
passwords button, you will see a list of sites and servers with saved
passwords. Delete or edit entries for the server's name.
Since this is XP Home I would supect it would have to be a saved password,
because XP home cannot authenticate with a domain any other way, other than
as a guest.