auditing 1 AD account


john

I have an AD account that keeps getting locked, not due
to user error. I am suspicious that something/someone is
trying to use this account, and the failed logins cause
the account lockout. Is there a way of auditing this 1
AD account so I can see when an attempt is made to logon
using this account, whether success or failure?

Thanks

John
 
I get this all the time. I have users who log into
multiple machines, and when it is time to change their
password, they invariably forget to log off of a machine
(or Terminal Services Session). When they change their
password, the "Ghost" logon will continue sending the old
password, locking out the account.

Use Event Comb to scrub your DC Security logs. This will
show you at what computer the user account is being locked
out. You can also use various tools (Hyena or PSTools) to
search for user logons on a Domain level.

Hope this helps.
David Sanders
 
We currently didn't have auditing on accounts set up.
However, on setting it up I realised it doesn't show the
workstation name the user is trying to log on at, which is
critical. There is just a blank for workstation name
(see below). Any idea why?

Thanks for the Event Comb tool, that saves me searching
all the DCs separately now!


540,AUDIT SUCCESS,Security,Thu Jul 03 12:04:16
2003,AD\cmsxgmm,Successful Network Logon:
User Name: cmsxgmm
Domain: AD
Logon ID: (0x0,0x82F1606)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: (null)
 
Blank workstation name usually means the login is coming from a non-Windows
machine. Can you send the entire event (there's a copy button when viewing
the event detail).

Eric

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.
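
An added example, not part of the thread and not a Microsoft tool: a Python script that reads exported Security events in the layout of the record posted above, filters them to one account, and tallies success and failure per Workstation Name, keeping blank names visible instead of dropping them. The sample records, host names, and the function names `parse_events` and `logon_sources` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the record posted above; the 529
# (logon failure) records, host names and times are made up for illustration.
SAMPLE = r"""540,AUDIT SUCCESS,Security,Thu Jul 03 12:04:16
2003,AD\cmsxgmm,Successful Network Logon:
User Name: cmsxgmm
Domain: AD
Logon Type: 3
Workstation Name:
529,AUDIT FAILURE,Security,Thu Jul 03 12:05:02 2003,NT AUTHORITY\SYSTEM,Logon Failure:
Reason: Unknown user name or bad password
User Name: cmsxgmm
Workstation Name: TS-EXAMPLE-01
529,AUDIT FAILURE,Security,Thu Jul 03 12:05:09 2003,NT AUTHORITY\SYSTEM,Logon Failure:
User Name: cmsxgmm
Workstation Name: TS-EXAMPLE-01
529,AUDIT FAILURE,Security,Thu Jul 03 12:06:30 2003,NT AUTHORITY\SYSTEM,Logon Failure:
User Name: otheruser
Workstation Name: WS-EXAMPLE-02
529,AUDIT FAILURE,Security,Thu Jul 03 12:07:11 2003,NT AUTHORITY\SYSTEM,Logon Failure:
User Name: CMSXGMM
Workstation Name:
"""

HEADER = re.compile(r"^(\d+),(AUDIT (?:SUCCESS|FAILURE)),")  # starts a new event
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")             # "Key: value" detail line

def parse_events(text):
    """Split the export into one dict per event; wrapped header tails are ignored."""
    events = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            events.append({"Event ID": m.group(1), "Result": m.group(2)})
        elif events and (f := FIELD.match(line)):
            events[-1][f.group(1).strip()] = f.group(2).strip()
    return events

def logon_sources(events, user):
    """Count (result, workstation) pairs for one account, case-insensitively."""
    counts = Counter()
    for ev in events:
        if ev.get("User Name", "").lower() != user.lower():
            continue
        counts[(ev["Result"], ev.get("Workstation Name") or "<blank>")] += 1
    return counts
```

Calling `logon_sources(parse_events(SAMPLE), "cmsxgmm")` gives the per-source tally; a source with repeated failures is the first machine to check for a stale session, and `<blank>` rows are the ones to follow up on separately.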
 