Need more information than Event Viewer offers

Someone on my network is locking out login IDs and trying to use the Guest account. Is there something I can do or get to find out which computer this is happening at? The Event Viewer is not giving me enough information.
jtennyson Asked:

rehanahmeds Commented:
You have to use 3rd-party software to keep track... like limit login...

It's probably a good idea to keep the Guest account blocked.
0

johnb6767 Commented:
If there is a failure audit in the Security log, it should contain a "source", to help in tracking the problem.....

Once you know the source, you can use some of MS's tools to figure out why it is being locked out....

Account Lockout and Management Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
0
jtennyson Author Commented:
I get a lot of failure audits in the event viewer every day.  It tells me the IP address of the computer but it does not tell me the login ID being used.
0
jtennyson Author Commented:
I think what I am asking, is how do I get the event viewer to record and show what login ID is being used when there is a failure audit.  I want to know which computer is being used to login as guest, etc.
Then I can find out who is doing this.
0
rehanahmeds Commented:
Use limit login; it's a third-party tool. There is no way Windows is going to tell you from Event Viewer other than using 3rd-party tools...
0
johnb6767 Commented:
If you have the IP, then you should be able to find it easily....

Map to the hidden share...

\\IPAddress\c$, and look in Documents and Settings....

Or use this tool...

PsLoggedOn
http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx

psloggedon \\IPAddress
0
johnb6767 Commented:
rehanahmeds is correct about the amount of data you see....

Logon Type Codes Revealed
http://www.windowsecurity.com/articles/Logon-Types.html

Another very useful link.....
0
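Added example, not part of the thread and not code from any of its participants: one way to tally failure audits by source address, workstation and account, which is the pairing the asker wants. It assumes Windows Vista / Server 2008 or later, where failed logons are Security event 4625 with the EventData fields named below; the sample events are constructed.

```powershell
# Added example. Event ID 4625 and the EventData field names are assumptions
# about Windows Vista / Server 2008 and later; they are not from the thread.
function ConvertFrom-FailureAuditXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $evt = ([xml]$EventXml).Event
    # EventData is a flat list of <Data Name="...">value</Data>; index by name.
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $evt.System.TimeCreated.SystemTime
        Account     = $data['TargetUserName']
        LogonType   = $data['LogonType']
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
    }
}

function Get-FailureAuditSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    # One row per (source IP, workstation, account), busiest source first.
    $EventXml | ForEach-Object { ConvertFrom-FailureAuditXml -EventXml $_ } |
        Group-Object SourceIp, Workstation, Account |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events: documentation-range IPs, made-up hosts and accounts.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4625</EventID><TimeCreated SystemTime="{0}"/></System>' +
    '<EventData><Data Name="TargetUserName">{1}</Data>' +
    '<Data Name="LogonType">3</Data>' +
    '<Data Name="WorkstationName">{2}</Data>' +
    '<Data Name="IpAddress">{3}</Data></EventData></Event>'
$samples = @(
    @('2024-01-15T08:01:12Z', 'Guest',  'PC-FRONTDESK', '192.0.2.10'),
    @('2024-01-15T08:01:15Z', 'Guest',  'PC-FRONTDESK', '192.0.2.10'),
    @('2024-01-15T08:01:19Z', 'jsmith', 'PC-FRONTDESK', '192.0.2.10'),
    @('2024-01-15T09:40:02Z', 'mjones', 'PC-LAB3',      '192.0.2.44')
) | ForEach-Object { $template -f $_ }

Get-FailureAuditSummary -EventXml $samples | Format-Table -AutoSize

# Live use, from an elevated prompt on the machine logging the failures:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 500 |
#     ForEach-Object { $_.ToXml() }
# Get-FailureAuditSummary -EventXml $xml
```

Failure events are only written if logon failure auditing is enabled on the machine that processes the logon, so an empty result means checking the audit policy first.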