Need more information than Event Viewer offers

Someone on my network is locking out login ID's and trying to use the Guest account.  Is there something I can do or get to find out which computer this is happening at?  The event viewer is not giving me enough information.
Who is Participating?
rehanahmedsConnect With a Mentor Commented:
you have to use 3rd party software to keep track... like limit login...

its probably a good idea to keep the guest account blocked
If there is a failure audit in the Security log, it should contain a "source", to help in tracking the problem.....

Once you know the source, you can use some of MS's tools to figure out why it is being locked out....

Account Lockout and Management Tools
jtennysonAuthor Commented:
I get a lot of failure audits in the event viewer every day.  It tells me the IP address of the computer but it does not tell me the login ID being used.
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

jtennysonAuthor Commented:
I think what I am asking, is how do I get the event viewer to record and show what login ID is being used when there is a failure audit.  I want to know which computer is being used to login as guest, etc.
Then I can find out who is doing this.
use limit login its a third party tool there is no way windows is going to tell you from event viewer other then using 3rd party tools...
If you have the IP, then you should be able to find it easily....

Map to the hidden share...

\\IPAddress\c$, and look in Documetns and settings....

Or use this tool...


psloggedon \\IPAddress
rehanahmeds is correct about the aount of data you see....

Logon Type Codes Revealed

Another very useful link.....
All Courses

From novice to tech pro — start learning today.