View logon failures with computer identification

Posted on 2009-04-16
Last Modified: 2013-12-06
I am looking for something that will give me details for logon failures on my 2008 domain controllers. I need to see what computers are being used for these failures. When I look at the event viewer, it does not give me the details I need. I would like the name of the computer, but the IP address would do. Am I not setting up the event viewer correctly, or is there a product (not too expensive) that I can get? I am having a problem with account lockouts and I need to know who is doing this.
Question by:jtennyson
    LVL 7

    Expert Comment

    Account lockouts can occur when some computers in the Active Directory domain perform a DDoS attack due to lack of security patches.

    We received a lot of account lockouts during the months of Feb & March, but most of them were resolved when we deployed the patches:

    KB 958644
    KB 958687

    I would sincerely suggest that you patch all your workstations ASAP and also update whether you are currently hosting a WSUS server in your network.

    Author Comment

    My workstations are patched.  Certain accounts are being locked out.  I need to be able to find out what computer is being used to try and log in under these accounts.
    LVL 1

    Accepted Solution

    Download the Account Lockout Tools from Microsoft.

    The EventCombMT in particular is useful. You can set it to search for events within a certain time period, and it has built-in queries for lockout events. It also will allow you to export to .CSV for easy searching.
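
The same kind of search (lockout and failed-logon events within a time window, exported to CSV) can also be run with PowerShell's Get-WinEvent. This is an added example, not part of the original answer: the domain controller names are placeholders, and it assumes PowerShell 3.0 or later and that failure auditing for account logon and account management events is enabled on the domain controllers.

```powershell
# Added example, not from the original thread. Run from an elevated prompt with
# rights to read the Security log on each domain controller.
# Assumption: the names below are placeholders; replace them with your own DCs.
$DomainControllers = @('DC01', 'DC02')
$Since = (Get-Date).AddHours(-24)

# 4740 = account locked out, 4771 = Kerberos pre-authentication failed,
# 4776 = NTLM credential validation (Status 0x0 is a success and is skipped).
$Ids = 4740, 4771, 4776

$results = foreach ($dc in $DomainControllers) {
    $filter = @{ LogName = 'Security'; Id = $Ids; StartTime = $Since }
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the named EventData fields instead of relying on positions.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($_.Id -eq 4776 -and $data['Status'] -eq '0x0') { return }

            # Each event type records the originating machine in a different field.
            $source = switch ($_.Id) {
                4740 { $data['TargetDomainName'] }   # displayed as "Caller Computer Name"
                4771 { $data['IpAddress'] -replace '^::ffff:', '' }
                4776 { $data['Workstation'] }
            }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                EventId = $_.Id
                Account = $data['TargetUserName']
                Source  = $source
                Status  = $data['Status']
            }
        }
}

# Counts per account and source point at the machine generating the failures.
$results | Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name

$results | Sort-Object Time | Export-Csv -Path .\logon-failures.csv -NoTypeInformation
```

Lockout events (4740) are written on the domain controller that processed the lockout and on the PDC emulator, so include the PDC emulator in the list of servers queried.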
