Failed login attempts - how to determine source

Have over 200 failed login attempts daily on an AD account and not sure where they are coming from.  Whats the easiest way to see what the source is?

Thanks
LVL 1
rhwimmersAsked:
Who is Participating?
 
Leon FesterConnect With a Mentor Senior Solutions ArchitectCommented:
You can enable debug logging on the Netlogon service. This should help you locate the source of the logon requests. You'll need to enable logging on all your DC's where these users can be authenticated.
http://support.microsoft.com/kb/109626

In the event veiwer; When doing auditing you see all the events, however when viewing the logs in event viewer, simply right-click the log, click properties, select the filter tab and then only select the required filter for your view.
0
 
Joseph MoodyBlogger and wearer of all hats.Commented:
0
 
AnuroopsunddCommented:
check on the event viewer for

Event Type: Audit Failure
Event Source: Security
Event Category: Account Logon
Event ID: 680
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
ElixisCommented:
Here's some pretty helpful tools for tracking what machine is causing the lockout: http://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx
0
 
compdigit44Commented:
I had this same exact issue. The one way I was able to find the problem workstation causing one of my users account to get locked out was to use Network Monitor on my of my DC's. Unlock the users account and monitor the the users account status. As soon as the users account locked I stopped network monitor and filtered the results bases on authentication traffic.

good luck,,,
0
 
MilesLoganCommented:
Try the 30 day trial from this place .. easiest I have seen around .
http://www.netwrix.com/account_lockout_examiner.html
0
 
Prashant GirennavarCommented:
If you are talking about logon attempts made on the server , then you can easliy trace this out in security event logs.

Just to security event log which is got falied, Double click on it. It will show who has attempted to login.

If a user is trying to login to domain using workstation and not able to login , and security events are getting generated on a domain controller , then you can use Lockout.exe tool from microsoft which will tell on which DC the account got locked. GO to the DC, check the security event logs.

Security Event Logs will tell From which workstation accounts are logging in and producing problem.

Hope this Helps.

Regards,

_Prashant_
0
 
rhwimmersAuthor Commented:
great, thanks!
0
 
rhwimmersAuthor Commented:
Update -
The account getting locked out - but having hundreds of these every day

event id 529
login type 8
call process 1640

IP seems to be from 166.249.0.0/16 (an exact one would be 166.249.131.72)  The source port is different every time.
The tools mentioned thus far don't really help since the user is not being locked out.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.