Solved

Failed login attempts - how to determine source

Posted on 2012-04-09
9
1,406 Views
Last Modified: 2012-04-26
Have over 200 failed login attempts daily on an AD account and not sure where they are coming from.  Whats the easiest way to see what the source is?

Thanks
0
Comment
Question by:rhwimmers
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 22

Expert Comment

by:Joseph Moody
ID: 37824043
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37824047
check on the event viewer for

Event Type: Audit Failure
Event Source: Security
Event Category: Account Logon
Event ID: 680
0
 
LVL 2

Expert Comment

by:Elixis
ID: 37824050
Here's some pretty helpful tools for tracking what machine is causing the lockout: http://technet.microsoft.com/en-us/library/cc738772(v=ws.10).aspx
0
Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

 
LVL 20

Expert Comment

by:compdigit44
ID: 37825751
I had this same exact issue. The one way I was able to find the problem workstation causing one of my users account to get locked out was to use Network Monitor on my of my DC's. Unlock the users account and monitor the the users account status. As soon as the users account locked I stopped network monitor and filtered the results bases on authentication traffic.

good luck,,,
0
 
LVL 2

Expert Comment

by:MilesLogan
ID: 37825970
Try the 30 day trial from this place .. easiest I have seen around .
http://www.netwrix.com/account_lockout_examiner.html
0
 
LVL 10

Expert Comment

by:Prashant Girennavar
ID: 37826585
If you are talking about logon attempts made on the server , then you can easliy trace this out in security event logs.

Just to security event log which is got falied, Double click on it. It will show who has attempted to login.

If a user is trying to login to domain using workstation and not able to login , and security events are getting generated on a domain controller , then you can use Lockout.exe tool from microsoft which will tell on which DC the account got locked. GO to the DC, check the security event logs.

Security Event Logs will tell From which workstation accounts are logging in and producing problem.

Hope this Helps.

Regards,

_Prashant_
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 175 total points
ID: 37826728
You can enable debug logging on the Netlogon service. This should help you locate the source of the logon requests. You'll need to enable logging on all your DC's where these users can be authenticated.
http://support.microsoft.com/kb/109626

In the event veiwer; When doing auditing you see all the events, however when viewing the logs in event viewer, simply right-click the log, click properties, select the filter tab and then only select the required filter for your view.
0
 
LVL 1

Author Closing Comment

by:rhwimmers
ID: 37884340
great, thanks!
0
 
LVL 1

Author Comment

by:rhwimmers
ID: 37899769
Update -
The account getting locked out - but having hundreds of these every day

event id 529
login type 8
call process 1640

IP seems to be from 166.249.0.0/16 (an exact one would be 166.249.131.72)  The source port is different every time.
The tools mentioned thus far don't really help since the user is not being locked out.
0

Featured Post

Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question