Solved

Need to find out at what time and what machine a user account was locked out at

Posted on 2014-02-08
3
383 Views
Last Modified: 2014-03-29
Someone locked out a user account in Active Directory and I need to find out what time and from what machine it was locked out. I have already unlocked the account. I have a Server 2003 Domain Controller. Thanks in advance for the help.
0
Comment
Question by:schmida54017
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 23

Accepted Solution

by:
Patrick Bogers earned 500 total points
ID: 39844220
Put a filter on eventlog and look for Event 644 and 539
0
 
LVL 5

Expert Comment

by:Pankaj_401
ID: 39846580
"Account lockout tool" is the best option to find out "what time and from what machine" it was locked out. By this tool, You can get the complete information about the account lockout cause and status.
Further, if you wish to avoid such issues and get alert of all changes in AD, you can also check this software(http://www.activedirectoryaudit.com/) which would be a best practice and good choice for you.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 39846675
There is a tool from Microsoft to speed up this process:
EventCombMT is a multithreaded tool that you can use to search the event logs of several different computers for specific events, all from one central location. You can configure EventCombMT to search the event logs in a very detailed fashion. The following are some of the search parameters that you can specify:•Individual event IDs
•Multiple event IDs
•A range of event IDs
•An event source
•Specific event text
•How many minutes, hours, or days back to scan
Some specific search categories are built-in, such as Account Lockouts. The Account Lockouts search is preconfigured to include event IDs 529, 644, 675, 676, and 681. Additionally, you can add event ID 12294 to search for potential attacks against the Administrator account.
http://support.microsoft.com/kb/824209
0

Featured Post

Comparison of Amazon Drive, Google Drive, OneDrive

What is Best for Backup: Amazon Drive, Google Drive or MS OneDrive? In this free whitepaper we look at their performance, pricing, and platform availability to help you decide which cloud drive is right for your situation. Download and read the results of our testing for free!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question