schmida54017
asked on
Need to find out at what time and what machine a user account was locked out at
Someone locked out a user account in Active Directory and I need to find out what time and from what machine it was locked out. I have already unlocked the account. I have a Server 2003 Domain Controller. Thanks in advance for the help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
There is a tool from Microsoft to speed up this process:
EventCombMT is a multithreaded tool that you can use to search the event logs of several different computers for specific events, all from one central location. You can configure EventCombMT to search the event logs in a very detailed fashion. The following are some of the search parameters that you can specify:•Individual event IDshttp://support.microsoft.com/kb/824209
•Multiple event IDs
•A range of event IDs
•An event source
•Specific event text
•How many minutes, hours, or days back to scan
Some specific search categories are built-in, such as Account Lockouts. The Account Lockouts search is preconfigured to include event IDs 529, 644, 675, 676, and 681. Additionally, you can add event ID 12294 to search for potential attacks against the Administrator account.
Further, if you wish to avoid such issues and get alert of all changes in AD, you can also check this software(http://www.activedirectory