Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

EventcombMT won't pull 4740 events from a remote domain controller.

Posted on 2014-09-12
4
Medium Priority
?
1,262 Views
Last Modified: 2014-09-17
We use EventcombMT to scan our domain controllers for Event 4740, which tells us what server/PC is causing a user to get locked out.

It runs fine when we run it from a domain controller.
But when I run it from my Windows 7 laptop logged on as a domain admin it successfully scans the exact same number of events but doesn't show any hits on 4740.

It appears to be the same number of event log entries scanned  and the same settings chosen in the search. But it gets results when run from the domain controller but none if we run it from out desktops/laptops.

Ideas?
0
Comment
Question by:Cardlytics
  • 2
  • 2
4 Comments
 
LVL 58

Expert Comment

by:McKnife
ID: 40319694
I encourage you to dump that old eventcomb.
Powershell is by far more flexible and compatible.

Sorry, I have no idea why it wouldn't work, we dumped eventcomb and dumpel.exe years ago.
0
 

Accepted Solution

by:
Cardlytics earned 0 total points
ID: 40320021
I ended up stumbling across an alternative. See the link below :
http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx

I changed his query batch to read :
del %temp%\query.txt
wevtutil qe Security "/q:*[System [(EventID=4740)]]" /f:text /rd:true /c:1 > %temp%\query.txt
 
The process outlined in that email above shoots us an email as soon as the account gets locked out. Keeps me from having to hunt it down. Pretty elegant I think.
0
 
LVL 58

Expert Comment

by:McKnife
ID: 40320711
Another alternative, neat, why not. Event-triggering is the best way here, right.
0
 

Author Closing Comment

by:Cardlytics
ID: 40327537
Found an alternate process. Google to the rescue!
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
High user turnover can cause old/redundant user data to consume valuable space. UserResourceCleanup was developed to address this by automatically deleting user folders when the user account is deleted.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

564 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question