Solved

EventcombMT won't pull 4740 events from a remote domain controller.

Posted on 2014-09-12
4
907 Views
Last Modified: 2014-09-17
We use EventcombMT to scan our domain controllers for Event 4740, which tells us what server/PC is causing a user to get locked out.

It runs fine when we run it from a domain controller.
But when I run it from my Windows 7 laptop logged on as a domain admin it successfully scans the exact same number of events but doesn't show any hits on 4740.

It appears to be the same number of event log entries scanned  and the same settings chosen in the search. But it gets results when run from the domain controller but none if we run it from out desktops/laptops.

Ideas?
0
Comment
Question by:Cardlytics
  • 2
  • 2
4 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 40319694
I encourage you to dump that old eventcomb.
Powershell is by far more flexible and compatible.

Sorry, I have no idea why it wouldn't work, we dumped eventcomb and dumpel.exe years ago.
0
 

Accepted Solution

by:
Cardlytics earned 0 total points
ID: 40320021
I ended up stumbling across an alternative. See the link below :
http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx

I changed his query batch to read :
del %temp%\query.txt
wevtutil qe Security "/q:*[System [(EventID=4740)]]" /f:text /rd:true /c:1 > %temp%\query.txt
 
The process outlined in that email above shoots us an email as soon as the account gets locked out. Keeps me from having to hunt it down. Pretty elegant I think.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 40320711
Another alternative, neat, why not. Event-triggering is the best way here, right.
0
 

Author Closing Comment

by:Cardlytics
ID: 40327537
Found an alternate process. Google to the rescue!
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Last week, our Skyport webinar on “How to secure your Active Directory” (https://www.experts-exchange.com/videos/5810/Webinar-Is-Your-Active-Directory-as-Secure-as-You-Think.html?cid=Gene_Skyport) provided 218 attendees with a step-by-step guide for…
This article shows the method of using the Resultant Set of Policy Tool to locate Group Policy that applies a particular setting.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question