?
Solved

EventcombMT won't pull 4740 events from a remote domain controller.

Posted on 2014-09-12
4
Medium Priority
?
1,088 Views
Last Modified: 2014-09-17
We use EventcombMT to scan our domain controllers for Event 4740, which tells us what server/PC is causing a user to get locked out.

It runs fine when we run it from a domain controller.
But when I run it from my Windows 7 laptop logged on as a domain admin it successfully scans the exact same number of events but doesn't show any hits on 4740.

It appears to be the same number of event log entries scanned  and the same settings chosen in the search. But it gets results when run from the domain controller but none if we run it from out desktops/laptops.

Ideas?
0
Comment
Question by:Cardlytics
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 56

Expert Comment

by:McKnife
ID: 40319694
I encourage you to dump that old eventcomb.
Powershell is by far more flexible and compatible.

Sorry, I have no idea why it wouldn't work, we dumped eventcomb and dumpel.exe years ago.
0
 

Accepted Solution

by:
Cardlytics earned 0 total points
ID: 40320021
I ended up stumbling across an alternative. See the link below :
http://blogs.technet.com/b/jhoward/archive/2010/06/16/getting-event-log-contents-by-email-on-an-event-log-trigger.aspx

I changed his query batch to read :
del %temp%\query.txt
wevtutil qe Security "/q:*[System [(EventID=4740)]]" /f:text /rd:true /c:1 > %temp%\query.txt
 
The process outlined in that email above shoots us an email as soon as the account gets locked out. Keeps me from having to hunt it down. Pretty elegant I think.
0
 
LVL 56

Expert Comment

by:McKnife
ID: 40320711
Another alternative, neat, why not. Event-triggering is the best way here, right.
0
 

Author Closing Comment

by:Cardlytics
ID: 40327537
Found an alternate process. Google to the rescue!
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Suggested Courses
Course of the Month11 days, 14 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question