Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How do I audit failed logon attempts in my 2008 R2 active directory

Posted on 2014-11-07
4
Medium Priority
?
308 Views
Last Modified: 2015-06-28
I am trying to record all of the failed logon attempts throughout my domain. I have Windows server 2008 R2 on my domain controllers. I want to see if anyone fails a logon within any of my 12 locations.
0
Comment
Question by:PCCUtech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 3

Expert Comment

by:roycbene
ID: 40428514
There is a tool from Microsoft called Account Lockout Status. A simple Google search will turn it up for you. This tool will not only display the number of bad password attempts for a specific user, it will also tell you which domain controller recorded the bad password attempts. There is another tool that comes with this called EventCombMT. This is a very invaluable tool. Instructions on how to use this tool are located here:

http://dougg.co.nz/2013/04/23/using-eventcombmt-with-2008-r2-to-find-what-is-locking-accounts/

With this, you can go through any one of the event viewer logs on any domain controller (or number of domain controllers) at one time with one click. The results will be output to a text file. This is unequivocally my go to for this type of issue. If there is anything else I can do, please let me know. Thanks!

Also, as a side note, don't forget that you an assign actions to events on each domain controller. Put another way, if an audit failure is recorded, assign an action to that error and set it to email you each time it occurs (just an example of one of the actions).
0
 

Accepted Solution

by:
PCCUtech earned 0 total points
ID: 40433288
Excellent, thank you. I will make use of these tools. I have taken a slightly different path with this one though. I have created a scheduled task for the event 4771 on my primary authentication server and am having that emailed to me. For now that will provide enough notification when a user attempts a logon with a bad password. Fortunately I don't have all that many emails coming in, but it allows me to see any users that are "repeat offenders".
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40855313
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Know what services you can and cannot, should and should not combine on your server.
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question