Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 333
  • Last Modified:

How do I audit failed logon attempts in my 2008 R2 active directory

I am trying to record all of the failed logon attempts throughout my domain. I have Windows server 2008 R2 on my domain controllers. I want to see if anyone fails a logon within any of my 12 locations.
0
PCCUtech
Asked:
PCCUtech
1 Solution
 
roycbeneCommented:
There is a tool from Microsoft called Account Lockout Status. A simple Google search will turn it up for you. This tool will not only display the number of bad password attempts for a specific user, it will also tell you which domain controller recorded the bad password attempts. There is another tool that comes with this called EventCombMT. This is a very invaluable tool. Instructions on how to use this tool are located here:

http://dougg.co.nz/2013/04/23/using-eventcombmt-with-2008-r2-to-find-what-is-locking-accounts/

With this, you can go through any one of the event viewer logs on any domain controller (or number of domain controllers) at one time with one click. The results will be output to a text file. This is unequivocally my go to for this type of issue. If there is anything else I can do, please let me know. Thanks!

Also, as a side note, don't forget that you an assign actions to events on each domain controller. Put another way, if an audit failure is recorded, assign an action to that error and set it to email you each time it occurs (just an example of one of the actions).
0
 
PCCUtechAuthor Commented:
Excellent, thank you. I will make use of these tools. I have taken a slightly different path with this one though. I have created a scheduled task for the event 4771 on my primary authentication server and am having that emailed to me. For now that will provide enough notification when a user attempts a logon with a bad password. Fortunately I don't have all that many emails coming in, but it allows me to see any users that are "repeat offenders".
0
 
Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now