Solved

How do I audit failed logon attempts in my 2008 R2 active directory

Posted on 2014-11-07
Last Modified: 2015-06-28
I am trying to record all of the failed logon attempts throughout my domain. I have Windows Server 2008 R2 on my domain controllers. I want to see if anyone fails a logon within any of my 12 locations.
Question by:PCCUtech
4 Comments
 
LVL 3

Expert Comment

by:roycbene
ID: 40428514
There is a tool from Microsoft called Account Lockout Status. A simple Google search will turn it up for you. This tool will not only display the number of bad password attempts for a specific user, it will also tell you which domain controller recorded the bad password attempts. There is another tool that comes with this called EventCombMT. This is a very invaluable tool. Instructions on how to use this tool are located here:

http://dougg.co.nz/2013/04/23/using-eventcombmt-with-2008-r2-to-find-what-is-locking-accounts/

With this, you can go through any one of the event viewer logs on any domain controller (or number of domain controllers) at one time with one click. The results will be output to a text file. This is unequivocally my go to for this type of issue. If there is anything else I can do, please let me know. Thanks!

Also, as a side note, don't forget that you can assign actions to events on each domain controller. Put another way, if an audit failure is recorded, assign an action to that error and set it to email you each time it occurs (just an example of one of the actions).
0
 

Accepted Solution

by:
PCCUtech earned 0 total points
ID: 40433288
Excellent, thank you. I will make use of these tools. I have taken a slightly different path with this one though. I have created a scheduled task for the event 4771 on my primary authentication server and am having that emailed to me. For now that will provide enough notification when a user attempts a logon with a bad password. Fortunately I don't have all that many emails coming in, but it allows me to see any users that are "repeat offenders".
0
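
One way to extend the event 4771 approach above to every domain controller, as an added example that is not part of the original thread: it reads 4771 events from each DC's Security log and lists user/client pairs with repeated bad-password failures. The 24-hour window and the threshold of 3 are assumed values, and it assumes the ActiveDirectory module is installed and failure auditing for Kerberos authentication is already enabled.

```powershell
# Added example: summarize Kerberos pre-authentication failures (event 4771)
# from every domain controller. Needs the ActiveDirectory module and rights
# to read the Security log on each DC.
Import-Module ActiveDirectory

$since     = (Get-Date).AddHours(-24)   # assumed look-back window
$threshold = 3                          # assumed "repeat offender" cut-off

$failures = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        Get-WinEvent -ComputerName $dc.HostName -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4771; StartTime = $since
        } | ForEach-Object {
            # Collect the named EventData fields from the event XML
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            New-Object PSObject -Property @{
                Time   = $_.TimeCreated
                DC     = $dc.HostName
                User   = $data['TargetUserName']
                # IPv4 clients are logged as IPv4-mapped IPv6 addresses
                Client = $data['IpAddress'] -replace '^::ffff:', ''
                Status = $data['Status']
            }
        }
    } catch {
        # Raised when the DC is unreachable and also when no events match
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}

# Status 0x18 is the Kerberos pre-authentication failure code for a bad password
$failures |
    Where-Object { $_.Status -eq '0x18' } |
    Group-Object User, Client |
    Where-Object { $_.Count -ge $threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A single account failing from many clients, or a single client failing against many accounts, stands out in this output in a way that per-event emails do not.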
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40855313
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
