Solved

How do I audit failed logon attempts in my 2008 R2 Active Directory?

Posted on 2014-11-07
4
225 Views
Last Modified: 2015-06-28
I am trying to record all of the failed logon attempts throughout my domain. I have Windows Server 2008 R2 on my domain controllers. I want to see if anyone fails a logon within any of my 12 locations.
0
Question by:PCCUtech
4 Comments
 
LVL 3

Expert Comment

by:roycbene
ID: 40428514
There is a tool from Microsoft called Account Lockout Status. A simple Google search will turn it up for you. This tool will not only display the number of bad password attempts for a specific user, it will also tell you which domain controller recorded the bad password attempts. There is another tool that comes with this called EventCombMT. This is a very invaluable tool. Instructions on how to use this tool are located here:

http://dougg.co.nz/2013/04/23/using-eventcombmt-with-2008-r2-to-find-what-is-locking-accounts/

With this, you can go through any one of the event viewer logs on any domain controller (or number of domain controllers) at one time with one click. The results will be output to a text file. This is unequivocally my go-to for this type of issue. If there is anything else I can do, please let me know. Thanks!

Also, as a side note, don't forget that you can assign actions to events on each domain controller. Put another way, if an audit failure is recorded, assign an action to that error and set it to email you each time it occurs (just an example of one of the actions).
0
 

Accepted Solution

by:
PCCUtech earned 0 total points
ID: 40433288
Excellent, thank you. I will make use of these tools. I have taken a slightly different path with this one though. I have created a scheduled task for the event 4771 on my primary authentication server and am having that emailed to me. For now that will provide enough notification when a user attempts a logon with a bad password. Fortunately I don't have all that many emails coming in, but it allows me to see any users that are "repeat offenders".
0
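
As an added example (not part of the original thread and not any poster's code): event 4771, the event used in the accepted solution, can be pulled from several domain controllers in one pass with PowerShell and grouped by user to surface the "repeat offenders". The domain controller names, the 24-hour window and the threshold are assumptions, and the script assumes Kerberos authentication failure auditing is enabled so that 4771 is logged.

```powershell
# Added example. DC01/DC02 are hypothetical placeholders, not names from the thread.
$DomainControllers = 'DC01', 'DC02'
$Since     = (Get-Date).AddHours(-24)   # look-back window (assumption)
$Threshold = 3                          # failures before a user is reported (assumption)

function ConvertFrom-Event4771 {
    # Flatten a 4771 record into an object using the named <Data> fields in its XML.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $xml  = [xml]$Record.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        New-Object PSObject -Property @{
            Time   = $Record.TimeCreated
            DC     = $Record.MachineName
            User   = $data['TargetUserName']
            Source = $data['IpAddress'] -replace '^::ffff:', ''  # strip IPv4-mapped prefix
            Status = $data['Status']                             # 0x18 = bad password
        }
    }
}

# Query every DC: a failed pre-authentication is logged only on the DC that handled it.
$failures = foreach ($dc in $DomainControllers) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4771; StartTime = $Since
        } | ConvertFrom-Event4771
    } catch {
        # Get-WinEvent also raises an error when no events match the filter.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

# One row per user at or above the threshold, with source addresses and reporting DCs.
$failures | Group-Object User |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Sources'; e = { ($_.Group | Select-Object -ExpandProperty Source -Unique) -join ', ' } },
        @{ n = 'DCs';     e = { ($_.Group | Select-Object -ExpandProperty DC -Unique) -join ', ' } },
        @{ n = 'Last';    e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize
```

The script avoids syntax newer than PowerShell 2.0, the version that ships with Windows Server 2008 R2. Reading the Security log remotely requires an account with rights to that log and the remote event log firewall rules enabled on each domain controller.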
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40855313
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
