Solved

How do I audit failed logon attempts in my 2008 R2 active directory

Posted on 2014-11-07
4
284 Views
Last Modified: 2015-06-28
I am trying to record all of the failed logon attempts throughout my domain. I have Windows server 2008 R2 on my domain controllers. I want to see if anyone fails a logon within any of my 12 locations.
0
Comment
Question by:PCCUtech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 3

Expert Comment

by:roycbene
ID: 40428514
There is a tool from Microsoft called Account Lockout Status. A simple Google search will turn it up for you. This tool will not only display the number of bad password attempts for a specific user, it will also tell you which domain controller recorded the bad password attempts. There is another tool that comes with this called EventCombMT. This is a very invaluable tool. Instructions on how to use this tool are located here:

http://dougg.co.nz/2013/04/23/using-eventcombmt-with-2008-r2-to-find-what-is-locking-accounts/

With this, you can go through any one of the event viewer logs on any domain controller (or number of domain controllers) at one time with one click. The results will be output to a text file. This is unequivocally my go to for this type of issue. If there is anything else I can do, please let me know. Thanks!

Also, as a side note, don't forget that you an assign actions to events on each domain controller. Put another way, if an audit failure is recorded, assign an action to that error and set it to email you each time it occurs (just an example of one of the actions).
0
 

Accepted Solution

by:
PCCUtech earned 0 total points
ID: 40433288
Excellent, thank you. I will make use of these tools. I have taken a slightly different path with this one though. I have created a scheduled task for the event 4771 on my primary authentication server and am having that emailed to me. For now that will provide enough notification when a user attempts a logon with a bad password. Fortunately I don't have all that many emails coming in, but it allows me to see any users that are "repeat offenders".
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40855313
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

New Windows 7 Installations take days for Windows-Updates to show up and install. This can easily be fixed. I have finally decided to write an article because this seems to get asked several times a day lately. This Article and the Links apply to…
After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question