Tracking failed Logon attempts
Posted on 2015-02-09
Running a Windows domain with two Server 2012 Domain Controllers. Currently, our domain lockout policy is 10 failed attempts locks you out for an hour.
Problem is, the domain account for one of the partners here (after changing network password) is getting locked out every other day or so. Assumption is something he uses (or used) to communicate with network is still trying...on its own...to connect using old password. There are only three devices he communicates to network with:
Smart Phone - He is getting mail on phone still, so that seems to be communicating with the Exchange server properly.
Desktop - shut down most evenings, but once logged in, should stay logged in and communicate normally.
Home Laptop - Apple system he uses to connect to office via remote desktop.
Basically, I can't find anything of his trying to connect to office that can't connect unless account gets locked, but can once again as soon as account is unlocked in Active Directory.
Is there a configuration to track logon attempts by an account to the domain? I tried enabling the audit policy in Group Policy (Audit Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy)), but when I view the Security log in Event Viewer, I'm met with thousands of non-specific (or at least non-specific to my needs) logon and logoff attempts.
Is there a program or setting that can track failed logon attempts to a domain (at the domain controller level) so we can maybe get a time frame for when these failed attempts are occurring to help us track it down?
Unless, of course, somebody has a different idea for what could be causing these lockouts and how we could track it down?
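
An added example, not part of the original post: one way to cut the Security log down to a single account is to pull only the lockout and failed-authentication events from every domain controller and list when they occurred and where they came from. It assumes the ActiveDirectory PowerShell module is installed, the caller can read the Security log on each DC, auditing for these events is enabled, and `jsmith` is a placeholder for the affected account.

```powershell
# Assumptions (not from the original post): ActiveDirectory RSAT module present,
# rights to read the Security log on every DC, 'jsmith' is a placeholder name.
Import-Module ActiveDirectory

$Account = 'jsmith'                   # placeholder sAMAccountName
$Since   = (Get-Date).AddDays(-3)     # look-back window
# 4740 = account locked out
# 4771 = Kerberos pre-authentication failed
# 4776 = NTLM credential validation (also logged on success)
$Ids     = 4740, 4771, 4776

# Read one named <Data> field from the event's XML payload.
function Get-EventField {
    param([xml]$Xml, [string]$Name)
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$results = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $filter = @{ LogName = 'Security'; Id = $Ids; StartTime = $Since }
    # Get-WinEvent raises an error when nothing matches; ignore that per DC.
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        if ((Get-EventField $xml 'TargetUserName') -ne $Account) { continue }

        $status = Get-EventField $xml 'Status'
        # Skip successful NTLM validations (Status 0x0).
        if ($e.Id -eq 4776 -and $status -eq '0x0') { continue }

        # The field naming the originating machine differs per event ID.
        $source = switch ($e.Id) {
            4740 { Get-EventField $xml 'TargetDomainName' }  # caller computer
            4771 { Get-EventField $xml 'IpAddress' }         # client address
            4776 { Get-EventField $xml 'Workstation' }       # client name
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            DC      = $dc
            EventId = $e.Id
            Source  = $source
            Status  = $status
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
```

The `Source` column on the 4740 rows names the machine the lockout was attributed to, and the timestamps of the preceding 4771/4776 rows give the time frame of the failed attempts.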