Solved

Tracking failed Logon attempts

Posted on 2015-02-09
3
32 Views
Last Modified: 2016-06-23
Running a Windows domain with two Server 2012 Domain Controllers.  Currently, our domain lockout policy is 10 failed attempts locks you out for an hour.  

Problem is, the domain account for one of the partners here (after changing network password) is getting locked out every other day or so.  Assumption is something he uses (or used) to communicate with network is still trying...on its own...to connect using old password.  There are only three devices he communicates to network with:

Smart Phone - He is getting mail on phone still, so that seems to be communicating with the Exchange server properly.
Desktop - shut down most evenings, but once logged in, should stay logged in and communicate normally.
Home Laptop - Apple system he uses to connect to office via remote desktop.

Basically, I can't find anything of his trying to connect to office that can't connect unless account gets locked, but can once again as soon as account is unlocked in Active Directory.

Is there a configuration to track logon attempts by an account to the domain?  I tried enabling the audit policy in Group Policy (Audit Policy (Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy)), but when I view the Security log in Event viewer, I'm met with thousands of non-specific (or at least non-specific to my needs) logon and logoff attempts.

Is there a program or setting that can track failed logon attempts to a domain (at the domain controller level) so we can maybe get a time frame for when these failed attempts are occurring to help us track it down.

Unless, of course, somebody has a different idea for what could be causing these lockouts and how we could track it down?
0
Comment
Question by:J4sstrom
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40598969
Failed and Successful login attempts are logged on the domain controller Security Logs where authentication is taking place. If you have multiple domain controllers in your environment this can be tricky to pin point natively going through the logs.

I recommend doing the following below...
- make sure that auditing is enabled on the default domain controllers policy.
- Increase the security log file size (so it doesn't get overwritten)
- use a 3rd party product like AD Audit Plus (http://www.manageengine.com/products/active-directory-audit/download.html)

The software above is a free trial for 30 days. If you have auditing enabled it will tell you exactly where your account is locking out on.

You can also use software for Auditing Active Directory from Lepide Software
http://www.lepide.com/lepideauditor/active-directory.html

Will.
0
 

Author Comment

by:J4sstrom
ID: 40598981
Auditing is enabled
Log file is significant enough to go back a week or more, so not getting overwritten in short-term
I'll try those downloads, they seem like what I'm looking for.  Will report on those after some testing

Thank you
0

Featured Post

Forrester Webinar: xMatters Delivers 261% ROI

Guest speaker Dean Davison, Forrester Principal Consultant, explains how a Fortune 500 communication company using xMatters found these results: Achieved a 261% ROI, Experienced $753,280 in net present value benefits over 3 years and Reduced MTTR by 91% for tier 1 incidents.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
In this Micro Tutorial viewers will learn how they can get their files copied out from their unbootable system without need to use recovery services. As an example non-bootable Windows 2012R2 installation is used which has boot problems.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question