How do I find source of account lockouts - event messages have spoofed machine names

Two or three times a day essentially all of my users are getting their account locked out. I suspect someone on my network has a virus that is trying to brute force passwords on my users. The trouble I am having is identifying the machine(s) that are involved in this. They are somehow spoofing the machine name so the security event shows a NetBIOS name that does not exist in my network.

I am running primarily Windows 7 workstations and laptops; and Windows 2008 R2 servers and domain controllers.

Any guidance on how to locate the source of this chaos will be much appreciated!
LVL 28
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Get the lockout tool from the link,

It includes/ids the DC that locked the account, then searching for the security events 4096 I think event on the referenced DC, it will include the source of the request using the event search tool included with the tool.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
The event id referenced might not be right,

Here is a ref what you need to do with the tool included...

Here is a link where it explains things
Muhammad BurhanManager I.T.Commented:
Have you tried Advance Audit Policy ?Audi_Lockout2.jpgAudi_Lockout.jpg
John TsioumprisSoftware & Systems EngineerCommented:
Netwrix account lockout examiner is free and gives plenty of information to nail down the problem...I had a Conflicker infection a couple a years ago and i managed to find the workstation which was causing this havoc with the help of this tool...
You can get it here
bgoeringAuthor Commented:
Thanks everyone for the input.

John, I am already running the (free version of) Netwrix ALE and it is less than useful at locating offending devices when the workstation name is spoofed or blank.

Muhammed - I have not set up the advanced auditing, but will look into that.

Arnold - The EventCombMT tool helped to narrow it down. It turned out that one of the firewall administrators had left our disaster recovery site essentially open to the Internet - and everyone was having fun.

Lockouts went away after closing the firewall. Will be having folks checking equipment there for any hint of a compromise.

Thanks again
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.