Paul Wagner asked:

Locate Source of Failed AD Authentication

Windows Server 2012 Datacenter
AD 2012

I have an account used for authenticating software with AD that keeps getting locked out.
I have unlocked the account but it got locked out right away.

How would I locate the machine that is attempting to authenticate in AD using that account?
ASKER CERTIFIED SOLUTION
Chris
This solution is only available to members.
Paul Wagner

ASKER

I've used the LockoutStatus and EventCombMT tools. We have two DCs and neither shows events for the account being locked out or having failed attempts. I've tried connecting by using the LDP utility and am getting mixed results: one attempt shows the server as down, another says authentication failed and the last one permitted me to authenticate.

My primary concern is locating the machine or software that is attempting to authenticate using that account and then locking it out. What would I specifically do in the Account Lockout tools to find that information?
SOLUTION
This solution is only available to members.

The lockout tool, as I recall, will tell you which Domain Controller locked the account. Then you have to go to that DC and look at the security event logs. If memory serves me, you're looking for either Event ID "4771" or Event ID "4740". (Filter the log to just look for these.)

To my knowledge, there isn't a tool that can interrogate a domain controller and find out a machine that is repeatedly using a credential and locking that credential out...
It was Event 4625: An account failed to log on
Albert Widjaja
What about Netwrix Account Lockout Examiner?
I'll check it out. Sounds cool.
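
The event-log search discussed in this thread (Event IDs 4740, 4771 and 4625), as an added example that is not part of any post: it tallies where the attempts for one account came from, across Security-log events exported as XML. The account name, host names, addresses and sample events are constructed, and the parser assumes the export is a run of `<Event>` elements with no root element.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

# EventData field(s) that identify where the attempt came from, per event ID.
# In 4740 the "Caller Computer Name" is stored in the TargetDomainName field.
SOURCE_FIELDS = {"4740": ("TargetDomainName",), "4771": ("IpAddress",),
                 "4625": ("WorkstationName", "IpAddress")}

def lockout_sources(xml_text, account):
    """Count (event ID, logging host, source) for events that name `account`."""
    # Assumption: no root element in the export, so wrap the events in one.
    root = ET.fromstring("<Events>" + xml_text + "</Events>")
    hits = Counter()
    for ev in root.findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", namespaces=NS)
        if eid not in SOURCE_FIELDS:
            continue
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != account.lower():
            continue
        # First populated candidate field; "-" means the field was not recorded.
        source = next((data[f] for f in SOURCE_FIELDS[eid]
                       if data.get(f, "-") not in ("", "-")), "unknown")
        # Strip the IPv4-mapped IPv6 prefix that DCs often log for 4771.
        source = source[7:] if source.startswith("::ffff:") else source
        host = ev.findtext("e:System/e:Computer", namespaces=NS)
        hits[(eid, host, source)] += 1
    return hits

def _event(eid, computer, **data):
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{eid}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample events (built with _event); every value here is made up.
SAMPLE = "".join([
    _event(4740, "DC01.corp.example", TargetUserName="svc-app", TargetDomainName="APP07"),
    _event(4771, "DC01.corp.example", TargetUserName="svc-app", IpAddress="::ffff:10.0.5.21"),
    _event(4625, "APP07.corp.example", TargetUserName="svc-app",
           WorkstationName="-", IpAddress="10.0.5.40") * 2,
    _event(4625, "APP07.corp.example", TargetUserName="other", WorkstationName="PC1"),
])

for key, n in lockout_sources(SAMPLE, "svc-app").most_common():
    print(n, *key)
```

Event 4625 is written on the machine where the logon was attempted, so the Security logs of member servers need exporting as well as those of the DCs.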