We help IT Professionals succeed at work.

Locate Source of Failed AD Authentication

99 Views
Last Modified: 2017-03-16
Windows Server 2012 Datacenter
AD 2012

I have an account used for authenticating a software with AD that keeps getting locked out.
I have unlocked the account but it got locked out right away.

How would I locate the machine that is attempting to authenticate in AD using that account?
Comment
Watch Question

Sr. Systems Engineer
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Paul WagnerPrincipal Consultant
CERTIFIED EXPERT

Author

Commented:
I've used the lockoutstatus and eventcombmt tools. We have two DCs and neither show events for the account being locked out or having failed attempts. I've tried connecting by using the LDP utility and am getting mixed results: one attempt shows the server as down, another says authentication failed and the last one permitted me to authenticate.

My primary concern is locating the machine or software that is attempting to authenticate using that account and then locking it out. What would I specifically do in the Account Lockout tools to find that information?
Paul WagnerPrincipal Consultant
CERTIFIED EXPERT
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
ChrisSr. Systems Engineer

Commented:
the lockout tool as I recall, will tell you which Domain Controller locked the account. Then you have to go to that DC, and look at the security event logs. If memory serves me, you're looking for either Event ID "4771", or Event ID "4740". (Filter the log to just look for these.)

To my knowledge, There isn't a tool, that can interrogate a domain controller, and find out a machine that is repeatedly using a credential, and locking that credential out...
Paul WagnerPrincipal Consultant
CERTIFIED EXPERT

Author

Commented:
It was Event 4625: An account failed to log on
Senior IT System EngineerSenior Systems Engineer
CERTIFIED EXPERT

Commented:
What about Netwrix, Account Lockout Examiner ?
Paul WagnerPrincipal Consultant
CERTIFIED EXPERT

Author

Commented:
I'll check it out. Sounds cool.

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.