Determining IP address of machines that initiate a login that locks out an account
Occasionally, and more often lately, I have user accounts that lock out for no apparent reason. What I'm trying to figure out is an easy way to log or otherwise know the exact time and date user accounts get locked out, and from which computer and IP address the login attempt that locked out the account came. My fuzzy understanding is that some of this information might be in the Event Viewer, but that some kind of logging can be turned on on the DC and maybe a third-party utility used to filter all the noise that gets logged. Seems like this basic information should be much easier to get. Maybe what I want can't be had without tripping through layers of logging complexity, so if anyone can comment on this, it would be much appreciated.
March 17th, 2010 12:45am

Hi, use LockoutStatus.exe: http://www.microsoft.com/downloads/details.aspx?FamilyID=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en&displaylang=en Thank you.
March 17th, 2010 4:49pm

I have a VBScript program that displays information on all locked out users, linked here: http://www.rlmueller.net/LockedUsers.htm The program queries all Domain Controllers to determine which DC logged the bad password attempts for each user. Perhaps this will help. Richard Mueller, MVP ADSI
March 17th, 2010 5:55pm

I wanted to ask this again in hopes someone might be able to shed some light. To restate what I want to do: if an account is locked out, I want to be able to know from where this occurred. LockoutStatus.exe does not do this, nor does the VBScript that was suggested. If I have a hacker trying to get in externally through VPN or OWA, or internally with someone trying to log on to somebody else's Outlook or from a client on the network, there seems to be no central place to go that says that user John Doe's account lockout originated from IP address 192.168.0.75 at 8:32 a.m. on 3/30/10 and the network mechanism used to log on was OWA (or Windows Logon or VPN or whatever). Furthermore, playing around with Netlogon logs, those don't show any of this. Sometimes they'll show the originating machine name, but not always. If a lockout occurs from OWA, that's not logged in Netlogon logs at all! Lockouts from VPN or POP3 seem to show up in Netlogon logs, but not lockouts from LAN workstations. It's maddening that basic information like this is so obtuse to get. I did read in a KB somewhere that an event 675 is supposed to show the originating IP address, but when I test lockouts, that never posts in my Event Viewer logs. So is this situation just one of those Microsoft things, or is there a way to really get this information without an act of Congress?
March 30th, 2010 6:16pm

Hi, I wrote a document for account lockout: http://samehkhairy.blogspot.com/ Please refer to point B to determine the machine causing that
March 30th, 2010 8:18pm

I appreciate your feedback, but your document doesn't address my issue. Your article talks about the procedure to turn on Netlogon logging and how to read those logs. I mentioned in my earlier post that the information I'm looking for is not in the Netlogon logs. For example, there is no IP address. Occasionally there will be a machine name, but often it's missing (i.e. it's blank after the word "from"). Additionally, my tests show that lockouts from OWA and LAN clients locking out accounts at CTRL+ALT+DEL do not log here at all. The only kind of lockouts I see logged originate from either POP3 on Exchange or VPN. So if anyone that's familiar with the minutiae of Netlogon logging can advise me whether what I want is even possible, I'd be very interested. Thanks!
March 30th, 2010 9:54pm

Hi, make sure you have enabled "Audit Account Logon Events" and "Audit Logon Events" on the server. There is one third-party tool available to check account lockouts: "Netwrix Account Lockout Examiner". This tool gives you much information about lockout events. One more tool from Microsoft is available, EventCombMT, to analyse events using a saved event log file and also to search the event logs of several different computers for specific events, all from one central location. You can configure EventCombMT to search the event logs in a very detailed fashion. More details are available on http://support.microsoft.com/kb/824209 Regards..
April 1st, 2010 8:40am
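As an added illustration of what the auditing suggested above actually yields on a Windows Server 2008 DC (this is example code written for this thread, not a tool from the posters or from Microsoft): a PowerShell script that pulls each 4740 lockout from the PDC emulator and correlates it with the 4771 (Kerberos pre-auth failure, carries the client IP) and 4776 (NTLM validation, carries the source workstation) failures for the same user on every DC. It assumes the ActiveDirectory module, failure auditing of "Audit Account Logon Events" and "Audit Account Management" on the DCs, rights to read the Security log remotely, and the hypothetical helper name Get-EventField; on the Windows Server 2003 DCs in the thread the corresponding IDs are 644, 675 and 680 and the script would need adjusting.

```powershell
# Added example: correlate account lockouts (4740) with the failed logons that caused them.
Import-Module ActiveDirectory

# Hypothetical helper: read one named EventData field from an event's XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$window = 15   # minutes of failed-logon history to pull before each lockout (assumed value)
$pdc = (Get-ADDomain).PDCEmulator
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Every lockout in the domain is written as 4740 on the PDC emulator.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue

foreach ($lock in $lockouts) {
    $user   = Get-EventField $lock 'TargetUserName'
    $caller = Get-EventField $lock 'TargetDomainName'   # shown as "Caller Computer Name" in the 4740 message
    $since  = $lock.TimeCreated.AddMinutes(-$window)

    # 4771/4776 are logged only on the DC that processed the bad password, so ask all of them.
    $sources = foreach ($dc in $dcs) {
        $bad = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776; StartTime = $since; EndTime = $lock.TimeCreated
        } -ErrorAction SilentlyContinue
        foreach ($e in $bad) {
            if ((Get-EventField $e 'TargetUserName') -ne $user) { continue }
            # 4771 carries the client IP (often as ::ffff:a.b.c.d); 4776 carries the workstation name.
            $src = if ($e.Id -eq 4771) { Get-EventField $e 'IpAddress' } else { Get-EventField $e 'Workstation' }
            [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc; Id = $e.Id; Source = $src }
        }
    }

    Write-Output "$($lock.TimeCreated) lockout of $user, caller computer: $caller"
    $sources | Sort-Object Time | Format-Table -AutoSize | Out-String | Write-Output
}
```

For OWA, POP3 and other front-end services the DC only sees the Exchange or IIS server as the source, because that server performs the logon on the client's behalf; the end client's IP then has to be taken from that server's own IIS or protocol logs.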

I think the point of disconnect between my question and the responses I'm getting is that everyone is assuming that I have not configured Windows to audit logon events, lockouts, etc. I have done that. Trust me. If the data is not showing up in the Event Viewer or Netlogon logs, no third party tool is going to miraculously obtain it. And I don't need "more" information...I need "specific" information on "all" lockouts regardless of how they came to be. My issues have to do with the absence of IP addresses (again sometimes I see machine names and sometimes it's missing) and lockout events seem to only show up if a bad password was entered too many times on VPN or trying to access a pop3 mailbox. I don't see events logged at all if the account lockout originated from Outlook Web Access or a user on the LAN mis-entering their passwords too many times logging on to their workstation. To recap...auditing is on and it's collecting some lockout events but not all and it's not collecting the information I want...IP ADDRESS. So...once again I throw the line back out into the proverbial sea of IT.
April 1st, 2010 10:22pm

Hi, which version of OS is installed on the Server/DC? Regards..
April 5th, 2010 8:21am

We have both Windows Server 2008 and Windows Server 2003 for DCs (standard editions).
April 5th, 2010 4:18pm

Hi, Check this link ... http://support.microsoft.com/default.aspx/kb/899742?p=1 Regards...
April 6th, 2010 7:41am

Hi Ken, Event Viewer logs the information only if the application is intended to do so, which means not all applications can log events into Event Viewer, only those that are WMI aware or use an event manifest. What I suspect in your case is that you have created an account lockout policy, e.g. after 3 attempts to OWA the account should be locked out. Also you can try resetting IIS caching / the IIS token cache.
April 23rd, 2010 5:22am
