+ Post New Thread
Results 1 to 6 of 6
Windows Thread, Monitor Failed logons on specific machines in Technical; Im not sure if this has ever been asked on here but is there a way to monitor failed logons ...
  1. #1
    timbo343's Avatar
    Join Date
    Dec 2005
    Location
    Leeds/York area, North Yorkshire
    Posts
    3,098
    Thank Post
    314
    Thanked 296 Times in 206 Posts
    Rep Power
    122

    Monitor Failed logons on specific machines

    Im not sure if this has ever been asked on here but is there a way to monitor failed logons on specific machines. For example, if Joe Bloggs is trying to guess Fred Smith's logon details on computer 1 and this is causing Fred to be locked out of the network during his logon session while working on computer 2?

    Some people here are trying to guess users passwords which is locking the other user out and is now starting to happen to members of staff. To be fair it doesnt take much, just 10 presses of the enter key and they are locked out.

    Can anyone recommend anything?

    Thanks

    Tim

  2. #2
    waldronm2000's Avatar
    Join Date
    Dec 2009
    Location
    Southend
    Posts
    129
    Thank Post
    49
    Thanked 12 Times in 11 Posts
    Rep Power
    12
    I believe you should be able to do this by setting an audit policy on the local PC to monitor failed "Logon" events as opposed to "Account Logon". You would then redirect your Event Viewer to remote view the logs of the suspected PC.

  3. #3
    timbo343's Avatar
    Join Date
    Dec 2005
    Location
    Leeds/York area, North Yorkshire
    Posts
    3,098
    Thank Post
    314
    Thanked 296 Times in 206 Posts
    Rep Power
    122
    hmmm, i thought of that but it would be nice to know which PC it was the user was trying to logon to, otherwise it means checking every machine that was not in use at that time.

  4. #4
    waldronm2000's Avatar
    Join Date
    Dec 2009
    Location
    Southend
    Posts
    129
    Thank Post
    49
    Thanked 12 Times in 11 Posts
    Rep Power
    12
    In that case monitor failed account logon events on your DCs, then filter the results of the DC event logs. I think you'd be looking for event 529, and the description field would contain the workstation's NetBIOS name.
    Last edited by waldronm2000; 23rd March 2010 at 11:31 AM.

  5. #5
    waldronm2000's Avatar
    Join Date
    Dec 2009
    Location
    Southend
    Posts
    129
    Thank Post
    49
    Thanked 12 Times in 11 Posts
    Rep Power
    12
    Oops, 529 is a logon event; you probably need event 675, but not sure as I don't have access to a DC at the moment.

  6. #6
    timbo343's Avatar
    Join Date
    Dec 2005
    Location
    Leeds/York area, North Yorkshire
    Posts
    3,098
    Thank Post
    314
    Thanked 296 Times in 206 Posts
    Rep Power
    122
    Right ok, thanks alot Will have a look.

    Ta

SHARE:
+ Post New Thread

Similar Threads

  1. Stopping logons
    By SpuffMonkey in forum Windows Server 2000/2003
    Replies: 11
    Last Post: 31st July 2009, 09:54 AM
  2. Limit Logons to machines
    By Mr_M_Cox in forum Windows
    Replies: 7
    Last Post: 20th May 2008, 02:29 PM
  3. Log logons
    By FN-GM in forum Scripts
    Replies: 18
    Last Post: 29th April 2008, 12:00 AM
  4. Concurrent logons
    By mrforgetful in forum Wireless Networks
    Replies: 7
    Last Post: 28th February 2008, 05:33 PM
  5. Really slow logons
    By dezt in forum Wireless Networks
    Replies: 8
    Last Post: 28th August 2007, 08:43 AM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •