timbo343 Posted March 23, 2010
I'm not sure if this has ever been asked on here, but is there a way to monitor failed logons on specific machines? For example, if Joe Bloggs is trying to guess Fred Smith's logon details on computer 1 and this is causing Fred to be locked out of the network during his logon session while working on computer 2? Some people here are trying to guess users' passwords, which is locking the other user out and is now starting to happen to members of staff. To be fair, it doesn't take much, just 10 presses of the enter key and they are locked out. Can anyone recommend anything? Thanks Tim
waldronm2000 Posted March 23, 2010
I believe you should be able to do this by setting an audit policy on the local PC to monitor failed "Logon" events as opposed to "Account Logon". You would then redirect your Event Viewer to remote view the logs of the suspected PC.
timbo343 Posted March 23, 2010
Hmmm, I thought of that, but it would be nice to know which PC it was the user was trying to log on to; otherwise it means checking every machine that was not in use at that time.
waldronm2000 Posted March 23, 2010
In that case monitor failed account logon events on your DCs, then filter the results of the DC event logs. I think you'd be looking for event 529, and the description field would contain the workstation's NetBIOS name.
Edited March 23, 2010 by waldronm2000
waldronm2000 Posted March 23, 2010
Oops, 529 is a logon event; you probably need event 675, but not sure as I don't have access to a DC at the moment.
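An added example, not part of any post in this thread: once failed-logon events have been exported from the DC security logs, this groups them by target account and source workstation to show which machine the guesses come from. The CSV column layout, the sample rows and the function names are assumptions made for the example; event IDs 529 and 675 and the 10-attempt threshold are the ones mentioned in the thread.

```python
import csv
import io
from collections import Counter, defaultdict

# Event IDs named in the thread; adjust to whatever your DCs actually log.
FAILED_LOGON_IDS = {"529", "675"}


def build_sample():
    """Constructed sample export (assumed column layout, not Event Viewer's own)."""
    rows = ["time,event_id,target_user,source_workstation"]
    # Ten failures against fsmith from COMPUTER1, the pattern described in the thread.
    rows += [f"2010-03-23 09:01:{s:02d},675,fsmith,COMPUTER1" for s in range(10)]
    rows.append("2010-03-23 09:05:00,675,FSmith,computer2")  # one genuine typo by the owner
    rows.append("2010-03-23 09:06:00,528,fsmith,COMPUTER2")  # successful logon, ignored
    rows.append("2010-03-23 09:07:00,675")                   # truncated row, skipped
    return "\n".join(rows) + "\n"


def failed_logons_by_source(export_text, event_ids=FAILED_LOGON_IDS):
    """Count failed logons per (target account, source workstation)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        event_id = (row.get("event_id") or "").strip()
        user = (row.get("target_user") or "").strip().lower()
        source = (row.get("source_workstation") or "").strip().upper()
        if event_id in event_ids and user and source:
            counts[(user, source)] += 1
    return counts


def suspect_sources(counts, threshold=10):
    """Map each account to the workstations with at least `threshold` failures."""
    result = defaultdict(list)
    for (user, source), attempts in counts.items():
        if attempts >= threshold:
            result[user].append((source, attempts))
    for user in result:
        result[user].sort(key=lambda pair: -pair[1])  # busiest source first
    return dict(result)


if __name__ == "__main__":
    for user, sources in suspect_sources(failed_logons_by_source(build_sample())).items():
        for source, attempts in sources:
            print(f"{user}: {attempts} failed logons from {source}")
```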
timbo343 Posted March 23, 2010
Right ok, thanks a lot. Will have a look. Ta