Ping a Specific Port

Question

JL.

Asked: 2011-03-24 04:17:53 +0800 CST2011-03-24 04:17:53 +0800 CST 2011-03-24 04:17:53 +0800 CST

How to find out where bad login attempt is coming from for a Domain Account (Windows 2008 Server R2)

772

I have an account that keeps getting locked out (a domain account).

I can see when the last bad login occurred and the bad login count = 5. What I want to determine is the IP address of the machine that is responsible for the bad logins.

How can I find this out?

1 Answers

Voted

Hyppy · Answer 1 · 2011-03-24T04:25:00+08:00

Best Answer

Hyppy

2011-03-24T04:25:00+08:002011-03-24T04:25:00+08:00

First, auditing of logon failures needs to be enabled. As a matter of practice, I've always put it in an enforced default domain policy, but you should at least have it applied to your domain controllers. The entry is called Audit Account Logon Events, and it only defaults to logging Success for some reason. Info on this setting is available from Microsoft on Technet here.

Once that is enabled, the security logs of the Domain Controller processing the login should contain the necessary information. Specifically, check for Failure Audits of Logon/Logoff Events. The username should be a column called User that you can sort/filter by to ease the search.

6

How to find out where bad login attempt is coming from for a Domain Account (Windows 2008 Server R2)

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Resolve host name from IP address

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?