User Locked Out - Who's Attempting to do it? 1

[Stevehewitt]

Hi Guys,

I'm not too sure what to do with this. Our domain policy is to lock a user account out for 30 minutes after three invalid logon attempts.

Everytime this user starts work (shift work so it's either 12-midday or 9am) she phones me up saying her account is locked out. I renable the account and she logs back in straight away - so she knows what her password is.

How can I tell the logons attempted using this account? If I can trace it to a PC at a certian time I can find out who is doing this to her account.

Cheers,


Steve.

"They have the internet on computers now!" - Homer Simpson

 

[aftertaf]

You can use audit policy, for failed logon attempts...

step by step :

http://support.gfi.com/manuals/en/l...eroffailedlogonattemptsforaparticularuser.htm

microsoft info:

http://www.microsoft.com/technet/pr...elp/e104c96f-e243-41c5-aaea-d046555a079d.mspx

this should sort you steve...


Aftertaf
________
Regain control of your PC, at

http://www.debian.org

If you break your hard drive, it'll be DPlank's fault

 

[nokker]

Look at it in Security in the event viewer at your DC.
You should be able to se logon/logoff audits pr. user.

Regards Tommy

 

[Stevehewitt]

Thanks for those guys. We've made some security changes in the last week (Renamed Admin account to something else, and created a honeypot Admin user). However I didn't change the permissions on a script that runs every 60 seconds and....

You can imagine that mess in the event logs!

Can't see anything at the moment, however I've cleared the logs and changed the permissions on the script - keep an eye out for event 525.

Cheers Guys,




Steve.

"They have the internet on computers now!" - Homer Simpson