Windows AD account lockout tool replacements.....

Mackintire

What are my options:

So far I've found:

JiJi Account Lockout Tool 2.0
NetWrix Account Lockout Examiner 4.105.380


My specific need is to locate the machine, user and process that issued the lockout.
 

Demon10000

Eventcomb still works fine. Just have to adjust the event IDs for the machine the version of Active Directory that you're using. I believe 4740 is the ID you're looking for.
 

Demon10000

Eventcomb can still search for these events. Are you looking for something with more detail other than processing the domain controller security logs?
 

mmtom

Event 4768 is a normal event. It indicates Kerberos AS request for a ticket granting ticket (TGT). You should also see 4769 for Kerberos TGS requests.

How large is the environment? Seven a second may be normal depending on the number of DCs and the number of users and computers.
 

Mackintire

mmtom said:
> Event 4768 is a normal event. It indicates Kerberos AS request for a ticket granting ticket (TGT). You should also see 4769 for Kerberos TGS requests.
>
> How large is the environment? Seven a second may be normal depending on the number of DCs and the number of users and computers.

About 200 users and about 700 machines including VMs.

Event 4768 is recording a TGT request from a user account that does not exist. All the machines affected appear to be development boxes. The issue goes away for a while after those boxes are restarted.
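
Added example, not part of any post in the thread: a PowerShell sketch that pulls the two event IDs discussed above straight from the domain controller Security logs, listing the caller computer for each 4740 lockout and counting failed 4768 TGT requests for nonexistent accounts per source address. It assumes the RSAT ActiveDirectory module, read access to the DC Security logs, and a 24-hour look-back window.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and rights to read the Security log on the domain controllers.
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-24)          # look-back window (assumption)

function Get-EventField {
    # Turn an event's <EventData> into a name -> value hashtable.
    param($Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# 4740 (account locked out): the PDC emulator normally records every lockout.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $f = Get-EventField $_
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $f.TargetUserName
            CallerComputer = $f.TargetDomainName   # 4740 keeps the caller computer name here
        }
    } | Sort-Object Time | Format-Table -AutoSize

# Failed 4768 (TGT request) events for accounts that do not exist:
# Status 0x6 is KDC_ERR_C_PRINCIPAL_UNKNOWN. Count them per source address.
$auditFailure = 0x10000000000000           # "Audit Failure" keyword
Get-ADDomainController -Filter * | ForEach-Object {
    Get-WinEvent -ComputerName $_.HostName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4768; Keywords = $auditFailure; StartTime = $since }
} | ForEach-Object {
    $f = Get-EventField $_
    if ($f.Status -and [Convert]::ToInt32($f.Status, 16) -eq 6) {
        [pscustomobject]@{ Account = $f.TargetUserName; Source = $f.IpAddress }
    }
} | Group-Object Source, Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Neither event carries a process name, so the process has to be identified on the source machine these queries report.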
 