Windows AD account lockout tool replacements.....

Mackintire



What are my options:

So far I've found:

JiJi Account Lockout Tool 2.0
NetWrix Account Lockout Examiner 4.105.380


My specific need is to locate the machine, user and process that issued the lockout.
 
Eventcomb still works fine. Just have to adjust the event IDs for the machine the version of Active Directory that you're using. I believe 4740 is the ID you're looking for.
 
Eventcomb can still search for these events. Are you looking for something with more detail other than processing the domain controller security logs?
 
Event 4768 is a normal event. It indicates Kerberos AS request for a ticket granting ticket (TGT). You should also see 4769 for Kerberos TGS requests.

How large is the environment? Seven a second may be normal depending on the number of DCs and the number of users and computers.
 
About 200 users and about 700 machines including VMs.

Event 4768 is recording a TGT request from a user account that does not exist. All the machines affected appear to be development boxes. The issue goes away for a while after those boxes are restarted.
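
The event IDs discussed in this thread, as an added example that is not part of any post above: it reads the XML form of domain controller Security events and reports the locked-out account and caller computer from 4740, and the account and client address from failed 4768 TGT requests. The function name, the sample events, the account names and the `DC01` host name are assumptions made for illustration.

```powershell
# Added example (not from the thread). Parses the XML form of DC Security events:
# 4740 = account locked out, 4768 = Kerberos TGT (AS) request.
function ConvertFrom-AuthEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $doc  = [xml]$EventXml
    $id   = [int]$doc.SelectSingleNode("//*[local-name()='EventID']").InnerText
    $data = @{}
    foreach ($n in $doc.SelectNodes("//*[local-name()='Data']")) {
        $data[$n.GetAttribute('Name')] = $n.InnerText
    }
    switch ($id) {
        4740 {
            # In 4740 the "Caller Computer Name" is stored in the TargetDomainName field.
            [pscustomobject]@{ EventId = 4740; Account = $data['TargetUserName']
                Source = $data['TargetDomainName']; Status = $null }
        }
        4768 {
            # Status 0x0 is success; 0x6 means the requested account is unknown to the KDC.
            if ($data['Status'] -ne '0x0') {
                [pscustomobject]@{ EventId = 4768; Account = $data['TargetUserName']
                    Source = $data['IpAddress'] -replace '^::ffff:', ''; Status = $data['Status'] }
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used above. Not real log data.
$ns = 'xmlns="http://schemas.microsoft.com/win/2004/08/events/event"'
$samples = @(
    "<Event $ns><System><EventID>4740</EventID></System><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'>DEVBOX07</Data></EventData></Event>"
    "<Event $ns><System><EventID>4768</EventID></System><EventData><Data Name='TargetUserName'>svc_oldbuild</Data><Data Name='Status'>0x6</Data><Data Name='IpAddress'>::ffff:10.20.30.41</Data></EventData></Event>"
    "<Event $ns><System><EventID>4768</EventID></System><EventData><Data Name='TargetUserName'>svc_oldbuild</Data><Data Name='Status'>0x6</Data><Data Name='IpAddress'>::ffff:10.20.30.41</Data></EventData></Event>"
    "<Event $ns><System><EventID>4768</EventID></System><EventData><Data Name='TargetUserName'>asmith</Data><Data Name='Status'>0x0</Data><Data Name='IpAddress'>::ffff:10.20.30.12</Data></EventData></Event>"
)
$samples | ForEach-Object { ConvertFrom-AuthEventXml $_ } |
    Group-Object EventId, Account, Source, Status |
    Sort-Object Count -Descending | Select-Object Count, Name

# Live use against a domain controller (DC01 is a placeholder; needs Security log read rights):
# Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4768 } |
#     ForEach-Object { ConvertFrom-AuthEventXml $_.ToXml() }
```

Successful 4768 events are dropped, so the grouped output shows only lockouts and failed TGT requests, with the most frequent account and source pair first.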
 