[THIN] Re: Account lock tracking

  • From: Henry Sieff <hsieff@xxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Fri, 12 Dec 2003 13:27:07 -0600

Well I have written an NT service in PERL that monitors the DC for account
lockouts and can fire off an email when it sees one saying what server the
failed lockouts were attempted from, but I wrote it specifically for my
environment and I would need to customize it for you (no big deal; just need
the domain name and dc name, mail server address, and recipient list).
 
Aside from that, you can just look at the event log on the DC for the lockout
event (Event ID 644). In the details for that event, it will list the
computer which issued the lockouts (like, if the lockout occurred through too
many failures to authenticate to the web server, the web server will be
listed in the event details. You can then look at the web server event logs
and IIS logs to determine what's going on).
 
Henry
 
 -----Original Message-----
From: David Demers [mailto:david.demers@xxxxxxxxxxxxxxx]
Sent: Friday, December 12, 2003 10:25 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Account lock tracking



I have an account that is getting locked out on a regular basis. This user
changed the password recently (about the time the problem started... go
figure). I believe the user is still logged in somewhere or has some other
connection/services that are trying to use their old password and
periodically causes the lock-out. However I am having a tough time tracking
it down.

I remember being peripherally involved with another admin several years ago
in developing a script that polled DCs and logged information about user
connections... and I believe an approach like that could work for me in this
situation, but before I start scratching my head over that, I thought I
might ask you guys if you had a better approach.. or perhaps knew of a
script I could get my hands on and modify to my needs.

Thanks for any input. 

-David 
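
The manual check described in the reply above (find Event ID 644 on the DC and read the issuing computer from its details) can be tallied across many events. This Python code is an added example, not part of the original thread and not the Perl service mentioned in it; it assumes the 644 descriptions were exported to text with the `Target Account Name` and `Caller Machine Name` field labels, and the sample records and names are constructed.

```python
import re
from collections import Counter

# Constructed sample: description text of three Event ID 644 records exported
# from a DC's Security log (names made up; other fields of each record omitted).
SAMPLE_EXPORT = """\
User Account Locked Out:
    Target Account Name: jdoe
    Caller Machine Name: WEB01

User Account Locked Out:
    Target Account Name: jdoe
    Caller Machine Name: web01

User Account Locked Out:
    Target Account Name: asmith
    Caller Machine Name:
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_lockouts(text):
    """Return one dict of fields per 'User Account Locked Out' record."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip().startswith("User Account Locked Out"):
            current = {}
            records.append(current)
        elif not line.strip():
            current = None  # a blank line ends the current record
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2)
    return records

def lockout_sources(records, account=None):
    """Count lockouts per (account, caller machine), optionally for one account."""
    counts = Counter()
    for r in records:
        user = r.get("Target Account Name", "")
        if account and user.lower() != account.lower():
            continue
        # Host names are case-insensitive; an empty caller field is kept visible.
        caller = r.get("Caller Machine Name", "").upper() or "(blank)"
        counts[(user, caller)] += 1
    return counts

if __name__ == "__main__":
    for (user, caller), n in lockout_sources(parse_lockouts(SAMPLE_EXPORT)).most_common():
        print(f"{user:10} locked out via {caller:10} x{n}")
```

The machine with the highest count for the affected account is the one whose own event logs (and IIS logs, for a web server) are worth reading next.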
