Well I have written an NT service in PERL that monitors the DC for account lockouts and can fire off an email when it sees one saying what server the failed lockouts were attempted from, but I wrote it specifically for my environment and I would need to customize it for you (no big deal; just need the domain name and dc name, mail server address, and recipient list).

Aside from that, if you just look at the event log on the dc for the lockout event (Event ID 644), in the details for that event it will list the computer which issued the lockouts (like, if the lockout occurred through too many failures to authenticate to the web server, the web server will be listed in the event details. You can then look at the web server event logs and IIS logs to determine what's going on).

Henry

-----Original Message-----
From: David Demers [mailto:david.demers@xxxxxxxxxxxxxxx]
Sent: Friday, December 12, 2003 10:25 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Account lock tracking

I have an account that is getting locked out on a regular basis. This user changed the password recently (about the time the problem started... go figure). I believe the user is still logged in somewhere or has some other connection/services that are trying to use their old password and periodically cause the lock-out. However I am having a tough time tracking it down.

I remember being peripherally involved with another admin several years ago in developing a script that polled DC's and logged information about user connections... and I believe an approach like that could work for me in this situation, but before I start scratching my head over that, I thought I might ask you guys if you had a better approach.. or perhaps knew of a script I could get my hands on and modify to my needs.

Thanks for any input.

-David