Where can I check to see if someone is trying to use the president's logon
account? His account is needing to be unlocked daily for the past week. Is
this a sign of a hacker in our firewall?

What can I do to check?

I have looked on the logs on the servers, but I am not able to find anything
in the logs.

Re: User account always locking out by Jonathan

Jonathan
Wed Sep 06 18:07:24 CDT 2006

Have you enabled auditing of account logon events? I'm assuming you are
using a Win2k Server-based network... If it is not enabled then nothing will
appear in event viewer - and I think by default Auditing is disabled.


Re: User account always locking out by ScottSendelbach

ScottSendelbach
Wed Sep 06 18:26:01 CDT 2006

We are using a Server 2000/2003 AD domain.

Re: User account always locking out by ScottSendelbach

ScottSendelbach
Wed Sep 06 18:33:01 CDT 2006

I am looking on the security log properties in event viewer and it looks like
it is recording failure audits, but there are no logon failures on any of the
servers.

Am I looking in the wrong place?

Re: User account always locking out by Roger

Roger
Thu Sep 07 01:11:36 CDT 2006

You need to make sure that logon/logoff auditing is enabled,
and then look in the security log of all domain controllers.
(this is assuming that the pres is using a domain account).
Once you have the login failure events, they will identify the
machine from which the authentication was triggered. On
that machine, look for persistent shares, scheduled tasks,
services running as that account, or cached network creds
(control keymgr.dll).


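The correlation described in the reply above (take each lockout, then see which machine the preceding logon failures came from), as an added example that is not part of the original thread. The rows are constructed sample data standing in for events exported from every DC's security log; the tuple layout and all machine and account names are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Security-log event IDs on Windows 2000/2003 DCs, with the Server 2008+ equivalents.
LOCKOUT_IDS = {644, 4740}                   # account locked out (Account management)
FAILURE_IDS = {529, 675, 681, 4625, 4771}   # failed logon / Kerberos pre-auth / NTLM

# Constructed sample rows, merged from the security logs of two DCs:
# (time, DC that logged it, event ID, account, source machine). All names are made up.
EVENTS = [
    ("2006-09-07 08:01:10", "DC1", 675, "president", "WS-EXEC01"),
    ("2006-09-07 08:01:40", "DC2", 675, "president", "WS-EXEC01"),
    ("2006-09-07 08:02:00", "DC1", 675, "jsmith",    "WS-0042"),
    ("2006-09-07 08:02:05", "DC1", 529, "President", "FILESRV2"),
    ("2006-09-07 08:02:30", "DC2", 675, "president", "WS-EXEC01"),
    ("2006-09-07 08:02:31", "DC2", 644, "president", "WS-EXEC01"),
    ("2006-09-07 14:30:00", "DC1", 644, "president", ""),
]

def lockout_sources(events, account, window_minutes=30):
    """For each lockout of `account`, tally the failures in the preceding window by source."""
    rows = sorted(
        (datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), dc, eid, src)
        for t, dc, eid, acct, src in events
        if acct.lower() == account.lower()      # account names are case-insensitive
    )
    report = []
    for when, dc, eid, _ in rows:
        if eid not in LOCKOUT_IDS:
            continue
        start = when - timedelta(minutes=window_minutes)
        tally = Counter(src for t, _, e, src in rows
                        if e in FAILURE_IDS and start <= t <= when)
        report.append((when, dc, tally.most_common()))
    return report

if __name__ == "__main__":
    for when, dc, sources in lockout_sources(EVENTS, "president"):
        if sources:
            print(f"{when} lockout on {dc}: failures from {sources}")
        else:
            # A lockout with no failures behind it: failure auditing is not
            # effective on some DC, or that DC's log was not collected.
            print(f"{when} lockout on {dc}: no failure events, check audit policy on every DC")
```

The second lockout in the sample has no failure events behind it, which is the situation reported later in this thread and points at the audit policy rather than at the logs.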

Re: User account always locking out by ScottSendelbach

ScottSendelbach
Thu Sep 07 11:01:03 CDT 2006

This may sound like a rookie question, but where do I go to make sure that
logon/logoff auditing is enabled for the domain? He is using a domain account
to log on.

Re: User account always locking out by ScottSendelbach

ScottSendelbach
Thu Sep 07 11:10:01 CDT 2006

Never mind. I found it in the GPO. It is set to log failures already. Where
else should I check?

Re: User account always locking out by ScottSendelbach

ScottSendelbach
Thu Sep 07 17:00:02 CDT 2006

I have looked on all the DCs and their security logs, but nothing is showing
up indicating an invalid logon attempt using his logon credentials from any
computer.

Re: User account always locking out by Roger

Roger
Thu Sep 07 19:37:42 CDT 2006

OK.
In the GPO that applies to the domain controllers, in the Audit policy
you will see two logon audits - one is for logon to the DCs, the other
is for logons elsewhere with domain accounts (sorry, I tend to confuse
them, but IIRC Account logon events is what you need to make sure
is enabled for logins to other than the DCs - but keep in mind that the
lockout could be from such as attempts to access shares on a DC,
i.e. enable both). You probably also should enable Account management
as I think that is the category under which the lockout event cuts its
event log message.
You should also make sure that the GPO you are looking at is effective,
that is, that there is no higher priority GPO that might be setting these
differently.
If the logon event auditings are enabled and effective then you should
be seeing login failure events in the security log.
See if the following also helps, although often one can find a cause
without going to as much work as this indicates
http://go.microsoft.com/fwlink/?linkid=16174
Also, check into LockoutStatus.exe via link at bottom.

You may also find interest in
http://support.microsoft.com/kb/824209/en-us

Roger