Tracking bad password count Expand / Collapse
Author
Message
Posted 9/27/2012 12:34:45 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 10/3/2012 10:10:51 AM
Posts: 2, Visits: 1
When we are trying to analyze why a particular user has been locked out we can find the event 644 which says when the number of attempts had passed the allowed limit.

What we can not see easily amongst all the events is when the count gets incremented.  This would help to pin down when the cause is related to VPN or mobile devices.

Is there an event logged when the count is incremented showing time and which domain controller incremented the count.

Thanks

Post #1108
Posted 10/3/2012 10:20:32 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 10/3/2012 10:10:51 AM
Posts: 2, Visits: 1
Thanks for the reply but it doesn't really help with the retrospective analysis we are doing.

We can see all the bad password requests but unless you can see the bad password count change it isn't clear which events contribute .

Given Microsoft does not count attempts where the password is one of your last 2 good passwords it becomes quite difficult to see the wood from the trees.

Also it isn't clear if we have missed a source feed into our log aggregation tool (I don't believe we have) but obviously if we could see the bad password count increase without an event record that would be instructive.

We also find that we have 2 or 3 event records pertaining to the same event - i.e. just an increment of 1 to the bad password count but it isn't always clear if we should be assuming 1 , 2 or 3 increments at this time.

So without an actual event being logged on bad password increments we are fighting in the midst of a fog.

 

Regards Jamie

Post #1112
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 2:15am