4625 Expand / Collapse
Author
Message
Posted 4/24/2014 12:38:43 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 5/11/2009 1:09:42 PM
Posts: 3, Visits: 0
I'm trying to find out the source of  a locked out service account. In our SIEM tool I can find where the lockouts started, but I con't find the actual logon attempts that would have triggered the lockout.

I'm trying to understand why the DCs know the account requesting the authentication but not from where it was being requested. The DC that is reporting the event is also the SourceWorkstation. The Account name is the name of the DC followed by $.

Post #1339
Posted 5/2/2014 10:03:13 AM
Supreme Being

Supreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
The Event ID 4740 is the event that is generated when an account is locked out. There is a property called "Caller Computer Name" which should identify the computer that the lockout originated from.
Post #1341
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 8:33am