|
|
Forum Newbie
      
Group: Forum Members
Last Login: 9/2/2016 11:52:54 AM
Posts: 2,
Visits: 0
|
|
Our PDC, running Windows 2012r2, is reporting about 150, 4740 events a day from about 10 different users on my network, some more than others and from the same caller computer. The users are not locked out of the computer and they are not reporting their as being locked out. I have checked the computers for services or scheduled tasks under their account names but have not been able to determine this reporting.
|
|
|
|
Supreme Being
      
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237,
Visits: 0
|
|
Are there corresponding unlock events? Are you seeing authentication failure events for these users? Can you supply a sanitized sample?
|
|
|
|
Forum Newbie
      
Group: Forum Members
Last Login: 2/17/2017 4:22:46 PM
Posts: 1,
Visits: 1
|
|
Hi, what's the final explanation of your issue? Thanks.
|
|
|
|
Forum Newbie
      
Group: Forum Members
Last Login: 3/10/2017 9:53:54 AM
Posts: 1,
Visits: 0
|
|
We use LEMS from solar winds that collect DC logs, I usually can search the logs for event " userdisabled" and find a user lockout and in the query it shows “source machine” which is the field I want to see where the lockout came from. This works 99% of the time, I run into this thing where “source machine” is blank. With “source machine” being blank, is this indicative of something outside of windows services?
|
|
|
|
Supreme Being
      
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237,
Visits: 0
|
|
This may be indicative of a non domain machine trying to log in. Would that be possible?
|
|
|
|