You need to enable
Audit Account Logon Events - Failures
Audit Logon Events - Failures

Then dig through your logs looking for 681, 529, 675:

@echo off
echo %computername%
echo.
set file=%computername%.csv
if not %2*==* set file=%2
@echo Writing file - %file%
dumpel -l security -m security -e 681 529 675 -d %1 -c -format dtTCIus -f %file%

Now parse through those entries looking for logon failures. You should see some sort of failures; a quick and dirty perl script I have to tear through them is below. Your mileage may vary, but it has helped us track every lockout down to a machine so far... It does its job and it is a job we don't have to do very often anymore, so I haven't looked at cleaning up the code or making it nice or tight or anything else.

If you look on the PDC and it points at another DC, that generally means it is a pdc-chain, so you need to dump the logs on that DC and scan them as well.

I usually run this script like

Getinfo domaincontroller.csv | findstr /I "userid"

use strict;

# Input: the dumpel CSV written above (-c -format dtTCIus).
# Output, one line per failure: date;time;code;error;domain\user;workstation
while (<>) {
    chomp;
    s/\\//g;    # strip backslashes so DOMAIN\user does not break the patterns
    my @a = split /,/;
    my $date    = $a[0];
    my $time    = $a[1];
    my $code    = $a[4];
    my $idfield = $a[7];
    my ($user, $domain, $workstation, $error) = ("****", "****", "****", "****");

    if ($code eq 681) {
        # NTLM pre-authentication failure: user, workstation, numeric error code
        if ($idfield =~ /MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\s+([`=\$\w\.-]+?)\s+([`=\$ \w\.-]+?)\s+(\d+)/i) {
            $domain = "local"; $user = $1; $workstation = $2; $error = $3;
        } else {
            print "\aNOMATCH: $_\n";
            next;
        }
    } elsif ($code eq 675) {
        # Kerberos pre-authentication failure: user, realm from the krbtgt SPN, client IP
        if ($idfield =~ /([`=\$\w\.-]+?)\s+.+?krbtgt\/(\S+).+\s+([0-9.]+)/i) {
            $domain = $2; $user = $1; $workstation = $3; $error = "---";
        } else {
            print "**** $idfield\n";
        }
    } elsif ($code eq 529) {
        # Logon failure (unknown user name or bad password); three layouts seen in the wild
        if ($idfield =~ /([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+3 (NtlmSsp|Advapi)\s+.+\s+([`=\$\w\.-]+)/i) {
            $domain = $2; $user = $1; $workstation = $4; $error = $3;
        } elsif ($idfield =~ /([`=\$\w\.-]+?)\s+3 (NtlmSsp|Advapi).+\s+([`=\$\w\.-]+)/i) {
            $domain = "local"; $user = $1; $workstation = $3; $error = $2;
        } elsif ($idfield =~ /([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+2 User32 .+\s+([`=\$\w\.-]+)/i) {
            $domain = $2; $user = $1; $workstation = $3; $error = "User32";
        } else {
            print "\aNOMATCH: $idfield\n";
            # <STDIN>;    # uncomment to pause on each unmatched record
            next;
        }
    } else {
        print "[$_]\n";    # any other event id is echoed raw
    }
    print "$date;$time;$code;$error;$domain\\$user;$workstation\n";
}

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, March 11, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account lockouts

Question,

We have 3 domain controllers in a single forest, single domain environment running Windows 2000 Server. I have 2 domain accounts that constantly get locked out. I keep getting this error even after checking LDAP for duplicate accounts; I've moved the user account to a different OU and forced replication, etc. Also checked Microsoft KB, tried all suggestions. I've also had the user log off all terminal sessions, manually change the account password and then forced replication. I'm close to deleting and recreating the account.

Thanks in advance for any help!

Mike

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1083
Date: 3/10/2004
Time: 2:37:32 PM
User: Everyone
Computer: AD1
Description:
Replication warning: The directory is busy. It couldn't update object CN=XXXX,CN=Users,DC=Domain,DC=com with changes made by directory 800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try again later.

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
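The step after joe's script is still manual: tallying its date;time;code;error;domain\user;workstation output per user and workstation so the machine generating the bad passwords stands out, and spotting the pdc-chain case where the "workstation" is another DC whose log must be dumped next. This added example (not code from the thread) does that tally; the SAMPLE lines and the DC names are constructed.

```python
"""Tally joe's script output (date;time;code;error;domain\\user;workstation)
per user and workstation, and flag workstations that are themselves DCs."""
from collections import Counter

# Constructed sample in the Perl script's print format, not real log data.
SAMPLE = """\
3/10/2004;2:30:01 PM;529;NtlmSsp;DOMAIN\\jsmith;WS-SALES07
3/10/2004;2:30:04 PM;529;NtlmSsp;DOMAIN\\jsmith;WS-SALES07
3/10/2004;2:30:09 PM;675;---;DOMAIN.COM\\jsmith;10.1.5.77
3/10/2004;2:31:15 PM;681;3221225578;local\\jsmith;WS-SALES07
3/10/2004;2:32:40 PM;529;Advapi;DOMAIN\\jsmith;AD2
3/10/2004;2:33:02 PM;529;NtlmSsp;DOMAIN\\bjones;WS-HR03
"""


def parse(text):
    """Yield (user, workstation, event_id); skip NOMATCH/[raw] lines the script emits."""
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) != 6 or not parts[2].isdigit():
            continue
        user = parts[4].split("\\")[-1].lower()   # drop the domain/realm prefix
        yield user, parts[5].upper(), int(parts[2])


def failure_sources(text, dcs=()):
    """Return ((user, workstation), count) ranked by count, plus the workstations
    that are DCs (assumed list `dcs`): the pdc-chain case, dump their logs next."""
    dcs = {d.upper() for d in dcs}
    counts = Counter((u, w) for u, w, _ in parse(text))
    chain = sorted({w for (_, w) in counts if w in dcs})
    ranked = sorted(counts.items(), key=lambda kv: -kv[1])
    return ranked, chain


def likely_lockout(text, user, threshold):
    """Workstations whose failure count for `user` reaches the lockout threshold."""
    ranked, _ = failure_sources(text)
    return [w for (u, w), n in ranked if u == user.lower() and n >= threshold]


if __name__ == "__main__":
    ranked, chain = failure_sources(SAMPLE, dcs=["AD1", "AD2", "AD3"])
    for (u, w), n in ranked:
        print(f"{n:3d}  {u:<12} {w}")
    print("also dump the security log on:", chain)
```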