You need to enable 

Audit Account Logon Events - Failures
Audit Logon Events - Failures

Then dig through your logs looking for 681, 529, 675

@echo off
rem Dump security-log logon failures (events 681, 529, 675) from the last %1 days
rem into a CSV named after this machine, or into the file given as %2.
echo %computername%
echo.

set file=%computername%.csv
if not %2*==* set file=%2

@echo Writing file - %file%

dumpel -l security -m security -e 681 529 675 -d %1 -c -format dtTCIus -f %file%


Now parse through those entries looking for logon failures. You should see
some sort of failures; a quick and dirty perl script I have to tear through
them is below. Your mileage may vary but it has helped us track every lockout
down to a machine so far... It does its job and it is a job we don't have to do
very often anymore so I haven't looked at cleaning up the code or making it
nice or tight or anything else.

If you look on the PDC and it points at another DC that generally means it
is a pdc-chain so you need to dump the logs on that DC and scan them as
well. 

I usually run this script like

Getinfo domaincontroller.csv | findstr /I "userid"


#!/usr/bin/perl
# Reads dumpel -c output (one event per line) and prints one summary line per
# failed logon: date;time;eventid;error;domain\user;workstation
use strict;
use warnings;

while (<>)
 {
  chomp;

  s/\\//g;                      # strip backslashes (DOMAIN\user -> DOMAINuser)
  my @a=split/,/;
  my $date=$a[0];
  my $time=$a[1];
  my $code=$a[4];               # event id
  my $idfield=$a[7];            # the event's insertion strings

  my $user="****";
  my $domain="****";
  my $workstation="****";
  my $error="****";

  if ($code eq 681)             # NTLM logon failure: package, user, workstation, error code
   {
    if ($idfield=~/MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\s+([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+(\d+)/i)
     {
      $domain="local";
      $user=$1;
      $workstation=$2;
      $error=$3;
     }
    else
     {
      print "\aNOMATCH: $_\n";
      next;
     }
   }
  elsif ($code eq 675)          # Kerberos pre-auth failure: user ... krbtgt/REALM ... client IP
   {
    if ($idfield=~/([`=\$\w\.-]+?)\s+.+?krbtgt\/(\S+).+\s+([0-9.]+)/i)
     {
      $domain=$2;
      $user=$1;
      $workstation=$3;
      $error="---";
     }
    else
     {
      print "**** $idfield\n";
     }
   }
  elsif ($code eq 529)          # bad user name/password: user, domain, logon type, logon process ... workstation
   {
    if ($idfield=~/([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+3 (NtlmSsp|Advapi)\s+.+\s+([`=\$\w\.-]+)/i)
     {
      $domain=$2;
      $user=$1;
      $workstation=$4;
      $error=$3;
     }
    elsif ($idfield=~/([`=\$\w\.-]+?)\s+3 (NtlmSsp|Advapi).+\s+([`=\$\w\.-]+)/i)
     {
      $domain="local";
      $user=$1;
      $workstation=$3;
      $error=$2;
     }
    elsif ($idfield=~/([`=\$\w\.-]+?)\s+([`=\$\w\.-]+?)\s+2 User32 .+\s+([`=\$\w\.-]+)/i)
     {
      $domain=$2;
      $user=$1;
      $workstation=$3;
      $error="User32";
     }
    else
     {
      print "\aNOMATCH: $idfield\n";
      # <STDIN>;
      next;
     }
   }
  else {print "[$_]\n"; next;}  # not one of the three event ids we dumped

  print "$date;$time;$code;$error;$domain\\$user;$workstation\n";
 }

-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
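
The same three-event triage in Python, added here as an example that is not part of the reply or of joeware: it uses the field layout the Perl script indexes (event id in field 5, insertion strings in field 8, which is an assumption about the dumpel output), maps the 681/675 failure codes the script leaves as a bare number or "---", and counts failures per user and source machine so the box that is locking the account out stands out. The sample lines are constructed.

```python
import re
from collections import Counter
# Column layout as the Perl above indexes it (event id field 5, strings field 8); Windows 2000 string order:
#   681: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 <user> <workstation> <NTSTATUS, decimal>
#   675: <user> <SID> krbtgt/<REALM> <preauth type> <failure code, hex> <client IP>
#   529: <user> <domain> <logon type> <logon process> <auth package> <workstation>
TOKEN = r"[\w$=.`-]+"
PATTERNS = {
    "681": re.compile(rf"MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\s+({TOKEN})\s+({TOKEN})\s+(\d+)", re.I),
    "675": re.compile(rf"({TOKEN})\s+\S+\s+krbtgt/(\S+)\s+\S+\s+(0x[0-9a-f]+)\s+([0-9.]+)", re.I),
    "529": re.compile(rf"({TOKEN})\s+({TOKEN})\s+\d+\s+(NtLmSsp|Advapi)\s+\S+\s+({TOKEN})", re.I),
}
REASONS = {  # NTSTATUS as 681 logs it (decimal) and Kerberos codes as 675 logs them (hex)
    "3221225578": "wrong password (0xC000006A)",
    "3221226036": "account locked out (0xC0000234)",
    "0x18": "wrong password (KDC_ERR_PREAUTH_FAILED)",
    "0x12": "account locked out or disabled (KDC_ERR_CLIENT_REVOKED)",
}

def parse_line(line):
    """Return (user, domain, source, reason) for one dumpel line, or None if it is not a parsable failure."""
    fields = line.rstrip("\n").replace("\\", "").split(",")  # drop backslashes like the Perl's s/\\//g
    if len(fields) < 8 or fields[4] not in PATTERNS:
        return None
    code, match = fields[4], PATTERNS[fields[4]].search(fields[7])
    if not match:
        return None
    if code == "681":  # NTLM failure carries no domain, so "local" as in the Perl
        user, workstation, err = match.groups()
        return user, "local", workstation, REASONS.get(err, err)
    if code == "675":  # Kerberos pre-auth failure: realm is the domain, client IP is the source
        user, realm, err, client = match.groups()
        return user, realm, client, REASONS.get(err, err)
    user, domain, process, workstation = match.groups()
    return user, domain, workstation, f"unknown user name or bad password via {process}"

def lockout_sources(lines):
    """Count failures per (user, source machine) across all three event types; the top entry is where to look."""
    counts = Counter()
    for parsed in filter(None, map(parse_line, lines)):
        counts[(parsed[0].lower(), parsed[2])] += 1
    return counts.most_common()
# Constructed sample lines in the assumed layout (not real log data).
SAMPLE = [
    "3/10/2004,2:37:01 PM,16,2,681,NT AUTHORITY\\SYSTEM,AD1,MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 jsmith WS01 3221225578",
    "3/10/2004,2:37:02 PM,16,2,675,NT AUTHORITY\\SYSTEM,AD1,jsmith S-1-5-21-1-2-3-1104 krbtgt/CORP.EXAMPLE 0x2 0x18 10.1.2.3",
    "3/10/2004,2:37:03 PM,16,2,529,NT AUTHORITY\\SYSTEM,AD1,jsmith CORP 3 NtLmSsp NTLM WS01",
    "3/10/2004,2:37:04 PM,16,2,681,NT AUTHORITY\\SYSTEM,AD1,MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 jsmith WS01 3221226036",
]
```

Feed it the CSV from the batch file above (`lockout_sources(open(path))`) and read the top entry; a "locked out" reason after a string of "wrong password" failures from the same machine is the usual signature of a stale credential cached there.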

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Thursday, March 11, 2004 1:39 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Account lockouts

Question, 

We have 3 domain controllers in a single forest, single Domain environment
running windows 2000 Server. I have 2 Domain Accounts that constantly get
locked out. I keep getting this error, even after checking LDAP for
duplicate accounts, I've moved the user account to a different OU and forced
replication, etc. Also checked Microsoft KB, tried all suggestions. I've
also had the user log off all terminal sessions, manually change the account
password and then forced replication. I'm close to deleting and recreating
the account. 

Thanks in advance for any help! 

Mike 

Event Type:     Warning
Event Source:   NTDS Replication
Event Category: Replication 
Event ID:       1083
Date:           3/10/2004
Time:           2:37:32 PM
User:           Everyone
Computer:       AD1
Description:
Replication warning: The directory is busy. It couldn't update object
CN=XXXX,CN=Users,DC=Domain,DC=com with changes made by directory
800fdc79-066f-4c5a-a1e4-e4e17a28eb47._msdcs.renditionnetworks.com. Will try
again later.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/