Jump to content


Photo

Tracking Account Lockout - Workstation is my Exchange CAS/HT

exchange

  • Please log in to reply
1 reply to this topic

#1 newtonetwrix

newtonetwrix

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 14 September 2016 - 11:48 PM

We have been using the tool for quite some time and when we receive a lockout notification its great when the workstation shows the individual staff computer workstation name.  For example.

 

Account Name: DOMAIN\johndoe

Workstation: COMPUTERNAME-PC

Time: 9/14/2016 4:08:15 PM

 

In some cases though the workstation name is our Exchange HT/CAS Server.

 

Account Name: DOMAIN\johndoe

Workstation: Exchange Server Name

Time: 9/14/2016 4:08:15 PM

 

When it is the Exchange Server we always assumed it was coming from OWA or a mobile device but when the user is certain they have not used OWA or have any mobile device configured this is where digging for the solution becomes a goose hunt.

 

How do you easily narrow down what application or device is locking out the account?

 

 



#2 jeffb

jeffb

    Advanced Member

  • Administrators
  • PipPipPip
  • 384 posts
  • Gender:Male

Posted 15 September 2016 - 12:37 PM

Account Lockout Examiner collects the following event:

https://www.ultimate...px?eventid=4740

 

The source workstation comes from this event.  However the domain controller is receiving the invalid login attempt from the Exchange server so it is almost certainly a device connected to Exchange in some way.  The product however doesn't have any logic to go beyond that as it doesn't have agents monitoring the Exchange services to see what external device or ip address the invalid logins are coming from.  But you could potentially monitor exchange logs to see what IP is the root cause and then block that IP.  If it is a device they are using they will soon let you know.  If not, nothing to worry about.

 

-Jeff






0 user(s) are reading this topic

0 members, guests, anonymous users