Newbie
Posted 12 June 2015 - 04:44 PM
Hi I downloaded the free version of Netwrix account lockout examiner in order to troubleshoot few users account that are always locked out. I tried to look for the workstation but the workstation gave me that blank answer. Is there anyone can help me to show which machine caused the user account locked out? I meant enabled the feature on the software.
Thank you,
Brian
Advanced Member
Posted 12 June 2015 - 04:47 PM
Brian,
Account lockout examiner gets the workstation from the 4740 event ID on the domain controller which processed the lockout ( If we show workstation as blank then that means that the event ID has a blank workstation. However if you pull up that event on the DC then it may have an IP address associated with the device. If I had to guess it is a non microsoft windows device and that is why windows doesn't have a workstation name.
-Jeff
Newbie
Posted 12 June 2015 - 04:49 PM
I tried to look for the mobile device also.
The user said that she doesn't have any company issued mobile device.
The event log doesn't show any logout event from her account.
Is there a way I can trace from the software to figure out what caused the issue?
BY
Advanced Member
Posted 14 July 2015 - 06:21 PM
Brian,
The software gets data based on the actual security log of DCs. If there is no data there, it cannot automatically find the source.
You can of course point it to specific machine manually to examine it, as you most likely did with the user`s workstation, but if no data present in logs this can only be done manually.
As mentioned you can check if there 4740 events on your DC related to the account has some information inside.
Also you can try searching authentication events like 4771 or 4776 related to the account.
Newbie
Posted 13 January 2016 - 10:21 PM
I have a similar problem, Both the domain controller and workstation are blank.
Newbie
Posted 28 January 2016 - 02:34 PM
It can be different things. Check if the user has a device logged on to a wireless network ( check logs on radius server). Old devices that they use at home with WIFI are another.
Newbie
Posted 18 January 2018 - 05:56 PM
I have a similar problem, Both the domain controller and workstation are blank.
I'm currently having this same issue. IT shows the Bad Pwd Count and Status fine... but Workstation and Domain Controller are blank.
Another AD Audit tool (trial) I'm using shows the Caller Computer Name (workstation) and Domain Controller just fine.
Identity and Access Management Tools →
Netwrix Account Lockout Examiner →
In "Monitored Domain controller" Section, I get Access Denied errorStarted by Masoodanees , 17 Jun 2017  Account Lockout
|
|
|
||
Change and Access Auditing Tools →
Netwrix Auditor for Active Directory Free Community Edition →
Notify User when Account is locked outStarted by brandon.murdoch@mx.com , 19 Feb 2016 account lockout
|
|
|
1-949-407-5125
